Skip to content

How to Fix Envoy Access Log Configuration Error

DodaTech Updated 2026-06-24 2 min read

In this tutorial, you'll learn about How to Fix Envoy Access Log Configuration Error. We cover key concepts, practical examples, and best practices.

Envoy access logs show %REQ(:METHOD)% instead of actual values, or the log file is empty despite requests being proxied — the access log format string is not being parsed or the output path is misconfigured.

The Problem

[2026-06-24T10:00:00Z] "%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?)% %PROTOCOL%" %RESPONSE_CODE% ...

Raw format strings appear instead of actual request data.

Step-by-Step Fix

Step 1: Configure access log correctly

listeners:
  - name: http-listener
    filter_chains:
      - filters:
          - name: envoy.filters.network.http_connection_manager
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
              access_log:
                - name: envoy.access_loggers.file
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
                    path: /var/log/envoy/access.log
                    format: "[%START_TIME%] \"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?)% %PROTOCOL%\" %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %UPSTREAM_HOST%"

Step 2: Verify log directory permissions

sudo mkdir -p /var/log/envoy
sudo chown envoy:envoy /var/log/envoy

Step 3: Use JSON logging for structured output

format:
  json_format:
    start_time: "%START_TIME%"
    method: "%REQ(:METHOD)%"
    path: "%REQ(X-ENVOY-ORIGINAL-PATH?)%"
    protocol: "%PROTOCOL%"
    response_code: "%RESPONSE_CODE%"
    duration: "%DURATION%"

Step 4: Test access log output

curl http://localhost:10000/test
cat /var/log/envoy/access.log

Prevention Tips

  • Use JSON format for structured log parsing
  • Rotate access logs with logrotate to prevent disk fill
  • Set access_log_flush_interval: 5s for real-time logging
  • Use stdout in container environments: path: /dev/stdout

Common Mistakes with access logs

  1. Non-exhaustive pattern matches that compile with warnings then crash at runtime
  2. Misunderstanding that String is [Char] with poor performance for large text operations
  3. Using foldl instead of foldl' causing stack overflow on large lists

These mistakes appear frequently in real-world ENVOY code. DodaTech's contributors have identified these patterns through analysis of open-source projects and production systems.

Practice Exercise

Write a pure function that safely divides two integers using Maybe, then test it with edge cases like division by zero and negative numbers.

This exercise reinforces the concepts covered in this guide. Try implementing it before checking online solutions.

FAQ

### Why does Envoy access log show raw format strings like %REQ(:METHOD)%?

This happens when the format string is wrapped in a way that Envoy does not parse. Ensure the format is a top-level string field, not nested inside another JSON object. The format must be a plain string in typed_config.

How do I log only errors in Envoy access logs?

Use filter-based access logging: add filter: { not_health_check: true } and response_code_filter: { comparison: { op: GE, value: { nvt: 0, value: 400 } } } inside the access_log config to log only 4xx and 5xx responses.

Can I send Envoy access logs to stdout instead of a file?

Yes, set path: /dev/stdout in the file access logger config. In Docker environments, this is the standard pattern for collecting logs through container logging drivers.

Built by the developers of DodaTech

Doda Browser, DodaZIP & Durga Antivirus Pro