Enabling router access logging is useful in tracking down mis-configured routes or error from upstream services. Router access logging is not enabled by default in OCP. You can enable it by adding the following to default IngressController.
Warning: Enable access logging only for limited time as it will generate quite a lot of log entries
# oc -n openshift-ingress-operator edit IngressController default
spec:
...
logging:
access:
destination:
type: Container
httpLogFormat: >-
log_source="haproxy-default" log_type="http" c_ip="%ci" c_port="%cp"
req_date="%tr" fe_name_transport="%ft" be_name="%b" server_name="%s"
res_time="%TR" tot_wait_q="%Tw" Tc="%Tc" Tr="%Tr" Ta="%Ta"
status_code="%ST" bytes_read="%B" bytes_uploaded="%U"
captrd_req_cookie="%CC" captrd_res_cookie="%CS" term_state="%tsc"
actconn="%ac" feconn="%fc" beconn="%bc" srv_conn="%sc" retries="%rc"
srv_queue="%sq" backend_queue="%bq" captrd_req_headers="%hr"
captrd_res_headers="%hs" http_request="%r"
Adding spec.logging will restart router pods in openshift-ingress with an additional logs container. You can get the log using the following command.
oc -n openshift-ingress logs router-default-xxx -c logs
You can also update destination.type to Syslog and send logs to a syslog server.