Skip to main content
Istio’s access logs come from the Envoy sidecar in each pod. Enable them with the Telemetry API, then collect the sidecar stdout with the same pod-log collector you use for the rest of the cluster.

Prerequisites

  • A Bronto account and API key (how to create one)
  • Istio installed with sidecar injection enabled (Istio 1.12+ for the Telemetry API)
  • A pod-log collector already running — see Kubernetes

Enable Istio access logging

Apply a mesh-wide Telemetry resource in the istio-system namespace using the built-in envoy provider, which logs to each sidecar’s stdout:
telemetry.yaml
apiVersion: telemetry.istio.io/v1
kind: Telemetry
metadata:
  name: mesh-default
  namespace: istio-system
spec:
  accessLogging:
    - providers:
        - name: envoy

kubectl apply -f telemetry.yaml
To scope logging to a single namespace, apply the resource there instead of istio-system.

Collect with your existing setup

Once access logging is on, sidecars write to stdout — your Kubernetes DaemonSet already forwards pod logs to Bronto, so no extra collector config is needed. Use the x-bronto-collection header to tag the cluster.

Distributed tracing

The same Telemetry API can enable mesh tracing: add a tracing provider that points at an OpenTelemetry Collector, which exports spans to Bronto. See Send Traces to Bronto.

What you will see in Bronto

Filter by your collection. Each request log includes the source and destination workload and namespace, method, path, response code, duration, bytes, and Envoy response flags. Bronto’s Custom Parser extracts these fields.

Troubleshooting

  • No access logs? Confirm the sidecar is injected (kubectl get pod <pod> -o jsonpath='{.spec.containers[*].name}' should list istio-proxy) and that the Telemetry resource is in istio-system.
  • Older Istio (pre-1.12): the Telemetry API isn’t available — enable access logs through the mesh config (accessLogFile: /dev/stdout) instead.
  • For collection issues, see the Kubernetes page.

Alternative: Fluent Bit

Collection is handled by your pod-log agent, so if you run the Fluent Bit DaemonSet from the Kubernetes page, Istio access logs are already included — no Istio-specific Fluent Bit config is required.