All Products
Search

This Product

    Alibaba Cloud Service Mesh:ASM observability configuration

    Document Center

    Alibaba Cloud Service Mesh:ASM observability configuration

    Last Updated:Mar 10, 2026

    When you operate a service mesh, you need visibility into how traffic flows between services, where latency occurs, and what errors your workloads produce. Service Mesh (ASM) provides centralized observability controls for access logs, metrics, and distributed tracing. You can apply these controls at three levels of granularity -- globally, per namespace, or per workload -- so that different parts of your mesh can have independent observability configurations.

    Prerequisites

    Before you begin, make sure you have:

    Configuration scopes and inheritance

    ASM supports three scopes for observability settings.

    ScopeWhat it coversConstraints
    GlobalLogs, metrics, and tracing for the entire meshExactly one global configuration exists and cannot be deleted. Tracing settings are only available at this level (before version 1.24.6.83).
    NamespaceLogs and metrics for a single namespaceEach namespace supports at most one namespace-level configuration.
    CustomLogs and metrics for workloads that match specific labelsEach workload can be matched by at most one custom configuration.

    Apply settings at each scope

    All three scopes share the same starting steps. The difference is which tab you select and what additional parameters you provide.

    Global scope

    1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

    2. On the Mesh Management page, click the name of your ASM instance. In the left-side navigation pane, choose Observability Management Center > Observability Settings.

    3. On the Observability Settings page, click the Global tab, configure logs, metrics, and tracing as needed, and then click Submit.

    Namespace scope

    1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

    2. On the Mesh Management page, click the name of your ASM instance. In the left-side navigation pane, choose Observability Management Center > Observability Settings.

    3. On the Observability Configuration page, click the Namespace tab, click Create, select the target Namespace, configure logs and metrics as needed, and then click Create.

    Custom (workload) scope

    1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

    2. On the Mesh Management page, click the name of your ASM instance. In the left-side navigation pane, choose Observability Management Center > Observability Settings.

    3. On the Observability Configuration page, click the Custom tab, select the target Namespace, click Create, enter a Name and Matching Labels, configure logs and metrics as needed, and then click Create.

    The following sections describe each configuration area in detail.

    Configure access logs

    Enable or disable log output

    In the Log Settings area, turn the Enable Log Output switch on or off.

    • On: The Envoy proxy on the data plane outputs access logs to the container's standard output.

    • Off: The Envoy proxy stops writing access logs to the container's standard output.

    After you enable log output, verify that logs are flowing.

    View Waypoint logs

    kubectl -n istio-egress logs deployments/waypoint  | tail -1 | jq

    View sample output

    {
  "authority_for": "httpbin.test.com",
  "bytes_received": 0,
  "bytes_sent": 0,
  "downstream_local_address": "240.240.0.5:80",
  "downstream_remote_address": "10.18.190.138:49132",
  "duration": 346,
  "istio_policy_status": null,
  "method": "HEAD",
  "path": "/",
  "protocol": "HTTP/1.1",
  "request_id": "d3f48714-0e88-9534-a3f9-a639fd22defe",
  "requested_server_name": null,
  "response_code": 0,
  "response_flags": "DC",
  "route_name": "default",
  "start_time": "2025-08-18T11:01:13.249Z",
  "trace_id": null,
  "upstream_cluster": "inbound-vip|80|http|httpbin.test.com;",
  "upstream_host": null,
  "upstream_local_address": null,
  "upstream_response_time": null,
  "upstream_service_time": null,
  "upstream_transport_failure_reason": null,
  "user_agent": "curl/8.1.2",
  "x_forwarded_for": null
}

    View ingress gateway logs

    kubectl -n istio-system logs istio-ingressgateway-6cff9b6b58-r**** --tail 1

    View sample output

    {
    "authority_for":"47.110.XX.XXX",
    "bytes_received":"0",
    "bytes_sent":"22382",
    "downstream_local_address":"192.168.0.63:80",
    "downstream_remote_address":"221.220.XXX.XXX:64284",
    "duration":"81",
    "istio_policy_status":"-",
    "method":"GET",
    "path":"/static/favicon.ico",
    "protocol":"HTTP/1.1",
    "request_id":"0f2cf829-3da5-4810-a618-08d9745d****",
    "requested_server_name":"-",
    "response_code":"200",
    "response_flags":"-",
    "route_name":"httpbin",
    "start_time":"2023-06-30T04:00:36.841Z",
    "trace_id":"-",
    "upstream_cluster":"outbound|8000||httpbin.default.svc.cluster.local",
    "upstream_host":"192.168.0.29:80",
    "upstream_local_address":"192.168.0.63:36140",
    "upstream_response_time":"81",
    "upstream_service_time":"81",
    "upstream_transport_failure_reason":"-",
    "user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.X.X Safari/537.36",
    "x_forwarded_for":"221.220.XXX.XXX"
}

    (Optional) View access logs in the ACK console

    If your workloads run in a Container Service for Kubernetes (ACK) cluster, you can also view access logs through the ACK console:

    1. Log on to the ACK console. In the left-side navigation pane, choose Clusters.

    2. On the Clusters page, click the name of the target cluster. In the left-side navigation pane, choose Workloads > Pods.

    3. On the Pods page, click the name of the target pod, and then click the Logs tab to view the access log.

    Set the log output format

    Note

    This setting requires ASM version 1.20.6.36 or later. To upgrade, see Upgrade an ASM instance.

    In the Log Settings area, set Log Output Format to one of the following:

    FormatBehavior
    JSONAccess logs are written as JSON strings to the container's standard output.
    TEXTAccess logs are written as plain text strings to the container's standard output.

    Customize the log format

    You can add custom fields to the access log to capture values from request headers, response headers, or Envoy built-in attributes. This requires Enable Log Output to be turned on.

    1. In the Log Settings area, select or modify fields as needed. To add a field, click the add icon icon at the bottom of the field list. The default log fields in the Log Format area are required and cannot be modified. Example: To include the Accept-Encoding request header in the access log, set accessLogFormat key to accept-encoding, Type to Request Properties, and accessLogFormat value to Accept-Encoding.

      Log Format.png

    2. Run the following command to verify that the custom field appears in the logs:

         kubectl logs httpbin-5c5944c58c-w**** -c istio-proxy --tail 1|grep accept-encoding --color=auto

      View sample output

      {
       "bytes_received":"0",
       "bytes_sent":"9593",
       "downstream_local_address":"192.168.0.29:80",
       "downstream_remote_address":"69.164.XXX.XX:0",
       "duration":"2",
       "istio_policy_status":"-",
       "method":"GET",
       "path":"/",
       "protocol":"HTTP/1.1",
       "request_id":"29939dc9-62be-4ddf-acf6-32cb098d****",
       "requested_server_name":"outbound_.8000_._.httpbin.default.svc.cluster.local",
       "response_code":"200",
       "response_flags":"-",
       "route_name":"default",
       "start_time":"2023-06-30T04:18:19.734Z",
       "trace_id":"-",
       "upstream_cluster":"inbound|80||",
       "upstream_host":"192.168.0.29:80",
       "upstream_local_address":"127.0.X.X:34723",
       "upstream_service_time":"2",
       "upstream_transport_failure_reason":"-",
       "user_agent":"Mozilla/5.0 zgrab/0.x",
       "x_forwarded_for":"69.164.XXX.XX",
       "authority_for":"47.110.XX.XXX",
       "upstream_response_time":"2",
       "accept-encoding":"gzip"
}

      Sample output (note the accept-encoding field at the bottom).

    Filter access logs with CEL expressions

    To log only requests that match specific criteria, select Enable Log Filter below the Log Settings area and enter a Common Expression Language (CEL) filtering expression. Requests that do not match the expression are excluded from the log output.

    For example, to output logs only for requests with a response status code of 400 or higher, use the expression response.code >= 400.

    CEL attribute reference

    The following table lists commonly used attributes in CEL filter expressions. For more information, see CEL and Envoy attributes.

    AttributeTypeDescription
    request.pathstringPath of the request
    request.url_pathstringPath without the query string
    request.hoststringHostname portion of the URL
    request.methodstringHTTP method
    request.headersmap<string, string>All request headers, indexed by lowercase header name
    request.useragentstringValue of the User-Agent header
    request.timetimestampTime when the first byte of the request arrives
    request.idstringRequest ID
    request.protocolstringProtocol: HTTP/1.0, HTTP/1.1, HTTP/2, or HTTP/3
    request.querystringQuery string from the request URL
    response.codeintHTTP response status code
    response.code_detailsstringResponse code details
    response.grpc_statusintgRPC status code
    response.headersmap<string, string>All response headers, indexed by lowercase header name
    response.sizeintResponse body size in bytes
    response.total_sizeintTotal response message size in bytes

    Configure metrics

    Enable or disable metrics

    ASM collects two categories of metrics depending on whether the Envoy proxy is acting as a client or a server:

    CategoryWhen generatedTraffic types
    Client-side metricsWhen Envoy initiates outbound requestsSidecar egress traffic (application-to-application through a sidecar) and gateway traffic
    Server-side metricsWhen Envoy receives inbound requestsSidecar ingress traffic (requests arriving at the proxied application) and Waypoint traffic

    To enable or disable individual metrics:

    1. In the Metric Settings area, locate the Client-side Metrics (Gateway and Sidecar Outbound) or Server-side Metrics (Sidecar Inbound) column.

    2. Select or clear the Enable checkbox for each metric.

      • Enabled: The Envoy proxy exposes the metric through the /stats/prometheus path on port 15020.

      • Disabled: The metric is not exposed.

    3. Run the following command to verify that the expected metrics are exposed: Sample output:

         kubectl exec httpbin-5c5944c58c-w**** -c istio-proxy -- curl 127.0.0.1:15020/stats/prometheus|head -n 10
         # TYPE istio_agent_cert_expiry_seconds gauge
   istio_agent_cert_expiry_seconds{resource_name="default"} 46725.287654548
   # HELP istio_agent_endpoint_no_pod Endpoints without an associated pod.
   # TYPE istio_agent_endpoint_no_pod gauge
   istio_agent_endpoint_no_pod 0
   # HELP istio_agent_go_gc_duration_seconds A summary of the pause duration of garbage collection cycles.
   # TYPE istio_agent_go_gc_duration_seconds summary
   istio_agent_go_gc_duration_seconds{quantile="0"} 5.0149e-05
   istio_agent_go_gc_duration_seconds{quantile="0.25"} 9.8807e-05
   ......

    Manage metric dimensions

    Metric dimensions add labels to each metric, giving you finer-grained filtering in Prometheus. For example, use the source_app dimension to filter metrics by the originating application.

    Important

    Removing unneeded default dimensions reduces memory consumption for both Envoy and Prometheus. Because most dimensions are typically retained, the Metric Settings area displays only the dimensions that have been removed.

    Edit default dimensions

    1. In the Metric Settings area, under Client-side Metrics (Gateway and Sidecar Outbound) or Server-side Metrics (Sidecar Inbound), click Edit dimension for the target metric.

    2. In the Customize CLIENT dimension configuration or Customize SERVER dimension configuration dialog box, select or deselect dimensions, and then click Submit.

    Example: With all dimensions enabled, the istio_request_bytes_sum metric (corresponding to REQUEST_SIZE on the dashboard) includes every label:

    istio_request_bytes_sum{reporter="destination",source_workload="istio-ingressgateway",source_canonical_service="unknown",source_canonical_revision="latest",source_workload_namespace="istio-system",source_principal="spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway",source_app="istio-ingressgateway",source_version="unknown",source_cluster="c479fc4abd2734bfaaa54e9e36fb26c01",destination_workload="httpbin",destination_workload_namespace="default",destination_principal="spiffe://cluster.local/ns/default/sa/httpbin",destination_app="httpbin",destination_version="v1",destination_service="httpbin.default.svc.cluster.local",destination_canonical_service="httpbin",destination_canonical_revision="v1",destination_service_name="httpbin",destination_service_namespace="default",destination_cluster="c479fc4abd2734bfaaa54e9e36fb26c01",request_protocol="http",response_code="200",grpc_response_status="",response_flags="-",connection_security_policy="mutual_tls"} 18000

    After you reduce the server-side REQUEST_SIZE metric to retain only the response_code dimension, the output becomes:

    istio_request_bytes_sum{response_code="200"} 16550

    Add custom dimensions

    1. In the Metric Settings area, under Client-side Metrics (Gateway and Sidecar Outbound) or Server-side Metrics (Sidecar Inbound), click Edit dimension for the target metric.

    2. In the Customize CLIENT dimension configuration or Customize SERVER dimension configuration dialog box, under Custom Dimension, enter the dimension name and value, and then click Submit.

    Example: After you add request_path as the dimension name and request.path as the dimension value for the server-side REQUEST_SIZE metric, the output includes the new dimension:

    istio_request_bytes_sum{response_code="200",request_path="/spec.json"} 5800

    Configure tracing

    Tracing produces complete distributed traces only when all services in a call chain report spans to the same backend with compatible settings. If sampling rates or reporting endpoints differ between services, traces may be incomplete. For this reason, tracing settings are only available at the global level in versions earlier than 1.24.6.83.

    In version 1.24.6.83 and later, ASM supports namespace-level and workload-level tracing configurations through the Telemetry custom resource. For more information, see Telemetry CRD.

    Set the sampling percentage

    Set the sampling percentage to control the proportion of requests that generate trace reports. A value of 0 disables tracing entirely.

    Add custom tags

    Add custom tags to trace spans for additional context. In the Tracing Analysis Settings section, click Add Custom Tags and configure the Name, Type, and Value.

    The following table describes the available tag types with configuration examples.

    TypeBehaviorExample configuration
    Fixed ValueThe tag always carries the static value you specify.Name: env, Type: Static value, Value: prod
    Request HeaderThe tag value is read from the specified request header. If the header is missing, the default value is used.Name: useragent, Type: Request Header, Header Name: User-Agent, Default Value: unknow
    Environment VariableThe tag value is read from the specified environment variable on the workload. If the variable is missing, the default value is used.Name: env, Type: environment variable, Environment Variable Name: ENV, Default Value: unknown