Access logs from your Service Mesh (ASM) data plane provide visibility into request patterns, error rates, and service behavior. In high-traffic environments, unfiltered logging creates overhead on sidecar proxies and produces more data than you can meaningfully analyze.
Common Expression Language (CEL) lets you write filtering rules that control which log entries the sidecar proxy emits. Each CEL expression is evaluated per request -- entries are logged when the expression returns true and dropped when it returns false.
CEL expression examples
The examples below progress from single-condition filters to multi-condition rules.
Filter by response status code
Log only error responses (status code 400 and above):
response.code >= 400response.code is the HTTP status code. This expression drops 1xx, 2xx, and 3xx entries, keeping only client errors (4xx) and server errors (5xx).
Match request URL paths
Log requests where the path contains a specific substring:
request.url_path.contains('login')request.url_path is the HTTP request path without the query string. contains is a standard CEL string method that returns a Boolean.
Combine conditions with logical operators
Build multi-condition filters with && (AND) and || (OR).
AND -- all conditions must match:
request.url_path.contains('login') && request.headers['x-user-type'] == 'dev'Logs requests where the path contains login and the x-user-type header equals dev. request.headers is a map<string, string> of all request headers.
OR -- any condition matches:
request.url_path.contains('login') || request.url_path.contains('logout')Logs requests where the path contains login or logout.
Supported CEL attributes
Request attributes
| Attribute | Type | Description |
|---|---|---|
request.path | string | HTTP URL path with the query string |
request.url_path | string | HTTP URL path without the query string |
request.host | string | Host name from the HTTP URL |
request.scheme | string | URL scheme, such as HTTP or HTTPS |
request.method | string | HTTP method, such as GET or POST |
request.headers | map<string, string> | All request headers |
request.referer | string | Value of the Referer header |
request.useragent | string | Value of the User-Agent header |
request.time | timestamp | Time when the first byte of the request was received |
request.id | string | Value of the x-request-id header |
request.protocol | string | Request protocol, such as HTTP/1.0, HTTP/1, HTTP/2, or HTTP/3 |
request.query | string | URL query string, such as name1=value1&name2=value2 |
request.duration | duration | Total request duration |
request.size | int | Request body size. Uses the Content-Length header value when available. |
request.total_size | int | Total request size, including headers |
Response attributes
| Attribute | Type | Description |
|---|---|---|
response.code | int | HTTP status code |
response.code_details | string | Response status code description |
response.flags | int | Additional response details beyond the HTTP status code, encoded as a bit vector |
response.grpc_status | int | gRPC status code |
response.headers | map<string, string> | All response headers |
response.trailers | map<string, string> | All response trailers |
response.size | int | Response body size |
response.total_size | int | Total response size, including headers |
Downstream connection attributes
| Attribute | Type | Description |
|---|---|---|
source.address | string | Downstream client address |
source.port | int | Downstream client port |
destination.address | string | Destination address of the downstream connection |
destination.port | int | Destination port of the downstream connection |
connection.id | uint | Downstream connection ID |
connection.mtls | bool | Whether mTLS is enabled and the connection carries a client certificate |
connection.requested_server_name | string | Server name requested by the downstream TLS connection (SNI) |
connection.tls_version | string | TLS version of the downstream connection |
connection.subject_local_certificate | string | Subject field of the server certificate |
connection.subject_peer_certificate | string | Subject field of the client certificate |
connection.dns_san_local_certificate | string | First DNS entry in the SAN field of the server certificate |
connection.dns_san_peer_certificate | string | First DNS entry in the SAN field of the client certificate |
connection.uri_san_local_certificate | string | First URI entry in the SAN field of the server certificate |
connection.uri_san_peer_certificate | string | First URI entry in the SAN field of the client certificate |
connection.sha256_peer_certificate_digest | string | SHA256 digest of the client certificate |
connection.transport_failure_reason | string | Transport failure reason, such as certificate validation failure |
Upstream connection attributes
| Attribute | Type | Description |
|---|---|---|
upstream.address | string | Destination address of the upstream connection |
upstream.port | int | Destination port of the upstream connection |
upstream.tls_version | string | TLS version of the upstream connection |
upstream.subject_local_certificate | string | Subject field of the client certificate used for the upstream connection |
upstream.subject_peer_certificate | string | Subject field of the server certificate used for the upstream connection |
upstream.dns_san_local_certificate | string | First DNS entry in the SAN field of the client certificate |
upstream.dns_san_peer_certificate | string | First DNS entry in the SAN field of the server certificate |
upstream.uri_san_local_certificate | string | First URI entry in the SAN field of the client certificate |
upstream.uri_san_peer_certificate | string | First URI entry in the SAN field of the server certificate |
upstream.sha256_peer_certificate_digest | string | SHA256 digest of the server certificate |
upstream.local_address | string | Local address of the upstream connection |
upstream.transport_failure_reason | string | Upstream transport failure reason, such as certificate validation failure |