Skip to main content
Calico Enterprise 3.20 (latest) documentation

Configure L7 logs

Big picture

Deploy Envoy and use Calico Enterprise L7 logs to monitor application activity.

Value

Just like L3/4 Calico Enterprise logs, platform operators and development teams want visibility into L7 logs to see how applications are interacting with each other. Calico Enterprise flow logs only display which workloads are communicating with each other, not the specific request details. Calico Enterprise provides visibility into L7 traffic without the need for a service mesh.

L7 logs are also key for detecting anomalous behaviors like attempts to access applications, restricted URLs, and scans for particular URLs.

Concepts

About L7 logs

L7 logs capture application interactions from HTTP header data in requests. Data shows what is actually sent in communications between specific pods, providing more specificity than flow logs. (Flow logs capture data only from connections for workload interactions).

Calico Enterprise collects L7 logs by sending the selected traffic through an Envoy proxy.

L7 logs are visible in the web console, service graph, in the HTTP tab.

Before you begin

Limitations

  • L7 log collection is not compatible with a service mesh such as Istio.
  • L7 log collection is not supported for host-networked client pods.
  • L7 log collection is supported only on Kubernetes 1.29 and later.
important

When you enable L7 log collection for a deployment, all of that deployment's pods will restart. Selecting and deselecting traffic for L7 log collection may result in disruptions for active connections.

note

L7 logs require a minimum of 1 additional GB of log storage per node, per one-day retention period. Adjust your Log Storage before you start tasks in the next section.

Configure Felix for log data collection

  1. Configure L7 log aggregation, retention, and reporting.

    For help, see Felix Configuration documentation.

Configure L7 logs

In this step, you will configure L7 logs, select logs for collection, and test the configuration.

Configure the ApplicationLayer resource for L7 logs

  1. Create or update the ApplicationLayer resource named, tigera-secure.

    Example:

    kubectl apply -f - <<EOF
    apiVersion: operator.tigera.io/v1
    kind: ApplicationLayer
    metadata:
      name: tigera-secure
    spec:
      # log collection is implemented via sidecar
      sidecarInjection: Enabled
      # the following configures the log collection and aggregation behaviour
      logCollection:
        collectLogs: Enabled
        logIntervalSeconds: 5
        logRequestsPerInterval: -1
    EOF

    Read more about the log collection specification here.

    Applying this resource creates an l7-log-collector daemonset in calico-system namespace.

  2. Wait for the Log collection daemonset to progress to ready

    kubectl rollout status -n calico-system ds/l7-log-collector

Select traffic for L7 log collection

  1. Patch your application deployments you wish to collect L7 logs as shown.

    kubectl patch deployment <deployment-name> -n <deployment-namespace> -p '{"spec":{"template":{"metadata":{"labels":{"applicationlayer.projectcalico.org/sidecar":"true"},"annotations":{"applicationlayer.projectcalico.org/logging":"Enabled"}}}}}'

  2. To disable L7 log collection, remove the label and annotation.

    kubectl patch deployment <deployment-name> -n <deployment-namespace> --type='json' -p '[{"op":"remove","path":"/spec/template/metadata/labels/applicationlayer.projectcalico.org~1sidecar"},{"op":"remove","path":"/spec/template/metadata/annotations/applicationlayer.projectcalico.org~1logging"}]'

Test your configuration

  1. Identify the path to access your cluster. Where <path> can be:

    • Public address of your cluster/service or
    • Cluster IP of your application's service (if testing within the cluster)

  2. curl your service with a command similar to the following. You will see Server header as envoy.

    curl --head <path to access service>:<optional port>/<path>

View L7 logs in the web console

Service Graph

To view L7 logs in Service Graph:

  1. In the web console left navbar, click Service Graph.

  2. In the bottom pane you will see L7 logs in the HTTP tab.

    l7-logs

Kibana

To view L7 logs by index pattern in Kibana:

  1. In the web console left navbar, click Kibana.

  2. In the new Kibana browser, click the hamburger icon in the top left corner, and select Analytics, Discover.

  3. Select the index pattern, tigera_secure_ee_l7.