Envoy's access log and mTLS verification

Istio is some kind of magic. We wanted to enable mTLS between services. Created a PeerAuthentication in STRICT mode and BAM - it works. At least it should be working, according to the documentation. Besides that, we can see padlock icons in the Grafana and Kiali UIs. Nevertheless, I felt like I needed some logging/audit proof that our workloads are connecting with each other using mTLS.

I found the topic:

suggesting that I should read Envoy’s access log.

Ok, I’m on it. But wait. This guide, “Istio / Getting Envoy's Access Logs”, does not describe how to enable access logs for a Helm installation (and that’s the one I need). The term “accessLogFile” occurs only once, in regard to the demo profile, in the following directory: istio/manifests at master · istio/istio · GitHub

Can you help me with accessing the access log and/or verifying that mTLS is enabled? When I send an HTTP request from one workload to another in a mesh that’s configured to enforce mTLS, I’d like to know what TLS version and cipher suite were used when Istio was doing its job, tunnelling HTTP over HTTPS.
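An added example, not part of the original post or of Istio's code: one way to get the audit proof asked for above is to log the TLS fields in JSON and classify each inbound sidecar entry. It assumes `meshConfig.accessLogFile`, `accessLogEncoding: JSON` and an `accessLogFormat` that maps the Envoy operators named in the comment to the hypothetical keys `tls_version`, `tls_cipher`, `peer_uri_san` and `upstream_cluster`; the log lines are constructed samples.

```python
import json

# Assumed accessLogFormat mapping (key names are hypothetical, operators are Envoy's):
#   tls_version  <- %DOWNSTREAM_TLS_VERSION%   tls_cipher       <- %DOWNSTREAM_TLS_CIPHER%
#   peer_uri_san <- %DOWNSTREAM_PEER_URI_SAN%  upstream_cluster <- %UPSTREAM_CLUSTER%
EMPTY = (None, "", "-")  # ways an unset operator can appear in the log

# Constructed sample lines, as a server-side sidecar might emit them.
SAMPLE_LOG = """\
{"upstream_cluster":"inbound|8080||","tls_version":"TLSv1.3","tls_cipher":"TLS_AES_128_GCM_SHA256","peer_uri_san":"spiffe://cluster.local/ns/shop/sa/cart"}
{"upstream_cluster":"outbound|8080||orders.shop.svc.cluster.local","tls_version":null,"tls_cipher":null,"peer_uri_san":null}
{"upstream_cluster":"inbound|8080||","tls_version":null,"tls_cipher":null,"peer_uri_san":null}
{"upstream_cluster":"inbound|8080||","tls_version":"TLSv1.2","tls_cipher":"ECDHE-RSA-AES128-GCM-SHA256","peer_uri_san":"-"}
not json: startup banner
"""

def classify(entry):
    """Label one inbound entry by what the downstream (client-side) TLS fields show."""
    if entry.get("tls_version") in EMPTY:
        return "plaintext"                 # no TLS session on the inbound listener
    if entry.get("peer_uri_san") in EMPTY:
        return "tls-no-client-identity"    # TLS, but no client certificate URI SAN logged
    return "mtls"                          # TLS plus a client identity

def audit(log_text):
    """Group inbound entries by class; count lines that are not inbound JSON entries."""
    report = {"mtls": [], "plaintext": [], "tls-no-client-identity": [], "skipped": 0}
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except ValueError:
            entry = None
        # Only inbound entries describe the sidecar-to-sidecar hop; on outbound
        # entries the downstream is the local application, which speaks plaintext.
        if not isinstance(entry, dict) or not str(
                entry.get("upstream_cluster", "")).startswith("inbound|"):
            report["skipped"] += 1
            continue
        report[classify(entry)].append(
            (entry.get("tls_version"), entry.get("tls_cipher"), entry.get("peer_uri_san")))
    return report

if __name__ == "__main__":
    for label, rows in audit(SAMPLE_LOG).items():
        print(label, rows)
```

Under STRICT mode, any inbound entry that lands outside the `mtls` bucket is the one to investigate.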