openshift · jmanthei · Apr 1, 2026 · ocpdocs-vale-bot · Apr 2, 2026
diff --git a/modules/nw-configure-ingress-access-logging.adoc b/modules/nw-configure-ingress-access-logging.adoc
@@ -102,6 +102,36 @@ spec:
       httpLogFormat: '%ci:%cp [%t] %ft %b/%s %B %bq %HM %HU %HV'
 ----
 
+Configure Ingress access logging with HTTPS-specific or TCP-layer log formats.
+
+* Starting in {product-title} 4.22, you can set `spec.logging.access.httpsLogFormat` and `spec.logging.access.tcpLogFormat` in addition to `httpLogFormat`. Use `httpsLogFormat` when you need TLS-related fields for HTTPS traffic such as TLS passthrough routes. Use `tcpLogFormat` to control the format of access logs for TCP connections before TLS is terminated on the ingress controller.
++
+[source,yaml]
+----
+apiVersion: operator.openshift.io/v1
+kind: IngressController
+metadata:
+  name: default
+  namespace: openshift-ingress-operator
+spec:
+  replicas: 2
+  logging:
+    access:
+      destination:
+        type: Syslog
+        syslog:
+          address: 1.2.3.4
+          port: 10514
+      httpLogFormat: '%ci:%cp [%t] %ft %b/%s %B %bq %HM %HU %HV'
+      httpsLogFormat: '%ci:%cp [%t] %ft %b/%s %B %bq %HM %HU %HV'
+      tcpLogFormat: '%ci:%cp [%t] %ft %b/%s %Tw %Tc %Tt'
+----
++
+[NOTE]
+====
+The example uses the same `httpsLogFormat` string as `httpLogFormat` for illustration. For TLS passthrough routes and other cases where you need TLS-specific fields, build a format string using HAProxy `log-format` rules; see link:http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.4[Custom log format] in the HAProxy documentation.
+====
+
 Disable Ingress access logging.
 
 * To disable Ingress access logging, leave `spec.logging` or `spec.logging.access` empty:

diff --git a/modules/nw-ingress-controller-configuration-parameters.adoc b/modules/nw-ingress-controller-configuration-parameters.adoc
@@ -176,6 +176,8 @@ The `AllowedSubjectPatterns` is an optional value that specifies a list of regul
 **** `maxLength` is the maximum length of the syslog message. It must be between `480` and `4096` bytes. If this field is empty, the maximum length is set to the default value of `1024` bytes.
 **** `facility` specifies the syslog facility of log messages. If this field is empty, the facility is `local1`. Otherwise, it must specify a valid syslog facility: `kern`, `user`, `mail`, `daemon`, `auth`, `syslog`, `lpr`, `news`, `uucp`, `cron`, `auth2`, `ftp`, `ntp`, `audit`, `alert`, `cron2`, `local0`, `local1`, `local2`, `local3`. `local4`, `local5`, `local6`, or `local7`.
 ** `httpLogFormat` specifies the format of the log message for an HTTP request. If this field is empty, log messages use the implementation's default HTTP log format. For HAProxy's default HTTP log format, see link:http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.3[the HAProxy documentation].
+** `httpsLogFormat` specifies the format of the log message for HTTPS connections where you need TLS-specific log format variables that `httpLogFormat` does not cover. For example, this applies to TLS passthrough routes, where the ingress controller does not terminate TLS and the connection is not logged as decrypted HTTP traffic. If this field is empty, log messages use the implementation's default format for those HTTPS connections. For custom log format syntax, see link:http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.4[Custom log format] in the HAProxy documentation.
+** `tcpLogFormat` specifies the format of the log message for TCP connections before TLS termination—that is, the TCP front end that receives traffic prior to decryption. Use this field for a consistent TCP-layer access log format in that phase of the connection. If this field is empty, log messages use the implementation's default TCP log format. For HAProxy's default TCP log format, see link:http://cbonte.github.io/haproxy-dconv/2.0/configuration.html#8.2.2[the HAProxy documentation].
 
 |`httpHeaders`
 |`httpHeaders` defines the policy for HTTP headers.

diff --git a/rest_api/operator_apis/ingresscontroller-operator-openshift-io-v1.adoc b/rest_api/operator_apis/ingresscontroller-operator-openshift-io-v1.adoc
@@ -1855,6 +1855,24 @@ terminates encryption (that is, edge-terminated or reencrypt
 connections).  It does not affect the log format for TLS passthrough
 connections.
 
+| `httpsLogFormat`
+| `string`
+| httpsLogFormat specifies the format of the log message for HTTPS
+connections where TLS-specific log format variables are required that
+httpLogFormat does not cover, such as TLS passthrough routes where the
+ingress controller does not terminate TLS.
+
+If this field is empty, log messages use the implementation's default
+format for those HTTPS connections.
+
+| `tcpLogFormat`
+| `string`
+| tcpLogFormat specifies the format of the log message for TCP connections
+before TLS termination on the ingress controller.
+
+If this field is empty, log messages use the implementation's default
+TCP log format.
+
 | `logEmptyRequests`
 | `string`
 | logEmptyRequests specifies how connections on which no request is