How to get access-logs from OpenShift router (HAProxy)?

Question

How to get access-logs from openshift router (HAproxy).

I tried to use this command:

$ oc project default 
$ oc logs router-1-g...

I got output:

I0129 09:47:17.125616       1 router.go:554] Router reloaded:
 - Checking http://localhost:80 ...
 - Health check ok : 0 retry attempt(s).
I0129 09:47:54.356142       1 router.go:554] Router reloaded:
 - Checking http://localhost:80 ...
 - Health check ok : 0 retry attempt(s).

But there was no information about users traffic (client/server requests/responses).

Please give me advice on how I can debug how this proxy is working?

Answer 1

On Openshift >=4.5 you can do it this way by edititing your ingresscontroller and add the following .spec.logging (see below, log format example included):

apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
  name: default
  namespace: openshift-ingress-operator
spec:
  logging:
    access:
      destination:
        type: Container
      # % formats see here: http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.3
      httpLogFormat: log_source="haproxy-default" log_type="http" c_ip="%ci" c_port="%cp"
        req_date="%tr" fe_name_transport="%ft" be_name="%b" server_name="%s" res_time="%TR"
        tot_wait_q="%Tw" Tc="%Tc" Tr="%Tr" Ta="%Ta" status_code="%ST" bytes_read="%B"
        bytes_uploaded="%U" captrd_req_cookie="%CC" captrd_res_cookie="%CS" term_state="%tsc"
        actconn="%ac" feconn="%fc" beconn="%bc" srv_conn="%sc" retries="%rc" srv_queue="%sq"
        backend_queue="%bq" captrd_req_headers="%hr" captrd_res_headers="%hs" http_request="%r"

This solution is based on https://access.redhat.com/solutions/3250781.
There is a solution for Openshift 3.x as well.

You may access the logs by doing 'oc logs -n openshift-ingress <your-router-pod-name> -c logs'.

It is also possible to send those logs directly to a syslog server:

apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
  name: default
  namespace: openshift-ingress-operator
spec:
  logging:
    access:
      destination:
        type: Syslog
        syslog:
          address: 1.2.3.4
          port: 10514
      # % formats see here: http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.3
      httpLogFormat: log_source="haproxy-default" log_type="http" c_ip="%ci" c_port="%cp"
        req_date="%tr" fe_name_transport="%ft" be_name="%b" server_name="%s" res_time="%TR"
        tot_wait_q="%Tw" Tc="%Tc" Tr="%Tr" Ta="%Ta" status_code="%ST" bytes_read="%B"
        bytes_uploaded="%U" captrd_req_cookie="%CC" captrd_res_cookie="%CS" term_state="%tsc"
        actconn="%ac" feconn="%fc" beconn="%bc" srv_conn="%sc" retries="%rc" srv_queue="%sq"
        backend_queue="%bq" captrd_req_headers="%hr" captrd_res_headers="%hs" http_request="%r"

Answer 2

You will need to point the router at a syslog server to debug the output. No access logs are output by default. You are seeing the logs of the Go process.

I created a rsyslog container some time ago to help debug issues with a custom router. This will log to stdout for debugging purposes only. Follow the instructions in the readme to deploy this within the default project. Shout if you need any further help.