h2olog

This project has been integrated into h2o/h2o.

A varnishlog-like BPF (kernel doc) backed HTTP request logging client for the H2O server. h2olog can also be used to log QUIC events for transport layer observation. See Tracing QUIC events for how.

Installing from Source

See requirements for build prerequisites.

$ cmake -Bbuild
$ make -Cbuild
$ sudo make -Cbuild install

If you have BCC installed to a non-standard path, give its path as -DCMAKE_PREFIX_PATH to cmake.

For convenience, you can alternatively run the make.sh script.

Requirements

For building h2olog

• LLVM and clang (>= 3.7.1)
• CMake for generating the build files
• Python 3 for the code generator
• BCC (>= 0.11.0) installed on your system

For Ubuntu 20.04 or later, you can install dependencies with:

sudo apt install clang cmake python3 systemtap-sdt-dev libbpfcc-dev linux-headers-$(uname -r)

For running h2olog

• Root privilege to execute the program
• H2O server built after 53e1db42 with -DWITH_DTRACE=on cmake option

Quickstart

Root privilege is required to interact with the BPF virtual machine.

$ sudo h2olog -p $(pgrep -o h2o)

11 0 RxProtocol HTTP/3.0
11 0 RxHeader   :authority torumk.com
11 0 RxHeader   :method GET
11 0 RxHeader   :path /
11 0 RxHeader   :scheme https
11 0 TxStatus   200
11 0 TxHeader   content-length 123
11 0 TxHeader   content-type text/html
... and more ...

Tracing QUIC events

Server-side QUIC events can be traced using the quic subcommand. Events are rendered in JSON format.

$ sudo h2olog quic -p $(pgrep -o h2o)
               ^
               |_ The quic subcommand

Here's an example trace.

{"time":1584380825832,"type":"accept","conn":1,"dcid":"f8aa2066e9c3b3cf"}
{"time":1584380825835,"type":"crypto-decrypt","conn":1,"pn":0,"len":1236}
{"time":1584380825832,"type":"quictrace-recv","conn":1,"pn":0}
{"time":1584380825836,"type":"crypto-handshake","conn":1,"ret":0}
... and more ...

Program Anatomy

h2olog is a BCC based C++ program. It was previously implemented using the BCC Python binding.