Sumo Logic

Collect Logs for AWS Elastic Load Balancer - Classic

This procedure documents how to enable access to your Amazon Web Services (AWS) Elastic Load Balancing (ELB) logs and ingest them into Sumo Logic.

Log Types

ELB logs are stored as .log files in the buckets you specify when you enable logging.

The process to enable collection for these logs is described in AWS ELB Enable Access Logs.

The logs themselves contain these fields in this order:
datetime, ELB_Server, clientIP, port, backend, backend_port, requestProc, ba_Response, cli_Response, ELB_StatusCode, be_StatusCode, rcvd, send, method, protocol, domain, server_port, path

The log format is described in AWS ELB Access Log Collection.

Prerequisites

  • Enable Elastic Load Balancing logging in your AWS account, using these Sumo Logic instructions. For more information, see AWS ELB documentation. Logging is not enabled in AWS ELB by default.
  • Grant access to an IAM user by following these Sumo Logic instructions.
  • Confirm that logs are being delivered to the Amazon S3 bucket.

To enable logging in AWS

  1. In the AWS Management Console, choose EC2 > Load Balancers.
  2. Under Access Logs, click Edit.
  3. In the Configure Access Logs dialog box, click Enable Access Logs, then choose an Interval and an S3 bucket. This is the S3 bucket from which Sumo Logic will collect the logs.
  4. Click Save.

Configure a Collector

Configure a Hosted Collector.

Configure a Source

  1. Configure an AWS ELB Source.
  2. Configure the Source fields:
    1. Name. (Required) ELB, for example.
    2. Path. For example, my-bucket/prefix/AWSLogs/123456789012/*.log
    3. Source Category. (Required) ELB_Prod, for example. For details see Best Practices.
  3. Configure the Advanced section:
    1. Enable Timestamp Parsing. True
    2. Time Zone. Make sure to set it to (UTC) Etc/UTC
    3. Timestamp Format. Auto Detect
  4. Click Save.

Field Extraction Rules

For Field Extraction Rules, use the source category established earlier.

AWS Elastic Load Balancing Logs

parse "* * *:* *:* * * * * * * * \"* *://*:*/* HTTP" as datetime, ELB_Server, clientIP, port, backend, backend_port, requestProc, ba_Response, cli_Response, ELB_StatusCode, be_StatusCode, rcvd, send, method, protocol, domain, server_port, path

Sample Log Message

2017-01-20T23:00:26.059475Z elb-shop-com 10.15.120.181:80 10.34.7.122:80 0.000026 0.315185 0.000027 200 200 51 1230 "POST https://examplesite.com:443/Common/path HTTP/1.1" "Mozilla/5.0 (Safari; Touch) AppleWebKit/537.35+ (HTML, like Gecko) Version/10.3.2.2239 Mobile Safari/517.35+"

Query Sample

Name - Request by Geolocation

_sourceCategory=elb*
| parse "* * *:* *:* * * * * * * * \"* *://*:*/* HTTP" as f1, elb_server, clientIP, port, backend, backend_port, requestProc, ba_Response, cli_Response, ELB_StatusCode, be_StatusCode, rcvd, send, method, protocol, domain, server_port, path nodrop
// nodrop on the second parse as well, so messages that matched the first pattern (those carrying a request) are not dropped here
| parse "* * *:* *:* * * * * * * * \"-" as f1, elb_server, clientIP, port, backend, backend_port, requestProc, ba_Response, cli_Response, ELB_StatusCode, be_StatusCode, rcvd, send nodrop
| lookup latitude, longitude, country_code, country_name, region, city, postal_code, area_code, metro_code from geo://default on ip = clientIP
| count by latitude, longitude, country_code, country_name, region, city, postal_code, area_code, metro_code
| sort _count
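The field extraction rule and the two parse expressions in the query above describe the same record layout: fixed-position transport fields, then a quoted request that is either `METHOD scheme://host:port/path HTTP/x.y` or a placeholder when the ELB never forwarded a request. The following Python parser is an added example, not Sumo Logic code, that applies that layout to raw log lines outside the product, using the page's field names. It goes slightly beyond the page's patterns: a missing backend (`-`) and negative timing values are kept as `None` rather than failing the match, and `count_by` mirrors the query's `count by` step. The two sample lines are constructed; the first reproduces the page's sample message and the second is a request-less 503 record of the kind the `\"-` branch handles.

```python
"""Parser for AWS Classic ELB access-log lines, following the field names the
page's parse expression assigns (datetime ... path). Added example; not part of
the Sumo Logic documentation or product."""
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample lines. The first reproduces the page's sample message; the
# second is a request-less record (ELB answered 503 with no backend), the case
# the page's second parse expression ("\"-") covers.
SAMPLE_LINES = [
    '2017-01-20T23:00:26.059475Z elb-shop-com 10.15.120.181:80 10.34.7.122:80 0.000026 '
    '0.315185 0.000027 200 200 51 1230 "POST https://examplesite.com:443/Common/path HTTP/1.1" '
    '"Mozilla/5.0 (Safari; Touch) AppleWebKit/537.35+ (HTML, like Gecko) Version/10.3.2.2239 '
    'Mobile Safari/517.35+"',
    '2017-01-20T23:00:27.000000Z elb-shop-com 10.15.120.182:51234 - -1 -1 -1 503 0 0 0 '
    '"- - - " "-"',
]

# Fixed-position fields up to the quoted request; the request and the optional
# quoted user agent are matched as whole quoted strings because they contain spaces.
LINE_RE = re.compile(
    r'^(?P<datetime>\S+) (?P<ELB_Server>\S+) (?P<client>\S+) (?P<backend>\S+) '
    r'(?P<requestProc>\S+) (?P<ba_Response>\S+) (?P<cli_Response>\S+) '
    r'(?P<ELB_StatusCode>\S+) (?P<be_StatusCode>\S+) (?P<rcvd>\d+) (?P<send>\d+) '
    r'"(?P<request>[^"]*)"(?: "(?P<user_agent>[^"]*)")?'
)

# Same shape as the page's "\"* *://*:*/* HTTP" sub-pattern: method, protocol,
# domain, server_port, path (path without its leading slash, as that pattern yields).
REQUEST_RE = re.compile(
    r'^(?P<method>\S+) (?P<protocol>[A-Za-z][A-Za-z0-9+.-]*)://(?P<domain>[^/:\s]+):'
    r'(?P<server_port>\d+)/(?P<path>\S*) HTTP/[\d.]+$'
)


def _split_endpoint(token: str):
    """'10.34.7.122:80' -> ('10.34.7.122', 80); '-' (no backend) -> (None, None)."""
    if ':' not in token:
        return None, None
    host, _, port = token.rpartition(':')
    return host, int(port)


def _num(token: str, cast):
    """ELB writes -1 or '-' for values it could not measure; keep those as None."""
    try:
        value = cast(token)
    except ValueError:
        return None
    return None if value < 0 else value


def parse_elb_line(line: str) -> Optional[Dict[str, object]]:
    """Return the page's 18 fields (plus user_agent) for one log line, or None
    when the line is not a Classic ELB access-log record at all."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client_ip, client_port = _split_endpoint(m['client'])
    backend, backend_port = _split_endpoint(m['backend'])
    rec = {
        'datetime': m['datetime'],
        'ELB_Server': m['ELB_Server'],
        'clientIP': client_ip, 'port': client_port,
        'backend': backend, 'backend_port': backend_port,
        'requestProc': _num(m['requestProc'], float),
        'ba_Response': _num(m['ba_Response'], float),
        'cli_Response': _num(m['cli_Response'], float),
        'ELB_StatusCode': _num(m['ELB_StatusCode'], int),
        'be_StatusCode': _num(m['be_StatusCode'], int),
        'rcvd': int(m['rcvd']), 'send': int(m['send']),
        'method': None, 'protocol': None, 'domain': None,
        'server_port': None, 'path': None,
        'user_agent': m['user_agent'],
    }
    # Request-less records ("- - - ") keep the transport fields but get no HTTP
    # fields, which is what the page's second parse expression extracts.
    r = REQUEST_RE.match(m['request'])
    if r:
        rec.update(method=r['method'], protocol=r['protocol'], domain=r['domain'],
                   server_port=int(r['server_port']), path=r['path'])
    return rec


def count_by(lines: List[str], field: str) -> Dict[object, int]:
    """Equivalent of the query's 'count by <field>' over the parsed records."""
    return dict(Counter(rec[field] for rec in map(parse_elb_line, lines) if rec))


if __name__ == '__main__':
    for ln in SAMPLE_LINES:
        print(parse_elb_line(ln))
    print(count_by(SAMPLE_LINES, 'ELB_StatusCode'))
```

Records whose request is the placeholder are the ones worth keeping rather than dropping: they are the requests the ELB answered itself (here a 503 with no backend and `-1` timings), so counting them by `ELB_StatusCode` alongside the normal records is the offline equivalent of running both parse branches with `nodrop`.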

Sumo Logic App

Now that you have set up collection for AWS ELB, install the Sumo Logic App for AWS Elastic Load Balancing to use the preconfigured searches and dashboards, which provide insight into website visitor behavior patterns, monitor server operations, and assist in troubleshooting issues that span entire web server farms.