No log entry in ingressgateway access log if TLS handshake error

Hey everybody,

We’ve globally enabled access logging and it generally works ok.
But if the request fails during a TLS handshake we get absolutely nothing in the ingressgateway log.

We can of course enable debugging in the ingressgateway which will tell us what the issue is but for our production system that is not really an option.

When one of our partners experiences some connection issue with our service mesh, we need to be able to:

  • identify the request (at the very least have an entry in the access log if they actually tried to access our ingressgateway)
  • see what the issue is. E.g.
    • handshake error - PEER_DID_NOT_RETURN_A_CERTIFICATE

Is that possible? And if so, how do we enable such logging? I’m thinking it must be a common issue!?

I’ve naturally googled / searched forums etc. and I found many related issues (old and new), so I’m more or less thinking it should be resolved? E.g. https://github.com/envoyproxy/envoy/issues/1472

Can anybody provide any insight?
Many thanks in advance.

Best regards
Jesper

Feel free to open a GitHub issue for this if it isn’t already available in Istio.

reference this issue https://github.com/envoyproxy/envoy/issues/13563
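For readers landing on this thread with the same problem, the following is an added example (not part of the original question or reply, and not an Istio-provided manifest). Envoy's normal HTTP access log is only emitted once a request reaches the HTTP connection manager, which a connection that dies during the TLS handshake never does. The example therefore attaches an access logger at the listener level with an EnvoyFilter on the ingress gateway, so that connections that fail before a filter chain is selected still produce a line, and it includes the `%DOWNSTREAM_TRANSPORT_FAILURE_REASON%` operator, which carries the TLS error text (for example a missing client certificate). It assumes an Istio release whose bundled Envoy supports the listener-level `access_log` field and that operator, and that the gateway pods carry the `istio: ingressgateway` label; the filter name is a constructed placeholder.

```yaml
# Added example: listener-level access log for the Istio ingress gateway.
# Assumes an Envoy version that supports `access_log` on the Listener
# resource and the %DOWNSTREAM_TRANSPORT_FAILURE_REASON% format operator.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: ingressgateway-listener-access-log   # constructed name
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway                  # assumed gateway pod label
  configPatches:
  - applyTo: LISTENER
    match:
      context: GATEWAY
    patch:
      operation: MERGE
      value:
        # Listener-level loggers fire for connections that never reach a
        # filter chain, which is where TLS handshake failures are dropped.
        access_log:
        - name: envoy.access_loggers.file
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
            path: /dev/stdout
            log_format:
              text_format_source:
                inline_string: >-
                  [%START_TIME%] listener-level conn
                  src=%DOWNSTREAM_REMOTE_ADDRESS%
                  dst=%DOWNSTREAM_LOCAL_ADDRESS%
                  sni=%REQUESTED_SERVER_NAME%
                  tls_failure="%DOWNSTREAM_TRANSPORT_FAILURE_REASON%"
```

Apply it with `kubectl apply -f` and then trigger a known-bad handshake from a test client (for example, omitting the client certificate when the gateway requires mutual TLS) to confirm that a `listener-level conn` line with a non-empty `tls_failure` value appears in the gateway's stdout. Successful connections also produce a line with an empty `tls_failure` field, so filter on that field in your log pipeline if you only want the failures. Because the log line exposes the peer address and SNI but no request body or credentials, it is safe to keep enabled in production, unlike proxy debug logging.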