syntax = "proto3"; package envoy.data.accesslog.v3; import "envoy/config/core/v3/address.proto"; import "envoy/config/core/v3/base.proto"; import "google/protobuf/any.proto"; import "google/protobuf/duration.proto"; import "google/protobuf/timestamp.proto"; import "google/protobuf/wrappers.proto"; import "udpa/annotations/status.proto"; import "udpa/annotations/versioning.proto"; import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.data.accesslog.v3"; option java_outer_classname = "AccesslogProto"; option java_multiple_files = true; option go_package = "github.com/envoyproxy/go-control-plane/envoy/data/accesslog/v3;accesslogv3"; option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#protodoc-title: gRPC access logs] // Envoy access logs describe incoming interaction with Envoy over a fixed // period of time, and typically cover a single request/response exchange, // (e.g. HTTP), stream (e.g. over HTTP/gRPC), or proxied connection (e.g. TCP). // Access logs contain fields defined in protocol-specific protobuf messages. // // Except where explicitly declared otherwise, all fields describe // *downstream* interaction between Envoy and a connected client. // Fields describing *upstream* interaction will explicitly include ``upstream`` // in their name. message TCPAccessLogEntry { option (udpa.annotations.versioning).previous_message_type = "envoy.data.accesslog.v2.TCPAccessLogEntry"; // Common properties shared by all Envoy access logs. AccessLogCommon common_properties = 1; // Properties of the TCP connection. ConnectionProperties connection_properties = 2; } message HTTPAccessLogEntry { option (udpa.annotations.versioning).previous_message_type = "envoy.data.accesslog.v2.HTTPAccessLogEntry"; // HTTP version enum HTTPVersion { PROTOCOL_UNSPECIFIED = 0; HTTP10 = 1; HTTP11 = 2; HTTP2 = 3; HTTP3 = 4; } // Common properties shared by all Envoy access logs. AccessLogCommon common_properties = 1; HTTPVersion protocol_version = 2; // Description of the incoming HTTP request. HTTPRequestProperties request = 3; // Description of the outgoing HTTP response. HTTPResponseProperties response = 4; } // Defines fields for a connection message ConnectionProperties { option (udpa.annotations.versioning).previous_message_type = "envoy.data.accesslog.v2.ConnectionProperties"; // Number of bytes received from downstream. uint64 received_bytes = 1; // Number of bytes sent to downstream. uint64 sent_bytes = 2; } // Defines fields that are shared by all Envoy access logs. // [#next-free-field: 28] message AccessLogCommon { option (udpa.annotations.versioning).previous_message_type = "envoy.data.accesslog.v2.AccessLogCommon"; // [#not-implemented-hide:] // This field indicates the rate at which this log entry was sampled. // Valid range is (0.0, 1.0]. double sample_rate = 1 [(validate.rules).double = {lte: 1.0 gt: 0.0}]; // This field is the remote/origin address on which the request from the user was received. // Note: This may not be the physical peer. E.g, if the remote address is inferred from for // example the x-forwarder-for header, proxy protocol, etc. config.core.v3.Address downstream_remote_address = 2; // This field is the local/destination address on which the request from the user was received. config.core.v3.Address downstream_local_address = 3; // If the connection is secure,S this field will contain TLS properties. TLSProperties tls_properties = 4; // The time that Envoy started servicing this request. This is effectively the time that the first // downstream byte is received. google.protobuf.Timestamp start_time = 5; // Interval between the first downstream byte received and the last // downstream byte received (i.e. time it takes to receive a request). google.protobuf.Duration time_to_last_rx_byte = 6; // Interval between the first downstream byte received and the first upstream byte sent. There may // by considerable delta between ``time_to_last_rx_byte`` and this value due to filters. // Additionally, the same caveats apply as documented in ``time_to_last_downstream_tx_byte`` about // not accounting for kernel socket buffer time, etc. google.protobuf.Duration time_to_first_upstream_tx_byte = 7; // Interval between the first downstream byte received and the last upstream byte sent. There may // by considerable delta between ``time_to_last_rx_byte`` and this value due to filters. // Additionally, the same caveats apply as documented in ``time_to_last_downstream_tx_byte`` about // not accounting for kernel socket buffer time, etc. google.protobuf.Duration time_to_last_upstream_tx_byte = 8; // Interval between the first downstream byte received and the first upstream // byte received (i.e. time it takes to start receiving a response). google.protobuf.Duration time_to_first_upstream_rx_byte = 9; // Interval between the first downstream byte received and the last upstream // byte received (i.e. time it takes to receive a complete response). google.protobuf.Duration time_to_last_upstream_rx_byte = 10; // Interval between the first downstream byte received and the first downstream byte sent. // There may be a considerable delta between the ``time_to_first_upstream_rx_byte`` and this field // due to filters. Additionally, the same caveats apply as documented in // ``time_to_last_downstream_tx_byte`` about not accounting for kernel socket buffer time, etc. google.protobuf.Duration time_to_first_downstream_tx_byte = 11; // Interval between the first downstream byte received and the last downstream byte sent. // Depending on protocol, buffering, windowing, filters, etc. there may be a considerable delta // between ``time_to_last_upstream_rx_byte`` and this field. Note also that this is an approximate // time. In the current implementation it does not include kernel socket buffer time. In the // current implementation it also does not include send window buffering inside the HTTP/2 codec. // In the future it is likely that work will be done to make this duration more accurate. google.protobuf.Duration time_to_last_downstream_tx_byte = 12; // The upstream remote/destination address that handles this exchange. This does not include // retries. config.core.v3.Address upstream_remote_address = 13; // The upstream local/origin address that handles this exchange. This does not include retries. config.core.v3.Address upstream_local_address = 14; // The upstream cluster that ``upstream_remote_address`` belongs to. string upstream_cluster = 15; // Flags indicating occurrences during request/response processing. ResponseFlags response_flags = 16; // All metadata encountered during request processing, including endpoint // selection. // // This can be used to associate IDs attached to the various configurations // used to process this request with the access log entry. For example, a // route created from a higher level forwarding rule with some ID can place // that ID in this field and cross reference later. It can also be used to // determine if a canary endpoint was used or not. config.core.v3.Metadata metadata = 17; // If upstream connection failed due to transport socket (e.g. TLS handshake), provides the // failure reason from the transport socket. The format of this field depends on the configured // upstream transport socket. Common TLS failures are in // :ref:`TLS trouble shooting `. string upstream_transport_failure_reason = 18; // The name of the route string route_name = 19; // This field is the downstream direct remote address on which the request from the user was // received. Note: This is always the physical peer, even if the remote address is inferred from // for example the x-forwarder-for header, proxy protocol, etc. config.core.v3.Address downstream_direct_remote_address = 20; // Map of filter state in stream info that have been configured to be logged. If the filter // state serialized to any message other than ``google.protobuf.Any`` it will be packed into // ``google.protobuf.Any``. map filter_state_objects = 21; // A list of custom tags, which annotate logs with additional information. // To configure this value, users should configure // :ref:`custom_tags `. map custom_tags = 22; // For HTTP: Total duration in milliseconds of the request from the start time to the last byte out. // For TCP: Total duration in milliseconds of the downstream connection. // This is the total duration of the request (i.e., when the request's ActiveStream is destroyed) // and may be longer than ``time_to_last_downstream_tx_byte``. google.protobuf.Duration duration = 23; // For HTTP: Number of times the request is attempted upstream. Note that the field is omitted when the request was never attempted upstream. // For TCP: Number of times the connection request is attempted upstream. Note that the field is omitted when the connect request was never attempted upstream. uint32 upstream_request_attempt_count = 24; // Connection termination details may provide additional information about why the connection was terminated by Envoy for L4 reasons. string connection_termination_details = 25; // Optional unique id of stream (TCP connection, long-live HTTP2 stream, HTTP request) for logging and tracing. // This could be any format string that could be used to identify one stream. string stream_id = 26; // If this log entry is final log entry that flushed after the stream completed or // intermediate log entry that flushed periodically during the stream. // There may be multiple intermediate log entries and only one final log entry for each // long-live stream (TCP connection, long-live HTTP2 stream). // And if it is necessary, unique ID or identifier can be added to the log entry // :ref:`stream_id ` to // correlate all these intermediate log entries and final log entry. bool intermediate_log_entry = 27; } // Flags indicating occurrences during request/response processing. // [#next-free-field: 28] message ResponseFlags { option (udpa.annotations.versioning).previous_message_type = "envoy.data.accesslog.v2.ResponseFlags"; message Unauthorized { option (udpa.annotations.versioning).previous_message_type = "envoy.data.accesslog.v2.ResponseFlags.Unauthorized"; // Reasons why the request was unauthorized enum Reason { REASON_UNSPECIFIED = 0; // The request was denied by the external authorization service. EXTERNAL_SERVICE = 1; } Reason reason = 1; } // Indicates local server healthcheck failed. bool failed_local_healthcheck = 1; // Indicates there was no healthy upstream. bool no_healthy_upstream = 2; // Indicates an there was an upstream request timeout. bool upstream_request_timeout = 3; // Indicates local codec level reset was sent on the stream. bool local_reset = 4; // Indicates remote codec level reset was received on the stream. bool upstream_remote_reset = 5; // Indicates there was a local reset by a connection pool due to an initial connection failure. bool upstream_connection_failure = 6; // Indicates the stream was reset due to an upstream connection termination. bool upstream_connection_termination = 7; // Indicates the stream was reset because of a resource overflow. bool upstream_overflow = 8; // Indicates no route was found for the request. bool no_route_found = 9; // Indicates that the request was delayed before proxying. bool delay_injected = 10; // Indicates that the request was aborted with an injected error code. bool fault_injected = 11; // Indicates that the request was rate-limited locally. bool rate_limited = 12; // Indicates if the request was deemed unauthorized and the reason for it. Unauthorized unauthorized_details = 13; // Indicates that the request was rejected because there was an error in rate limit service. bool rate_limit_service_error = 14; // Indicates the stream was reset due to a downstream connection termination. bool downstream_connection_termination = 15; // Indicates that the upstream retry limit was exceeded, resulting in a downstream error. bool upstream_retry_limit_exceeded = 16; // Indicates that the stream idle timeout was hit, resulting in a downstream 408. bool stream_idle_timeout = 17; // Indicates that the request was rejected because an envoy request header failed strict // validation. bool invalid_envoy_request_headers = 18; // Indicates there was an HTTP protocol error on the downstream request. bool downstream_protocol_error = 19; // Indicates there was a max stream duration reached on the upstream request. bool upstream_max_stream_duration_reached = 20; // Indicates the response was served from a cache filter. bool response_from_cache_filter = 21; // Indicates that a filter configuration is not available. bool no_filter_config_found = 22; // Indicates that request or connection exceeded the downstream connection duration. bool duration_timeout = 23; // Indicates there was an HTTP protocol error in the upstream response. bool upstream_protocol_error = 24; // Indicates no cluster was found for the request. bool no_cluster_found = 25; // Indicates overload manager terminated the request. bool overload_manager = 26; // Indicates a DNS resolution failed. bool dns_resolution_failure = 27; } // Properties of a negotiated TLS connection. // [#next-free-field: 8] message TLSProperties { option (udpa.annotations.versioning).previous_message_type = "envoy.data.accesslog.v2.TLSProperties"; enum TLSVersion { VERSION_UNSPECIFIED = 0; TLSv1 = 1; TLSv1_1 = 2; TLSv1_2 = 3; TLSv1_3 = 4; } message CertificateProperties { option (udpa.annotations.versioning).previous_message_type = "envoy.data.accesslog.v2.TLSProperties.CertificateProperties"; message SubjectAltName { option (udpa.annotations.versioning).previous_message_type = "envoy.data.accesslog.v2.TLSProperties.CertificateProperties.SubjectAltName"; oneof san { string uri = 1; // [#not-implemented-hide:] string dns = 2; } } // SANs present in the certificate. repeated SubjectAltName subject_alt_name = 1; // The subject field of the certificate. string subject = 2; } // Version of TLS that was negotiated. TLSVersion tls_version = 1; // TLS cipher suite negotiated during handshake. The value is a // four-digit hex code defined by the IANA TLS Cipher Suite Registry // (e.g. ``009C`` for ``TLS_RSA_WITH_AES_128_GCM_SHA256``). // // Here it is expressed as an integer. google.protobuf.UInt32Value tls_cipher_suite = 2; // SNI hostname from handshake. string tls_sni_hostname = 3; // Properties of the local certificate used to negotiate TLS. CertificateProperties local_certificate_properties = 4; // Properties of the peer certificate used to negotiate TLS. CertificateProperties peer_certificate_properties = 5; // The TLS session ID. string tls_session_id = 6; // The ``JA3`` fingerprint when ``JA3`` fingerprinting is enabled. string ja3_fingerprint = 7; } // [#next-free-field: 14] message HTTPRequestProperties { option (udpa.annotations.versioning).previous_message_type = "envoy.data.accesslog.v2.HTTPRequestProperties"; // The request method (RFC 7231/2616). config.core.v3.RequestMethod request_method = 1 [(validate.rules).enum = {defined_only: true}]; // The scheme portion of the incoming request URI. string scheme = 2; // HTTP/2 ``:authority`` or HTTP/1.1 ``Host`` header value. string authority = 3; // The port of the incoming request URI // (unused currently, as port is composed onto authority). google.protobuf.UInt32Value port = 4; // The path portion from the incoming request URI. string path = 5; // Value of the ``User-Agent`` request header. string user_agent = 6; // Value of the ``Referer`` request header. string referer = 7; // Value of the ``X-Forwarded-For`` request header. string forwarded_for = 8; // Value of the ``X-Request-Id`` request header // // This header is used by Envoy to uniquely identify a request. // It will be generated for all external requests and internal requests that // do not already have a request ID. string request_id = 9; // Value of the ``X-Envoy-Original-Path`` request header. string original_path = 10; // Size of the HTTP request headers in bytes. // // This value is captured from the OSI layer 7 perspective, i.e. it does not // include overhead from framing or encoding at other networking layers. uint64 request_headers_bytes = 11; // Size of the HTTP request body in bytes. // // This value is captured from the OSI layer 7 perspective, i.e. it does not // include overhead from framing or encoding at other networking layers. uint64 request_body_bytes = 12; // Map of additional headers that have been configured to be logged. map request_headers = 13; } // [#next-free-field: 7] message HTTPResponseProperties { option (udpa.annotations.versioning).previous_message_type = "envoy.data.accesslog.v2.HTTPResponseProperties"; // The HTTP response code returned by Envoy. google.protobuf.UInt32Value response_code = 1; // Size of the HTTP response headers in bytes. // // This value is captured from the OSI layer 7 perspective, i.e. it does not // include overhead from framing or encoding at other networking layers. uint64 response_headers_bytes = 2; // Size of the HTTP response body in bytes. // // This value is captured from the OSI layer 7 perspective, i.e. it does not // include overhead from framing or encoding at other networking layers. uint64 response_body_bytes = 3; // Map of additional headers configured to be logged. map response_headers = 4; // Map of trailers configured to be logged. map response_trailers = 5; // The HTTP response code details. string response_code_details = 6; }