Sumo Logic

Collect Metrics and Logs for AWS Elastic Load Balancing ULM - Classic

Steps to collect metrics and logs for AWS Elastic Load Balancer Classic.

Collect Metrics for AWS Elastic Load Balancer Classic

To collect AWS Elastic Load Balancing Metrics, perform the following tasks:

  1. Configure a Hosted Collector.
  2. Add a CloudWatch Source for Metrics.

Collect Logs for AWS Elastic Load Balancer Classic


  • Enable Elastic Load Balancing logging in your AWS account, using these Sumo Logic instructions. For more information, see AWS ELB documentation. Logging is not enabled in AWS ELB by default.
  • Grant access to an IAM user by following these Sumo Logic instructions.
  • Confirm that logs are being delivered to the Amazon S3 bucket.

To enable logging in AWS

  1. In the AWS Management Console, choose EC2 > Load Balancers.
  2. Under Access Logs, click Edit.
  3. In the Configure Access Logs dialog box, click Enable Access Logs, then choose an Interval and S3 bucket. This is the S3 bucket from which logs will be uploaded to Sumo Logic.
  4. Click Save.

Configure a Collector

Configure a Hosted Collector.

Configure a Source

  1. Configure an AWS ELB Source.
  2. Configure the Source fields:
    1. Name. (Required) ELB, for example.
    2. Path. For example, my-bucket/prefix/AWSLogs/123456789012/*.log
    3. Source Category. (Required) ELB_Prod, for example. For details see Best Practices.
  3. Configure the Advanced section:
    1. Enable Timestamp Parsing. True
    2. Time Zone. Logs are in UTC by default
    3. Timestamp Format. Auto Detect
  4. Click Save.

Sample Log Message

2017-11-06T23:20:38 stag-www-lb 0.007731 0.214433 0.000261 404 200 3194 123279 "GET HTTP/1.1" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20131011 Firefox/23.0" ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2

Query Sample

4XX ELB Status by Client Location

// Scope the search to the Source Category set on the ELB Source (ELB_Prod in the example above)
_sourceCategory=ELB_Prod
| parse "* * * * * * * * * * * \"*\" \"*\" * *" as datetime, ELB_Server, client, backend, request_processing_time, backend_processing_time, response_processing_time, elb_status_code, backend_status_code, received_bytes, sent_bytes, request, user_agent, ssl_cipher, ssl_protocol
| parse field=request "* *://*:*/* HTTP" as method, protocol, domain, server_port, path nodrop
| parse field=client "*:*" as clientIP, port nodrop
| parse field=backend "*:*" as backendIP, backend_port nodrop
| fields - request, client, backend
| where (elb_status_code matches "4*")
| lookup latitude, longitude, country_code, country_name, region, city, postal_code, area_code, metro_code from geo://default on ip = clientIP
| count by latitude, longitude, country_code, country_name, region, city, postal_code, area_code, metro_code
| sort _count
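
The field parsing and 4XX filter from the query above, as an added Python example (not Sumo Logic's code) for checking log lines offline, for instance when confirming what was delivered to the S3 bucket. It groups by client IP instead of geo location; the function names are this example's own, and the IP addresses, URLs and user agents in SAMPLE_LINES are constructed.

```python
import re
from collections import Counter

# Field order mirrors the first parse expression of the query above.
_NAMES = ("datetime ELB_Server client backend request_processing_time "
          "backend_processing_time response_processing_time elb_status_code "
          "backend_status_code received_bytes sent_bytes").split()
# user_agent is client-controlled and may contain quotes, so it is matched
# greedily up to the final '" <ssl_cipher> <ssl_protocol>' of the line.
ELB_LINE = re.compile(
    "^" + " ".join(rf"(?P<{n}>\S+)" for n in _NAMES)
    + r' "(?P<request>[^"]*)" "(?P<user_agent>.*)"'
    + r" (?P<ssl_cipher>\S+) (?P<ssl_protocol>\S+)$")

# The sample message exactly as printed on this page. It carries no client or
# backend field, so it does not match and is dropped, as the query would drop it.
PAGE_SAMPLE = '2017-11-06T23:20:38 stag-www-lb 0.007731 0.214433 0.000261 404 200 3194 123279 "GET HTTP/1.1" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20131011 Firefox/23.0" ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2'
# Constructed sample lines (documentation IP ranges, example.com URLs).
SAMPLE_LINES = [
    '2017-11-06T23:20:38 stag-www-lb 203.0.113.7:51234 10.0.0.5:80 0.007731 0.214433 0.000261 404 404 0 512 "GET http://www.example.com:80/missing HTTP/1.1" "Mozilla/5.0" - -',
    '2017-11-06T23:20:39 stag-www-lb 203.0.113.7:51240 10.0.0.5:80 0.000050 0.001200 0.000030 403 403 0 256 "GET http://www.example.com:80/private HTTP/1.1" "agent "with" quotes" - -',
    '2017-11-06T23:20:40 stag-www-lb 198.51.100.9:40022 10.0.0.6:80 0.000040 0.020000 0.000020 200 200 0 3194 "GET https://www.example.com:443/ HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2',
    PAGE_SAMPLE,
]

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = ELB_LINE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # Equivalent of: parse field=client "*:*" as clientIP, port nodrop
    ip, sep, port = rec["client"].rpartition(":")
    rec["clientIP"], rec["port"] = (ip, port) if sep else ("", "")
    return rec

def count_4xx_by_client(lines):
    """Count 4XX ELB responses per client IP; also return the unparsed line count."""
    counts, dropped = Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            dropped += 1
        elif rec["elb_status_code"].startswith("4"):
            counts[rec["clientIP"]] += 1
    return counts, dropped

if __name__ == "__main__":
    counts, dropped = count_4xx_by_client(SAMPLE_LINES)
    print(counts.most_common(), "unparsed:", dropped)
```

A non-zero unparsed count is worth checking before relying on a dashboard built from the query, since dropped lines never reach the 4XX count.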