Collect Metrics for AWS Elastic Load Balancer Application
Collect Logs for AWS Elastic Load Balancer Application
Before you can begin to use the Sumo Logic App for Application Load Balancing, complete the following steps:
- Grant Sumo Logic access to an Amazon S3 bucket.
Confirm that logs are being delivered to the Amazon S3 bucket.
Add an AWS ALB Source to Sumo Logic.
These configuration instructions apply to log collection from all AWS Source types. Select the correct Source type your specific Source in Step 3. For instructions on collecting CloudWatch metrics from Amazon, see Amazon CloudWatch Source for Metrics.
- In Sumo Logic select Manage Data > Collection > Collection.
- On the Collectors page, click Add Source next to a hosted collector, either an existing hosted collector, or one you have created for this purpose.
- Select your AWS Source type.
- Enter a name to display for the new Source. Description is optional.
- For Bucket Name, enter the exact name of your organization's S3 bucket.
Be sure to double-check the name as it appears in AWS, for example:
- For Path Expression, enter the string that matches the S3 objects you'd like to collect. You can use one wildcard (*) in this string. Recursive path expressions use a single wild card and do NOT use a leading forward slash. See About Amazon Path Expressions for details.
- Collection should begin. Select a collection start time from the menu, or select All Time to collect all logs.
- For Source Category, enter any string to tag the output collected from this Source. (Category metadata is stored in a searchable field called _sourceCategory.)
- For Key ID, enter the AWS Access Key ID number granted to Sumo Logic. (See Granting access to an S3 bucket for more information.)
- For Secret Key, enter the AWS Secret Access Key Sumo Logic should use to access the S3 bucket. (See Granting access to an S3 bucket for more information.)
- For Scan Interval, use the default of 5 minutes. Alternately, enter the frequency Sumo Logic will scan your S3 bucket for new data. To learn more about Scan Interval considerations, see About setting the S3 Scan Interval.
- Set any of the following under Advanced:
- Enable Timestamp Parsing. This option is selected by default. If it's deselected, no timestamp information is parsed at all.
- Time Zone. There are two options for Time Zone. You can use the time zone present in your log files, and then choose an option in case time zone information is missing from a log message. Or, you can have Sumo Logic completely disregard any time zone information present in logs by forcing a time zone. It's very important to have the proper time zone set, no matter which option you choose. If the time zone of logs can't be determined, Sumo Logic assigns logs UTC; if the rest of your logs are from another time zone your search results will be affected.
- Timestamp Format. By default, Sumo Logic will automatically detect the timestamp format of your logs. However, you can manually specify a timestamp format for a Source. See Timestamps, Time Zones, Time Ranges, and Date Formats for more information.
- Enable Multiline Processing. Multiline processing is enabled by default. Use this option if you're working with multi-line messages (for example, log4J or exception stack traces). Deselect this option if you want to avoid unnecessary processing when collecting single-message-per-line files (for example, Linux system.log).
- Infer Boundaries. Enable when you want Sumo Logic to automatically attempt to determine which lines belong to the same message.
If you deselect the Infer Boundaries option, you will need to enter a regular expression in the Boundary Regex field to use for detecting the entire first line of multi-line messages.
- Boundary Regex. You can specify the boundary between messages using a regular expression. Enter a regular expression for the full first line of every multi-line message in your log files. For an example, see the Define Boundary Regex topic.
- Create any Processing Rules you'd like for the AWS Source.
- When you are finished configuring the Source click Save.
Sample Log Message
https 2017-11-20T22:05:36 long-bill-lb 18.104.22.168:41148 10.168.203.134:23662 0.000201 0.401924 0.772005 500 200 262 455 "GET https://elmagek.no-ip.org:443/json/v1/collector/histogram/100105037?startTimestamp=1405571270000&endTimestamp=1405574870000&bucketCount=60&_=1405574870206 HTTP/1.1" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:22.214.171.124) Gecko/2008102920 Firefox/3.0.4" DH-RSA-AES256-GCM-SHA384 TLSv1.2 arn:aws:elasticloadbalancing:us-west-2:104030218370:targetgroup/Prod-frontend/92e3199b1rc814fe9 "Root=1-58337364-23a8c76965a2ef7629b185e134"
Top 10 Client IPs
| parse "* * * * * * * * * * * * \"*\" \"*\" * * * \"*\"" as type, datetime, ELB_Server, client, backend, request_processing_time, target_processing_time, response_processing_time, elb_status_code, target_status_code, received_bytes, sent_bytes, request,user_agent,ssl_cipher,ssl_protocol,target_group_arn,trace_id
| parse field=request "* *://*:*/* HTTP" as method, protocol, domain, server_port, uri
| parse field=target_group_arn "* " as target_group_arn nodrop
| parse field=client "*:*" as clientIP, port nodrop
| parse field=backend "*:*" as backendIP, backend_port nodrop
| fields - request, client, backend
| where (elb_status_code matches "5*") or (elb_status_code matches "4*")
| if (elb_status_code matches "5*",1,0) as elb_5XX
| if (elb_status_code matches "4*",1,0) as elb_4XX
| sum(elb_4XX) as elb_4XX, sum(elb_5XX) as elb_5XX by clientIP | (elb_4xx+elb_5XX) as elb_total
| filter clientIP in (order by elb_total | limit 20)
| order by elb_total | fields - elb_total