Observability and troubleshooting
See what's going on in your cluster with network observability tools and detailed logging.
Getting started
Web console tutorial
Tour of the Calico Enterprise Manager UI navbar covering dashboards, Service Graph, policies, alerts, Kibana, and packet capture controls.
Manage alerts
Configure alerts and review alert events for Calico Enterprise features from the Manager UI or CLI. Use built-in templates for visibility and security.
Kibana dashboards and logs
Use Kibana with Calico Enterprise Elasticsearch to explore flow, L7, audit, BGP, DNS, and intrusion detection event logs across managed clusters.
Packet capture
Capture live pod traffic in self-managed Calico Enterprise clusters from Service Graph or the CLI and export pcap files to Wireshark for analysis.
Network visualization
Use Service Graph in the Calico Enterprise Manager UI to visualize namespace, service, and pod communication patterns and investigate traffic flows.
Getting started with logs
Overview
Calico Enterprise deploys an in-cluster Elasticsearch and Kibana stack for flow, DNS, audit, BGP, and L7 logs with workload context, RBAC, and archival to SIEMs.
Configure data retention
Set retention windows for Calico Enterprise flow, DNS, audit, BGP, L7, snapshot, and compliance report data in the in-cluster LogStorage resource.
Archive logs
Forward Calico Enterprise flow, DNS, audit, and L7 logs to Syslog, Splunk, or Amazon S3 to retain compliance data beyond in-cluster Elasticsearch retention.
Configure RBAC for Elasticsearch logs and events
Set fine-grained Kubernetes RBAC permissions in Calico Enterprise to control access to Elasticsearch flow, audit, DNS, and intrusion detection event indices.
BGP logs
Reference of key/value fields in Calico Enterprise BGP activity logs stored in Elasticsearch, with sample queries for IPv4, IPv6, and per-node lookups.
Audit logs
Calico Enterprise audit logs record changes to network policies, tiers, network sets, host endpoints, and other resources for security and compliance review.
Flow logs
Flow log data types
Reference of key/value fields that Calico Enterprise sends to Elasticsearch for flow logs, including endpoints, actions, byte counts, and policy verdicts.
Filter flow logs
Filter Calico Enterprise flow logs through Fluentd to drop low-significance traffic and reduce in-cluster Elasticsearch volume and cost.
Configure flow log aggregation
Tune Calico Enterprise flow log aggregation levels to balance Elasticsearch volume and cost against pod and IP visibility for allowed and denied traffic.
Enable HostEndpoint reporting in flow logs
Turn on host endpoint reporting in Calico Enterprise flow logs to gain visibility into traffic at HostEndpoint interfaces on Kubernetes nodes.
Enable process-level information in flow logs
Add process executable paths and arguments to Calico Enterprise flow logs with eBPF instrumentation for process-level visibility into network activity.
Enabling TCP socket stats in flow logs
Add TCP socket statistics to Calico Enterprise flow logs with eBPF programs that capture round-trip time, retransmits, and other per-socket metrics.
DNS logs
Configure DNS logs
Reference of key/value fields in Calico Enterprise DNS activity logs stored in Elasticsearch, with guidance for constructing client and query lookups.
Filter DNS logs
Suppress low-value Calico Enterprise DNS log entries with Fluentd filters configured through a ConfigMap in the operator namespace.
L7 logs
Configure L7 logs
Deploy Envoy and aggregate Calico Enterprise L7 logs to monitor HTTP traffic patterns between application workloads in self-managed clusters.
L7 log data types
Reference of key/value fields that Calico Enterprise sends to Elasticsearch for L7 logs, including durations, byte counts, and HTTP request metadata.