diff --git a/calico-cloud/observability/elastic/l7/configure.mdx b/calico-cloud/observability/elastic/l7/configure.mdx index 47a9fb7aa4..e80b6d24b4 100644 --- a/calico-cloud/observability/elastic/l7/configure.mdx +++ b/calico-cloud/observability/elastic/l7/configure.mdx @@ -40,32 +40,36 @@ L7 logs are visible in the web console, service graph, in the HTTP tab. **Not supported** - GKE -**Limitations** +### Limitations -- L7 log collection is not supported for host-networked client pods. -- When selecting and deselecting traffic for L7 log collection, active connections may be disrupted. +* L7 log collection is not compatible with a service mesh such as Istio. +* L7 log collection is not supported for host-networked client pods. +* L7 log collection is supported only on Kubernetes 1.29 and later. -{/*TODO-XREFS-CC -Note removed for CC -*/} +:::important -## How to +When you enable L7 log collection for a deployment, all of that deployment's pods will restart. +Selecting and deselecting traffic for L7 log collection may result in disruptions for active connections. -- [Configure Felix for log data collection](#configure-felix-for-log-data-collection) -- [Configure L7 logs](#configure-l7-logs) -- [View L7 logs in the web console](#view-l7-logs-in-manager-ui) +::: + +:::note + +L7 logs require a minimum of 1 additional GB of log storage per node, per one-day retention period. Adjust your [Log Storage](../../../operations/logstorage/adjust-log-storage-size.mdx) before you start tasks in the next section. + +::: -### Configure Felix for log data collection +## Configure Felix for log data collection 1. Configure L7 log aggregation, retention, and reporting. For help, see [Felix Configuration documentation](../../../reference/component-resources/node/felix/configuration.mdx#calico-enterprise-specific-configuration). -### Configure L7 logs +## Configure L7 logs In this step, you will configure L7 logs, select logs for collection, and test the configuration. -**Configure the ApplicationLayer resource for L7 logs** +### Configure the ApplicationLayer resource for L7 logs 1. Create or update the [ApplicationLayer](../../../reference/installation/api.mdx#applicationlayer) resource named, `tigera-secure`. @@ -99,25 +103,44 @@ In this step, you will configure L7 logs, select logs for collection, and test t kubectl rollout status -n calico-system ds/l7-log-collector --timeout=120s ``` -**Select traffic for L7 log collection** +### Quickstart: enable log collection on an example app -1. Annotate the services you wish to collect L7 logs as shown. +1. Install Google Microservices Demo ```bash - kubectl annotate svc -n projectcalico.org/l7-logging=true + kubectl apply -f https://raw.githubusercontent.com/GoogleCloudPlatform/microservices-demo/refs/heads/main/release/kubernetes-manifests.yaml ``` -2. To disable the L7 log collection, remove the annotation. + without the `-n ` flag, it is going to be installed in the `default` namespace. if you wish to install in a different namespace, specify the `-n ` flag on all other commands in this tutorial from this point on. + +1. Patch the `frontend` application deployment to start collecting L7 logs for this application ```bash - kubectl annotate svc -n projectcalico.org/l7-logging- + kubectl patch deployment frontend -p '{"spec":{"template":{"metadata":{"labels":{"applicationlayer.projectcalico.org/sidecar":"true"},"annotations":{"applicationlayer.projectcalico.org/logging":"Enabled"}}}}}' ``` -After annotating a service for L7 log collection, only newly-established connections through that service are proxied by Envoy. Connections established before the service is annotated are not proxied or interrupted, and no logs are generated. + The above command applies the following patch: + 1. ensures pods in your `frontend` deployment pod template spec has the label `applicationlayer.projectcalico.org/sidecar: true` + 1. ensures pods in your `frontend` deployment pod template spec has the following annotations: + - `applicationlayer.projectcalico.org/logging: Enabled` -Conversely, when a service is deselected, any previous connections established through the annotated service continue to be proxied by Envoy until they are terminated, and logs are generated. + Deployment pods will then be expected to restart. Monitor its progress with: + + ```bash + kubectl rollout status deployment frontend + ``` + + [Google Microservices Demo](https://github.com/GoogleCloudPlatform/microservices-demo) includes a load generator. L7 logs should now start displaying log entries that can be viewed via [various UIs](#view-l7-logs-in-the-web-console) + + Alternatively, it is possible to test your configuration [manually](#test-your-configuration). + +1. To disable L7 log collection, reverse the above patch with the following command. + + ```bash + kubectl patch deployment frontend --type='json' -p '[{"op":"remove","path":"/spec/template/metadata/labels/applicationlayer.projectcalico.org~1sidecar"},{"op":"remove","path":"/spec/template/metadata/annotations/applicationlayer.projectcalico.org~1logging"}]' + ``` -**Test your configuration** +### Test your configuration 1. Identify the path to access your cluster. Where `` can be: @@ -131,9 +154,9 @@ Conversely, when a service is deselected, any previous connections established t curl --head :/ ``` -### View L7 logs in the web console +## View L7 logs in the web console -**Service Graph** +### Service Graph To view L7 logs in Service Graph: @@ -142,7 +165,7 @@ To view L7 logs in Service Graph: ![l7-logs](/img/calico-enterprise/l7-logs.png) -**Kibana** +### Kibana To view L7 logs by index pattern in Kibana: