Send HTTP logs over mTLSv3.15+
Send HTTP logs over mTLS by configuring a client certificate for mutual TLS authentication with the log server.
For a complete how-to guide that shows how to set up a log server with mTLS and send Kong Gateway logs to it, see Configure HTTP logging over mTLS.
Prerequisites
-
You have a log server with mTLS enabled.
-
You have added a client Certificate entity to Kong Gateway containing the certificate and private key to present to the log server.
-
You have configured Kong Gateway to trust the CA that signed the log server’s certificate using
lua_ssl_trusted_certificate.
Environment variables
-
LOG_SERVER_URL: The HTTPS endpoint of the log server that receives Kong Gateway logs. -
CLIENT_CERT_ID: The ID of the client Certificate entity in Kong Gateway.
Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
- name: http-log
config:
http_endpoint: ${{ env "DECK_LOG_SERVER_URL" }}
ssl_verify: true
client_certificate:
id: ${{ env "DECK_CLIENT_CERT_ID" }}
method: POST
timeout: 10000Make the following request:
curl -i -X POST http://localhost:8001/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "http-log",
"config": {
"http_endpoint": "'$LOG_SERVER_URL'",
"ssl_verify": true,
"client_certificate": {
"id": "'$CLIENT_CERT_ID'"
},
"method": "POST",
"timeout": 10000
},
"tags": []
}
'Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "http-log",
"config": {
"http_endpoint": "'$LOG_SERVER_URL'",
"ssl_verify": true,
"client_certificate": {
"id": "'$CLIENT_CERT_ID'"
},
"method": "POST",
"timeout": 10000
},
"tags": []
}
'Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account. -
controlPlaneId: Theidof the control plane.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
name: http-log
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
konghq.com/tags: ''
labels:
global: 'true'
config:
http_endpoint: '$LOG_SERVER_URL'
ssl_verify: true
client_certificate:
id: '$CLIENT_CERT_ID'
method: POST
timeout: 10000
plugin: http-log
" | kubectl apply -f -Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_http_log" "my_http_log" {
enabled = true
config = {
http_endpoint = var.log_server_url
ssl_verify = true
client_certificate = {
id = var.client_cert_id
}
method = "POST"
timeout = 10000
}
tags = []
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
}This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "client_cert_id" {
type = string
}Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
- name: http-log
service: serviceName|Id
config:
http_endpoint: ${{ env "DECK_LOG_SERVER_URL" }}
ssl_verify: true
client_certificate:
id: ${{ env "DECK_CLIENT_CERT_ID" }}
method: POST
timeout: 10000Make sure to replace the following placeholders with your own values:
-
serviceName|Id: Theidornameof the service the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/services/{serviceName|Id}/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "http-log",
"config": {
"http_endpoint": "'$LOG_SERVER_URL'",
"ssl_verify": true,
"client_certificate": {
"id": "'$CLIENT_CERT_ID'"
},
"method": "POST",
"timeout": 10000
},
"tags": []
}
'Make sure to replace the following placeholders with your own values:
-
serviceName|Id: Theidornameof the service the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/services/{serviceId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "http-log",
"config": {
"http_endpoint": "'$LOG_SERVER_URL'",
"ssl_verify": true,
"client_certificate": {
"id": "'$CLIENT_CERT_ID'"
},
"method": "POST",
"timeout": 10000
},
"tags": []
}
'Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account. -
controlPlaneId: Theidof the control plane. -
serviceId: Theidof the service the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: http-log
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
konghq.com/tags: ''
config:
http_endpoint: '$LOG_SERVER_URL'
ssl_verify: true
client_certificate:
id: '$CLIENT_CERT_ID'
method: POST
timeout: 10000
plugin: http-log
" | kubectl apply -f -Next, apply the KongPlugin resource by annotating the service resource:
kubectl annotate -n kong service SERVICE_NAME konghq.com/plugins=http-logPrerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_http_log" "my_http_log" {
enabled = true
config = {
http_endpoint = var.log_server_url
ssl_verify = true
client_certificate = {
id = var.client_cert_id
}
method = "POST"
timeout = 10000
}
tags = []
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
service = {
id = konnect_gateway_service.my_service.id
}
}This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "client_cert_id" {
type = string
}Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
- name: http-log
route: routeName|Id
config:
http_endpoint: ${{ env "DECK_LOG_SERVER_URL" }}
ssl_verify: true
client_certificate:
id: ${{ env "DECK_CLIENT_CERT_ID" }}
method: POST
timeout: 10000Make sure to replace the following placeholders with your own values:
-
routeName|Id: Theidornameof the route the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/routes/{routeName|Id}/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "http-log",
"config": {
"http_endpoint": "'$LOG_SERVER_URL'",
"ssl_verify": true,
"client_certificate": {
"id": "'$CLIENT_CERT_ID'"
},
"method": "POST",
"timeout": 10000
},
"tags": []
}
'Make sure to replace the following placeholders with your own values:
-
routeName|Id: Theidornameof the route the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/routes/{routeId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "http-log",
"config": {
"http_endpoint": "'$LOG_SERVER_URL'",
"ssl_verify": true,
"client_certificate": {
"id": "'$CLIENT_CERT_ID'"
},
"method": "POST",
"timeout": 10000
},
"tags": []
}
'Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account. -
controlPlaneId: Theidof the control plane. -
routeId: Theidof the route the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: http-log
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
konghq.com/tags: ''
config:
http_endpoint: '$LOG_SERVER_URL'
ssl_verify: true
client_certificate:
id: '$CLIENT_CERT_ID'
method: POST
timeout: 10000
plugin: http-log
" | kubectl apply -f -Next, apply the KongPlugin resource by annotating the httproute or ingress resource:
kubectl annotate -n kong httproute konghq.com/plugins=http-logkubectl annotate -n kong ingress konghq.com/plugins=http-logPrerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_http_log" "my_http_log" {
enabled = true
config = {
http_endpoint = var.log_server_url
ssl_verify = true
client_certificate = {
id = var.client_cert_id
}
method = "POST"
timeout = 10000
}
tags = []
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
route = {
id = konnect_gateway_route.my_route.id
}
}This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "client_cert_id" {
type = string
}Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
- name: http-log
consumer: consumerName|Id
config:
http_endpoint: ${{ env "DECK_LOG_SERVER_URL" }}
ssl_verify: true
client_certificate:
id: ${{ env "DECK_CLIENT_CERT_ID" }}
method: POST
timeout: 10000Make sure to replace the following placeholders with your own values:
-
consumerName|Id: Theidornameof the consumer the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/consumers/{consumerName|Id}/plugins/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "http-log",
"config": {
"http_endpoint": "'$LOG_SERVER_URL'",
"ssl_verify": true,
"client_certificate": {
"id": "'$CLIENT_CERT_ID'"
},
"method": "POST",
"timeout": 10000
},
"tags": []
}
'Make sure to replace the following placeholders with your own values:
-
consumerName|Id: Theidornameof the consumer the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/consumers/{consumerId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "http-log",
"config": {
"http_endpoint": "'$LOG_SERVER_URL'",
"ssl_verify": true,
"client_certificate": {
"id": "'$CLIENT_CERT_ID'"
},
"method": "POST",
"timeout": 10000
},
"tags": []
}
'Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account. -
controlPlaneId: Theidof the control plane. -
consumerId: Theidof the consumer the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: http-log
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
konghq.com/tags: ''
config:
http_endpoint: '$LOG_SERVER_URL'
ssl_verify: true
client_certificate:
id: '$CLIENT_CERT_ID'
method: POST
timeout: 10000
plugin: http-log
" | kubectl apply -f -Next, apply the KongPlugin resource by annotating the KongConsumer resource:
kubectl annotate -n kong kongconsumer CONSUMER_NAME konghq.com/plugins=http-logPrerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_http_log" "my_http_log" {
enabled = true
config = {
http_endpoint = var.log_server_url
ssl_verify = true
client_certificate = {
id = var.client_cert_id
}
method = "POST"
timeout = 10000
}
tags = []
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
consumer = {
id = konnect_gateway_consumer.my_consumer.id
}
}This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "client_cert_id" {
type = string
}