We are following the standard AccessLog format:
[%START_TIME%] "%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%"
%RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION%
%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% "%REQ(X-FORWARDED-FOR)%" "%REQ(USER-AGENT)%"
"%REQ(X-REQUEST-ID)%" "%REQ(:AUTHORITY)%" "%UPSTREAM_HOST%"\n
I would like to modify this format for a custom request (.../exit) to not log sensitive data. Is it possible to filter the route this way?
Init code:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ***
  namespace: ***
spec:
  workloadSelector:
    labels:
      service.istio.io/canonical-name: ***
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: GATEWAY
      routeConfiguration:
        vhost:
          name: "*"
          route:
            name: "/exit"
            action: ANY
    patch:
      operation: MERGE
      value:
        value:
          typed_config:
            "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
            access_log:
            - name: envoy.access_loggers.file
              typed_config:
                "@type": "type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog"
                path: /dev/stdout
                format: "[%START_TIME%] \"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\" %RESPONSE_CODE% %RESPONSE_FLAGS% \n"
Does anyone have an idea how I can fix this to filter out the /exit requests?
You should be able to do that with the Telemetry resource - I think you can match the specific path with CEL expression in the filter field. You can find the list of attributes you can use in the CEL expressions here: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes
Example Telemetry resource with filter:
The privateLoggingProvider is set in the mesh config:
Note that if you know the workloads you want to restrict or change the formats for, you can use the selectors in the Telemetry resource to target the workloads specifically (instead of applying it to all workloads/mesh).
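An added example (not the configuration from the original answer) of the two pieces the answer describes: a mesh-config extension provider carrying the reduced format from the question, and a Telemetry resource whose CEL filters send /exit requests to it and everything else to the default provider. The provider name privateLoggingProvider comes from the answer; the resource name, namespace, selector label and the endsWith('/exit') match are assumptions, as is an Istio version whose Telemetry API supports accessLogging filters.

```yaml
# Added example, not the original poster's configuration.
# 1) Mesh config: register a second file access-log provider with the reduced format.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    extensionProviders:
    - name: privateLoggingProvider
      envoyFileAccessLog:
        path: /dev/stdout
        logFormat:
          # Reduced format taken from the question. %REQ(...:PATH)% still carries
          # the query string; drop that operator if the path itself is sensitive.
          text: "[%START_TIME%] \"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\" %RESPONSE_CODE% %RESPONSE_FLAGS% \n"
---
# 2) Telemetry: choose the provider per request with CEL filters.
apiVersion: telemetry.istio.io/v1alpha1
kind: Telemetry
metadata:
  name: exit-access-log          # assumed name
  namespace: istio-system        # assumed: the namespace the gateway runs in
spec:
  selector:
    matchLabels:
      istio: ingressgateway      # assumed label; replace with the gateway's own
  accessLogging:
  # Every request except the sensitive route goes to the built-in "envoy" provider.
  - providers:
    - name: envoy
    filter:
      expression: "!request.url_path.endsWith('/exit')"
  # The sensitive route is logged only through the reduced-format provider.
  - providers:
    - name: privateLoggingProvider
    filter:
      expression: "request.url_path.endsWith('/exit')"
```

The two filter expressions are complements, so each request produces exactly one log line; request.url_path excludes the query string, which keeps the match stable when parameters are appended.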