antrea-io · antoninbas · Feb 27, 2024 · Feb 21, 2024 · antoninbas · Feb 23, 2024
diff --git a/docs/antrea-l7-network-policy.md b/docs/antrea-l7-network-policy.md
@@ -119,7 +119,7 @@ OPTIONS, CONNECT and PATCH. If not set, the rule matches all methods.
 
 #### More examples
 
-The following NetworkPolicy grants access of privileged URLs to specific clients while make other URLs publicly
+The following NetworkPolicy grants access of privileged URLs to specific clients while making other URLs publicly
 accessible:
 
 ```yaml
@@ -146,7 +146,7 @@ spec:
             path: "/admin/*"
         - http:
             path: "/public/*"
-    - name: for-public   # Allow inbound HTTP GET requests to "/public" from Pods with label "app=client".
+    - name: for-public   # Allow inbound HTTP GET requests to "/public" from everyone.
       action: Allow      # All other inbound traffic will be automatically dropped.
       l7Protocols:
         - http:
@@ -292,9 +292,38 @@ spec:
 
 Layer 7 traffic that matches the NetworkPolicy will be logged in an event
 triggered log file (`/var/log/antrea/networkpolicy/l7engine/eve-YEAR-MONTH-DAY.json`).
-The event type for this log is `alert`. If `enableLogging` is set for the rule,
+Logs are categorized by **event_type**. The event type for allowed traffic is `http`,
+for dropped traffic it is `alert`. If `enableLogging` is set for the rule, dropped
 packets that match the rule will also be logged in addition to the event with
-event type `packet`. Below is an example of the two event types.
+event type `packet`. Below are examples for allow, drop, packet scenarios.
+
+Allow ingress from client (10.10.1.8) to web (10.10.1.7/public/*)
+
+```json
+{
+  "timestamp": "2024-02-22T21:26:07.074791+0000",
+  "flow_id": 757085628206447,
+  "in_iface": "antrea-l7-tap0",
+  "event_type": "http",
+  "vlan": [1],
+  "src_ip": "10.10.1.8",
+  "src_port": 44132,
+  "dest_ip": "10.10.1.7",
+  "dest_port": 80,
+  "proto": "TCP",
+  "tx_id": 0,
+  "http": {
+      "hostname": "10.10.1.7",
+      "url": "/public/main.html",
+      "http_user_agent": "Wget/1.21.1",
+      "http_content_type": "text/html",
+      "http_method": "GET",
+      "protocol": "HTTP/1.1",
+      "status": 404,
+      "length": 153
+  }
+}
+```
 
 Deny ingress from client (10.10.1.5) to web (10.10.1.4/admin)
 
@@ -341,6 +370,8 @@ Deny ingress from client (10.10.1.5) to web (10.10.1.4/admin)
 }
 ```
 
+Additional packet log when `enableLogging` is set
+
 ```json
 {
   "timestamp": "2023-03-09T20:00:28.225016+0000",

diff --git a/pkg/agent/controller/networkpolicy/l7engine/reconciler.go b/pkg/agent/controller/networkpolicy/l7engine/reconciler.go
@@ -76,6 +76,11 @@ outputs:
       types:
         - alert:
             tagged-packets: yes
+        - http:
+            extended: yes
+            tagged-packets: yes
+        - tls:
+            extended: yes
   - eve-log:
       enabled: yes
       filetype: unix_stream