Amazon ECS Service Connect access
logs
Amazon ECS Service Connect supports access logs to provide detailed telemetry about
individual requests processed by the Service Connect proxy. Access logs complement existing
application logs by capturing per-request traffic metadata such as HTTP methods, paths,
response codes, flags, and timing information. This enables deeper observability into
request-level traffic patterns and service interactions for effective troubleshooting and
monitoring.
To enable access logs, specify both the logConfiguration and
accessLogConfiguration objects in the
serviceConnectConfiguration object. You can configure the format of the
logs and whether the logs should include query parameters in the
accessLogConfiguration. The logs are delivered to the destination log group
by the log driver specificied in the logConfiguration.
{
"serviceConnectConfiguration": {
"enabled": true,
"namespace": "myapp.namespace",
"services": [
...
],
"logConfiguration": {
"logDriver": "awslogs",
"options": {
"awslogs-group": "my-envoy-log-group",
"awslogs-region": "us-west-2",
"awslogs-stream-prefix": "myapp-envoy-logs"
}
},
"accessLogConfiguration": {
"format": "TEXT",
"includeQueryParameters": "ENABLED"
}
}
}
Considerations
Consider the following when you enable access to access logs
-
Access logs and application logs are both written to /dev/stdout. To separate access logs from application logs, we recommend using the
awsfirelens log driver with a custom Fluent Bit
or Fluentd configuration.
-
We recommend using the awslogs log driver to send
application and access logs to the same CloudWatch destination.
-
access logs are supported on Fargate services that use platform
version 1.4.0 and higher.
-
Query parameters such as request ids and tokens are excluded from access logs by default. To include query parameters in access logs, set includeQueryParameters to "ENABLED".
access logs can be formatted in either JSON format dictionaries or Text format strings, with differences in supported command operators for different types of access logs.
The following command operators are included by default for HTTP logs:
- Text
[%START_TIME%] "%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%"
%RESPONSE_CODE% %BYTES_RECEIVED% %BYTES_SENT% %DURATION%
%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% "%REQ(X-FORWARDED-FOR)%" "%REQ(USER-AGENT)%"
"%REQ(X-REQUEST-ID)%" "%REQ(:AUTHORITY)%" "%UPSTREAM_HOST%"\n
- JSON
-
{
"start_time": "%START_TIME%",
"method": "%REQ(:METHOD)%",
"path": "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%",
"protocol": "%PROTOCOL%",
"response_code": "%RESPONSE_CODE%",
"bytes_received": "%BYTES_RECEIVED%",
"bytes_sent": "%BYTES_SENT%",
"duration_ms": "%DURATION%",
"upstream_service_time": "%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%",
"forwarded_for": "%REQ(X-FORWARDED-FOR)%",
"user_agent": "%REQ(USER-AGENT)%",
"request_id": "%REQ(X-REQUEST-ID)%",
"authority": "%REQ(:AUTHORITY)%",
"upstream_host": "%UPSTREAM_HOST%"
}
In addition to the command operators included for HTTP logs, HTTP2 logs include the %STREAM_ID% operator by default.
- Text
[%START_TIME%] "%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%"
%RESPONSE_CODE% %BYTES_RECEIVED% %BYTES_SENT% %DURATION%
%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% "%REQ(X-FORWARDED-FOR)%" "%REQ(USER-AGENT)%"
"%REQ(X-REQUEST-ID)%" "%REQ(:AUTHORITY)%" "%UPSTREAM_HOST%" "%STREAM_ID%"\n
- JSON
-
{
"start_time": "%START_TIME%",
"method": "%REQ(:METHOD)%",
"path": "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%",
"protocol": "%PROTOCOL%",
"response_code": "%RESPONSE_CODE%",
"bytes_received": "%BYTES_RECEIVED%",
"bytes_sent": "%BYTES_SENT%",
"duration": "%DURATION%",
"upstream_service_time": "%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%",
"forwarded_for": "%REQ(X-FORWARDED-FOR)%",
"user_agent": "%REQ(USER-AGENT)%",
"request_id": "%REQ(X-REQUEST-ID)%",
"authority": "%REQ(:AUTHORITY)%",
"upstream_host": "%UPSTREAM_HOST%",
"stream_id": "%STREAM_ID%"
}
In addition to the command operators included for HTTP logs, gRPC access logs include the %STREAM_ID% and %GRPC_STATUS()%operator by default.
- Text
[%START_TIME%] "%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%"
%RESPONSE_CODE% %GRPC_STATUS()% %BYTES_RECEIVED% %BYTES_SENT% %DURATION%
%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% "%REQ(X-FORWARDED-FOR)%" "%REQ(USER-AGENT)%"
"%REQ(X-REQUEST-ID)%" "%REQ(:AUTHORITY)%" "%UPSTREAM_HOST%" "%STREAM_ID%"\n
- JSON
-
{
"start_time": "%START_TIME%",
"method": "%REQ(:METHOD)%",
"path": "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%",
"protocol": "%PROTOCOL%",
"response_code": "%RESPONSE_CODE%",
"grpc_status": "%GRPC_STATUS()%",
"bytes_received": "%BYTES_RECEIVED%",
"bytes_sent": "%BYTES_SENT%",
"duration": "%DURATION%",
"upstream_service_time": "%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%",
"forwarded_for": "%REQ(X-FORWARDED-FOR)%",
"user_agent": "%REQ(USER-AGENT)%",
"request_id": "%REQ(X-REQUEST-ID)%",
"authority": "%REQ(:AUTHORITY)%",
"upstream_host": "%UPSTREAM_HOST%",
"stream_id": "%STREAM_ID%"
}
The following command operators are included by default in TCP access logs:
- Text
[%START_TIME%] %DOWNSTREAM_REMOTE_ADDRESS% %DOWNSTREAM_REMOTE_PORT%
%BYTES_RECEIVED% %BYTES_SENT% %DURATION%
%CONNECTION_TERMINATION_DETAILS% %CONNECTION_ID%\n
- JSON
-
{
"start_time": "%START_TIME%",
"downstream_remote_address": "%DOWNSTREAM_REMOTE_ADDRESS%",
"downstream_remote_port": "%DOWNSTREAM_REMOTE_PORT%",s
"bytes_received": "%BYTES_RECEIVED%",
"bytes_sent": "%BYTES_SENT%",
"duration": "%DURATION%",
"connection_termination_details": "%CONNECTION_TERMINATION_DETAILS%",
"connection_id": %CONNECTION_ID%
}
For more information about these command operators, see Command Operators in the Envoy documentation.
