

# Monitor your Application Load Balancers
<a name="load-balancer-monitoring"></a>

You can use the following features to monitor your load balancers, analyze traffic patterns, and troubleshoot issues with your load balancers and targets.

**CloudWatch metrics**  
You can use Amazon CloudWatch to retrieve statistics about data points for your load balancers and targets as an ordered set of time-series data, known as *metrics*. You can use these metrics to verify that your system is performing as expected. For more information, see [CloudWatch metrics for your Application Load Balancer](load-balancer-cloudwatch-metrics.md).

**Access logs**  
You can use access logs to capture detailed information about the requests made to your load balancer and store them as log files in Amazon S3. You can use these access logs to analyze traffic patterns and to troubleshoot issues with your targets. For more information, see [Access logs for your Application Load Balancer](load-balancer-access-logs.md).

**Connection logs**  
You can use connection logs to capture attributes about the requests sent to your load balancer, and store them as log files in Amazon S3. You can use these connection logs to determine the client IP address and port, client certificate information, connection results, and TLS ciphers being used. These connection logs can then be used to review request patterns, and other trends. For more information, see [Connection logs for your Application Load Balancer](load-balancer-connection-logs.md).

**Health check logs**  
You can use health check logs to capture detailed information about the health checks made to your registered targets for your load balancer and store them as log files in Amazon S3. You can use these health check logs to troubleshoot issues with your targets. For more information, see [Health check logs](load-balancer-health-check-logs.md).

**Request tracing**  
You can use request tracing to track HTTP requests. The load balancer adds a header with a trace identifier to each request it receives. For more information, see [Request tracing for your Application Load Balancer](load-balancer-request-tracing.md).

**CloudTrail logs**  
You can use AWS CloudTrail to capture detailed information about the calls made to the Elastic Load Balancing API and store them as log files in Amazon S3. You can use these CloudTrail logs to determine which calls were made, the source IP address where the call came from, who made the call, when the call was made, and so on. For more information, see [Log API calls for Elastic Load Balancing using CloudTrail](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/cloudtrail-logs.html).

# CloudWatch metrics for your Application Load Balancer
<a name="load-balancer-cloudwatch-metrics"></a>

Elastic Load Balancing publishes data points to Amazon CloudWatch for your load balancers and your targets. CloudWatch enables you to retrieve statistics about those data points as an ordered set of time-series data, known as *metrics*. Think of a metric as a variable to monitor, and the data points as the values of that variable over time. For example, you can monitor the total number of healthy targets for a load balancer over a specified time period. Each data point has an associated time stamp and an optional unit of measurement.

You can use metrics to verify that your system is performing as expected. For example, you can create a CloudWatch alarm to monitor a specified metric and initiate an action (such as sending a notification to an email address) if the metric goes outside what you consider an acceptable range.

Elastic Load Balancing reports metrics to CloudWatch only when requests are flowing through the load balancer. If there are requests flowing through the load balancer, Elastic Load Balancing measures and sends its metrics in 60-second intervals. If there are no requests flowing through the load balancer or no data for a metric, the metric is not reported.

Metrics for Application Load Balancers exclude health check requests.

For more information, see the [Amazon CloudWatch User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/).
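The alarm workflow described above (watch a metric, act when it leaves the acceptable range) combined with the reporting rule that a quiet minute produces no datapoint at all, as an added example that is not AWS documentation code. It builds `put_metric_alarm` requests for the security-relevant metrics this page lists (`ClientTLSNegotiationErrorCount`, `DesyncMitigationMode_NonCompliant_Request_Count`, `HTTPCode_ELB_4XX_Count`, `LowReputationRequestsDenied`, `ELBAuthFailure`) and evaluates them offline against constructed 60-second datapoints. The load balancer dimension value, SNS topic ARN, alarm names and thresholds are constructed placeholders; the M-of-N evaluator is a simplified model of CloudWatch's `TreatMissingData='notBreaching'` behaviour, not the service's own logic.

```python
"""Define CloudWatch alarms on AWS/ApplicationELB metrics and evaluate them offline.

Added example, not AWS code. Dimension value, topic ARN and thresholds are
constructed placeholders; replace them with your own.
"""
from typing import Callable, Dict, List, Optional

# Constructed placeholder values (not from the documentation page).
LB_DIMENSION = {"Name": "LoadBalancer", "Value": "app/example-alb/0123456789abcdef"}
TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:security-alerts"

OPERATORS: Dict[str, Callable[[float, float], bool]] = {
    "GreaterThanThreshold": lambda v, t: v > t,
    "GreaterThanOrEqualToThreshold": lambda v, t: v >= t,
    "LessThanThreshold": lambda v, t: v < t,
    "LessThanOrEqualToThreshold": lambda v, t: v <= t,
}


def alarm_request(name: str, metric: str, threshold: float,
                  evaluation_periods: int = 5, datapoints_to_alarm: int = 3) -> Dict:
    """Keyword arguments for boto3 cloudwatch.put_metric_alarm().

    Sum is the meaningful statistic for these count metrics. Period is 60 s
    because ALB publishes at 60-second intervals. notBreaching matters here:
    a minute with no traffic yields no datapoint, and that silence must not
    be treated as an alarm condition.
    """
    return {
        "AlarmName": name,
        "Namespace": "AWS/ApplicationELB",
        "MetricName": metric,
        "Dimensions": [LB_DIMENSION],
        "Statistic": "Sum",
        "Period": 60,
        "EvaluationPeriods": evaluation_periods,
        "DatapointsToAlarm": datapoints_to_alarm,
        "Threshold": threshold,
        "ComparisonOperator": "GreaterThanThreshold",
        "TreatMissingData": "notBreaching",
        "AlarmActions": [TOPIC_ARN],
    }


# Illustrative thresholds; baseline them against your own traffic.
SECURITY_ALARMS: List[Dict] = [
    alarm_request("alb-tls-negotiation-errors", "ClientTLSNegotiationErrorCount", 50),
    alarm_request("alb-desync-noncompliant", "DesyncMitigationMode_NonCompliant_Request_Count", 0),
    alarm_request("alb-elb-4xx-spike", "HTTPCode_ELB_4XX_Count", 500),
    alarm_request("alb-low-reputation-denied", "LowReputationRequestsDenied", 0),
    alarm_request("alb-auth-failures", "ELBAuthFailure", 20),
]


def evaluate(alarm: Dict, datapoints: List[Optional[float]]) -> str:
    """Return 'ALARM' or 'OK' with a simplified M-of-N rule.

    datapoints holds per-period Sum values, oldest first; None marks a period
    in which the metric was not reported. Under notBreaching, a missing
    datapoint never counts toward DatapointsToAlarm.
    """
    compare = OPERATORS[alarm["ComparisonOperator"]]
    window = datapoints[-alarm["EvaluationPeriods"]:]
    breaching = sum(1 for v in window if v is not None and compare(v, alarm["Threshold"]))
    return "ALARM" if breaching >= alarm["DatapointsToAlarm"] else "OK"


class RecordingClient:
    """Offline stand-in for boto3.client('cloudwatch'); records the calls it receives."""

    def __init__(self) -> None:
        self.calls: List[Dict] = []

    def put_metric_alarm(self, **kwargs) -> Dict:
        self.calls.append(kwargs)
        return {}


def register_alarms(client, alarms: List[Dict] = SECURITY_ALARMS) -> List[str]:
    """Create or update each alarm; client is boto3's or the recording stand-in."""
    for alarm in alarms:
        client.put_metric_alarm(**alarm)
    return [a["AlarmName"] for a in alarms]


# Constructed five-minute series: three minutes with TLS errors above 50,
# one quiet minute that was not reported (None), one normal minute.
SAMPLE_TLS_ERRORS: List[Optional[float]] = [72.0, None, 61.0, 3.0, 88.0]

if __name__ == "__main__":
    print(register_alarms(RecordingClient()))
    print(evaluate(SECURITY_ALARMS[0], SAMPLE_TLS_ERRORS))  # ALARM: 3 of 5 periods breach
```

To push the definitions for real, pass `boto3.client("cloudwatch")` to `register_alarms` in place of `RecordingClient()`. Keep `notBreaching` for ALB count metrics: with `missing` or `breaching` semantics, a load balancer that simply receives no traffic for a few minutes would flap its alarms.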

**Topics**
+ [Application Load Balancer metrics](#load-balancer-metrics-alb)
+ [Metric dimensions for Application Load Balancers](#load-balancer-metric-dimensions-alb)
+ [Statistics for Application Load Balancer metrics](#metric-statistics)
+ [View CloudWatch metrics for your load balancer](#view-metric-data)

## Application Load Balancer metrics
<a name="load-balancer-metrics-alb"></a>
+ [Load balancers](#load-balancer-metric-table)
+ [LCUs](#lcu-metric-table)
+ [Targets](#target-metric-table)
+ [Target group health](#target-group-health-metric-table)
+ [Lambda functions](#lambda-metric-table)
+ [User authentication](#user-authentication-metric-table)
+ [Target Optimizer](#target-optimizer-metric-table)

<a name="load-balancer-metric-table"></a>

The `AWS/ApplicationELB` namespace includes the following metrics for load balancers.


| Metric | Description | 
| --- | --- | 
| ActiveConnectionCount |  The total number of concurrent TCP connections active from clients to the load balancer and from the load balancer to targets. **Reporting criteria**: There is a nonzero value. **Statistics**: The only meaningful statistic is `Sum`. | 
| BYoIPUtilPercentage |  The percentage of usage from the IP pool. **Reporting criteria**: BYoIP is enabled on the load balancer. **Statistics**: The only meaningful statistic is `Average`. | 
| ClientTLSNegotiationErrorCount |  The number of TLS connections initiated by the client that did not establish a session with the load balancer due to a TLS error. Possible causes include a mismatch of ciphers or protocols, or the client failing to verify the server certificate and closing the connection. **Reporting criteria**: There is a nonzero value. **Statistics**: The only meaningful statistic is `Sum`. | 
| DesyncMitigationMode_NonCompliant_Request_Count |  The number of requests that do not comply with RFC 7230. **Reporting criteria**: There is a nonzero value. **Statistics**: The most useful statistic is `Sum`. | 
| DroppedInvalidHeaderRequestCount |  The number of requests where the load balancer removed HTTP headers with header fields that are not valid before routing the request. The load balancer removes these headers only if the `routing.http.drop_invalid_header_fields.enabled` attribute is set to `true`. **Reporting criteria**: There is a nonzero value. **Statistics**: All. | 
| ForwardedInvalidHeaderRequestCount |  The number of requests routed by the load balancer that had HTTP headers with header fields that are not valid. The load balancer forwards requests with these headers only if the `routing.http.drop_invalid_header_fields.enabled` attribute is set to `false`. **Reporting criteria**: Always reported. **Statistics**: All. | 
| GrpcRequestCount |  The number of gRPC requests processed over IPv4 and IPv6. **Reporting criteria**: There is a nonzero value. **Statistics**: The most useful statistic is `Sum`. `Minimum`, `Maximum`, and `Average` all return 1. | 
| HTTP_Fixed_Response_Count |  The number of fixed-response actions that were successful. **Reporting criteria**: There is a nonzero value. **Statistics**: The only meaningful statistic is `Sum`. | 
| HTTP_Redirect_Count |  The number of redirect actions that were successful. **Reporting criteria**: There is a nonzero value. **Statistics**: The only meaningful statistic is `Sum`. | 
| HTTP_Redirect_Url_Limit_Exceeded_Count |  The number of redirect actions that couldn't be completed because the URL in the response location header is larger than 8K. **Reporting criteria**: There is a nonzero value. **Statistics**: The only meaningful statistic is `Sum`. | 
| HTTPCode_ELB_3XX_Count |  The number of HTTP 3XX redirection codes that originate from the load balancer. This count does not include response codes generated by targets. **Reporting criteria**: There is a nonzero value. **Statistics**: The only meaningful statistic is `Sum`. | 
| HTTPCode_ELB_4XX_Count |  The number of HTTP 4XX client error codes that originate from the load balancer. Client errors are generated when requests are malformed or incomplete. These requests were not received by the target, other than in the case where the load balancer returns an [HTTP 460 error code](load-balancer-troubleshooting.md#http-460-issues). This count does not include any response codes generated by the targets. **Reporting criteria**: There is a nonzero value. **Statistics**: The most useful statistic is `Sum`. `Minimum`, `Maximum`, and `Average` all return 1. | 
| HTTPCode_ELB_5XX_Count |  The number of HTTP 5XX server error codes that originate from the load balancer. This count does not include any response codes generated by the targets. **Reporting criteria**: There is a nonzero value. **Statistics**: The most useful statistic is `Sum`. `Minimum`, `Maximum`, and `Average` all return 1. | 
| HTTPCode_ELB_500_Count |  The number of HTTP 500 error codes that originate from the load balancer. **Reporting criteria**: There is a nonzero value. **Statistics**: The only meaningful statistic is `Sum`. | 
| HTTPCode_ELB_502_Count |  The number of HTTP 502 error codes that originate from the load balancer. **Reporting criteria**: There is a nonzero value. **Statistics**: The only meaningful statistic is `Sum`. | 
| HTTPCode_ELB_503_Count |  The number of HTTP 503 error codes that originate from the load balancer. **Reporting criteria**: There is a nonzero value. **Statistics**: The only meaningful statistic is `Sum`. | 
| HTTPCode_ELB_504_Count |  The number of HTTP 504 error codes that originate from the load balancer. **Reporting criteria**: There is a nonzero value. **Statistics**: The only meaningful statistic is `Sum`. | 
| IPv6ProcessedBytes |  The total number of bytes processed by the load balancer over IPv6. This count is included in `ProcessedBytes`. **Reporting criteria**: There is a nonzero value. **Statistics**: The most useful statistic is `Sum`. | 
| IPv6RequestCount |  The number of IPv6 requests received by the load balancer. **Reporting criteria**: There is a nonzero value. **Statistics**: The most useful statistic is `Sum`. `Minimum`, `Maximum`, and `Average` all return 1. | 
| LowReputationPacketsDropped |  The number of packets dropped from known malicious sources. This metric is recorded when a request is blocked by resource-level DDoS protection. **Reporting criteria**: There is a nonzero value. **Statistics**: The only meaningful statistic is `Sum`. | 
| LowReputationRequestsDenied |  The number of HTTP requests denied with an HTTP 403 response. This metric is recorded when a request is blocked by resource-level DDoS protection. **Reporting criteria**: There is a nonzero value. **Statistics**: The only meaningful statistic is `Sum`. | 
| NewConnectionCount |  The total number of new TCP connections established from clients to the load balancer and from the load balancer to targets. **Reporting criteria**: There is a nonzero value. **Statistics**: The most useful statistic is `Sum`. | 
| NonStickyRequestCount |  The number of requests where the load balancer chose a new target because it couldn't use an existing sticky session. For example: the request was the first request from a new client and no stickiness cookie was presented; a stickiness cookie was presented but it did not specify a target that was registered with this target group; the stickiness cookie was malformed or expired; or an internal error prevented the load balancer from reading the stickiness cookie. **Reporting criteria**: Stickiness is enabled on the target group. **Statistics**: The only meaningful statistic is `Sum`. | 
| ProcessedBytes |  The total number of bytes processed by the load balancer over IPv4 and IPv6 (HTTP header and HTTP payload). This count includes traffic to and from clients and Lambda functions, traffic over WebSocket connections, and traffic from an Identity Provider (IdP) if user authentication is enabled. **Reporting criteria**: There is a nonzero value. **Statistics**: The most useful statistic is `Sum`. | 
| RejectedConnectionCount |  The number of connections that were rejected because the load balancer had reached its maximum number of connections. **Reporting criteria**: There is a nonzero value. **Statistics**: The most useful statistic is `Sum`. | 
| RequestCount |  The number of requests processed over IPv4 and IPv6. This metric is only incremented for requests where the load balancer node was able to choose a target. Requests that are rejected before a target is chosen are not reflected in this metric. **Reporting criteria**: Reported if there are registered targets. **Statistics**: The most useful statistic is `Sum`. | 
| RuleEvaluations |  The number of rules evaluated by the load balancer while processing requests. The default rule is not counted. The 10 free rule evaluations per request are included in this count. **Reporting criteria**: There is a nonzero value. **Statistics**: The most useful statistic is `Sum`. | 

<a name="lcu-metric-table"></a>

The `AWS/ApplicationELB` namespace includes the following metrics for load balancer capacity units (LCU).


| Metric | Description | 
| --- | --- | 
| ConsumedLCUs |  The number of load balancer capacity units (LCU) used by your load balancer. You pay for the number of LCUs that you use per hour. When an LCU reservation is active, ConsumedLCUs reports `0` if usage is below the reserved capacity, and reports values above `0` if usage exceeds the reserved LCUs. For more information, see [Elastic Load Balancing pricing](https://aws.amazon.com/elasticloadbalancing/pricing/). **Reporting criteria**: Always reported. **Statistics**: All. | 
| PeakLCUs |  The maximum number of load balancer capacity units (LCU) used by your load balancer at a given point in time. Only applicable when using LCU reservation. **Reporting criteria**: Always reported. **Statistics**: The most useful statistics are `Sum` and `Max`. | 
| ReservedLCUs |  A billing metric that reports the reserved capacity on a per-minute basis. The total ReservedLCUs over any period is the amount of LCUs you will be charged for. For example, if 500 LCUs are reserved for an hour, the per-minute metric will be 8.33 LCUs. For more information, see [Monitor reservation](monitor-capacity-unit-reservation.md). **Reporting criteria**: There is a nonzero value. **Statistics**: All. | 

<a name="target-metric-table"></a>

The `AWS/ApplicationELB` namespace includes the following metrics for targets.


| Metric | Description | 
| --- | --- | 
| AnomalousHostCount |  The number of hosts detected with anomalies. **Reporting criteria**: Always reported. **Statistics**: The only meaningful statistics are `Minimum` and `Maximum`. | 
| HealthyHostCount |  The number of targets that are considered healthy. **Reporting criteria**: Reported if there are registered targets. **Statistics**: The most useful statistics are `Average`, `Minimum`, and `Maximum`. | 
| HTTPCode_Target_2XX_Count, HTTPCode_Target_3XX_Count, HTTPCode_Target_4XX_Count, HTTPCode_Target_5XX_Count |  The number of HTTP response codes generated by the targets. This does not include any response codes generated by the load balancer. **Reporting criteria**: Reported if there are registered targets. **Statistics**: The most useful statistic is `Sum`. `Minimum`, `Maximum`, and `Average` all return 1. | 
| MitigatedHostCount |  The number of targets under mitigation. **Reporting criteria**: Always reported. **Statistics**: The most useful statistics are `Average`, `Minimum`, and `Maximum`. | 
| RequestCountPerTarget |  The average request count per target in a target group. You must specify the target group using the `TargetGroup` dimension. This metric does not apply if the target is a Lambda function. This count uses the total number of requests received by the target group, divided by the number of healthy targets in the target group. If there are no healthy targets in the target group, it is divided by the total number of registered targets. **Reporting criteria**: Always reported. **Statistics**: The only valid statistic is `Sum`. The value it returns is the average, not the sum. | 
| TargetConnectionErrorCount |  The number of connections that were not successfully established between the load balancer and target. This metric does not apply if the target is a Lambda function. This metric is not incremented for unsuccessful health check connections. **Reporting criteria**: There is a nonzero value. **Statistics**: The most useful statistic is `Sum`. | 
| TargetResponseTime |  The time elapsed, in seconds, after the request leaves the load balancer until the target starts to send the response headers. This is equivalent to the `target_processing_time` field in the access logs. **Reporting criteria**: There is a nonzero value. **Statistics**: The most useful statistics are `Average` and `pNN.NN` (percentiles). | 
| TargetTLSNegotiationErrorCount |  The number of TLS connections initiated by the load balancer that did not establish a session with the target. Possible causes include a mismatch of ciphers or protocols. This metric does not apply if the target is a Lambda function. **Reporting criteria**: There is a nonzero value. **Statistics**: The most useful statistic is `Sum`. | 
| UnHealthyHostCount |  The number of targets that are considered unhealthy. When you deregister a target, this decreases `HealthyHostCount` but does not increase `UnHealthyHostCount`. **Reporting criteria**: Reported if there are registered targets. **Statistics**: The most useful statistics are `Average`, `Minimum`, and `Maximum`. | 
| ZonalShiftedHostCount |  The number of targets that are considered disabled due to zonal shift. **Reporting criteria**: Reported when there is a value. **Statistics**: The most useful statistic is `Sum`. | 

<a name="target-group-health-metric-table"></a>
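The `RequestCountPerTarget` derivation from the targets table above, worked through as an added example that is not AWS documentation code: total requests for the target group divided by the healthy target count, falling back to the registered count when no target is healthy. It also shows the operational reading of the metric: a jump in per-target load while `RequestCount` stays flat means healthy capacity shrank (targets failing health checks), not that traffic grew. Target counts, request totals and the per-target limit are constructed sample values; the `None` result for an empty target group is this example's own convention, not something the page states.

```python
"""Derive RequestCountPerTarget per 60-second period and flag capacity loss.

Added example, not AWS code. All sample values are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PeriodSample:
    """One 60-second period for a target group (constructed values)."""
    minute: int
    requests: int           # RequestCount, Sum statistic for the period
    healthy_targets: int    # HealthyHostCount at that time
    registered_targets: int  # all registered targets, healthy or not


def request_count_per_target(requests: int, healthy: int, registered: int) -> Optional[float]:
    """Total requests divided by healthy targets; if none is healthy, divide by
    all registered targets instead. Returns None when nothing is registered
    (assumption: the page does not define the metric for an empty group)."""
    if registered <= 0:
        return None
    if healthy < 0 or healthy > registered:
        raise ValueError("healthy count must be between 0 and registered")
    divisor = healthy if healthy > 0 else registered
    return requests / divisor


def per_target_series(samples: List[PeriodSample]) -> List[Optional[float]]:
    """RequestCountPerTarget for each period, in order."""
    return [request_count_per_target(s.requests, s.healthy_targets, s.registered_targets)
            for s in samples]


def capacity_loss_periods(samples: List[PeriodSample], per_target_limit: float) -> List[int]:
    """Minutes where per-target load exceeds the limit although total traffic
    did not grow versus the previous minute: the healthy pool shrank."""
    flagged: List[int] = []
    for prev, cur in zip(samples, samples[1:]):
        per_target = request_count_per_target(cur.requests, cur.healthy_targets,
                                              cur.registered_targets)
        if per_target is not None and per_target > per_target_limit \
                and cur.requests <= prev.requests:
            flagged.append(cur.minute)
    return flagged


# Constructed four-minute series for one target group with 4 registered targets.
SAMPLES = [
    PeriodSample(1, 900, 3, 4),   # 3 healthy: 300 requests per target
    PeriodSample(2, 900, 1, 4),   # two targets failed health checks: 900 per target
    PeriodSample(3, 880, 0, 4),   # no healthy targets: divisor falls back to 4 -> 220
    PeriodSample(4, 1800, 3, 4),  # genuine traffic growth: 600 per target, not flagged
]

if __name__ == "__main__":
    print(per_target_series(SAMPLES))          # [300.0, 900.0, 220.0, 600.0]
    print(capacity_loss_periods(SAMPLES, 500))  # [2]
```

Minute 3 illustrates why the fallback divisor matters when reading dashboards: with zero healthy targets the value drops to 220 even though the group is in its worst state, so alarm on `HealthyHostCount` alongside `RequestCountPerTarget` rather than on the per-target figure alone.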

The `AWS/ApplicationELB` namespace includes the following metrics for target group health. For more information, see [Target group health](load-balancer-target-groups.md#target-group-health).


| Metric | Description | 
| --- | --- | 
| HealthyStateDNS |  The number of zones that meet the DNS healthy state requirements. **Statistics**: The most useful statistic is `Max`. | 
| HealthyStateRouting |  The number of zones that meet the routing healthy state requirements. **Statistics**: The most useful statistic is `Max`. | 
| UnhealthyRoutingRequestCount |  The number of requests that are routed using the routing failover action (fail open). **Statistics**: The most useful statistic is `Sum`. | 
| UnhealthyStateDNS |  The number of zones that do not meet the DNS healthy state requirements and therefore were marked unhealthy in DNS. **Statistics**: The most useful statistic is `Min`. | 
| UnhealthyStateRouting |  The number of zones that do not meet the routing healthy state requirements, and therefore the load balancer distributes traffic to all targets in the zone, including the unhealthy targets. **Statistics**: The most useful statistic is `Min`. | 

<a name="lambda-metric-table"></a>

The `AWS/ApplicationELB` namespace includes the following metrics for Lambda functions that are registered as targets.


| Metric | Description | 
| --- | --- | 
| LambdaInternalError |  The number of requests to a Lambda function that failed because of an issue internal to the load balancer or AWS Lambda. To get the error reason codes, check the `error_reason` field of the access log. **Reporting criteria**: There is a nonzero value. **Statistics**: The only meaningful statistic is `Sum`. | 
| LambdaTargetProcessedBytes |  The total number of bytes processed by the load balancer for requests to and responses from a Lambda function. **Reporting criteria**: There is a nonzero value. **Statistics**: The only meaningful statistic is `Sum`. | 
| LambdaUserError |  The number of requests to a Lambda function that failed because of an issue with the Lambda function. For example, the load balancer did not have permission to invoke the function, the load balancer received JSON from the function that is malformed or missing required fields, or the size of the request body or response exceeded the maximum size of 1 MB. To get the error reason codes, check the `error_reason` field of the access log. **Reporting criteria**: There is a nonzero value. **Statistics**: The only meaningful statistic is `Sum`. | 

<a name="user-authentication-metric-table"></a>

The `AWS/ApplicationELB` namespace includes the following metrics for user authentication.


| Metric | Description | 
| --- | --- | 
| ELBAuthError |  The number of user authentications that could not be completed because an authenticate action was misconfigured, the load balancer couldn't establish a connection with the IdP, or the load balancer couldn't complete the authentication flow due to an internal error. To get the error reason codes, check the `error_reason` field of the access log. **Reporting criteria**: There is a nonzero value. **Statistics**: The only meaningful statistic is `Sum`. | 
| ELBAuthFailure |  The number of user authentications that could not be completed because the IdP denied access to the user or an authorization code was used more than once. To get the error reason codes, check the `error_reason` field of the access log. **Reporting criteria**: There is a nonzero value. **Statistics**: The only meaningful statistic is `Sum`. | 
| ELBAuthLatency |  The time elapsed, in milliseconds, to query the IdP for the ID token and user info. If one or more of these operations fail, this is the time to failure. **Reporting criteria**: There is a nonzero value. **Statistics**: All statistics are meaningful. | 
| ELBAuthRefreshTokenSuccess |  The number of times the load balancer successfully refreshed user claims using a refresh token provided by the IdP. **Reporting criteria**: There is a nonzero value. **Statistics**: The only meaningful statistic is `Sum`. | 
| ELBAuthSuccess |  The number of authenticate actions that were successful. This metric is incremented at the end of the authentication workflow, after the load balancer has retrieved the user claims from the IdP. **Reporting criteria**: There is a nonzero value. **Statistics**: The most useful statistic is `Sum`. | 
| ELBAuthUserClaimsSizeExceeded |  The number of times that a configured IdP returned user claims that exceeded 11K bytes in size. **Reporting criteria**: There is a nonzero value. **Statistics**: The only meaningful statistic is `Sum`. | 

<a name="target-optimizer-metric-table"></a>

The `AWS/ApplicationELB` namespace includes the following metrics for target optimizer.


| Metric | Description | 
| --- | --- | 
| TargetControlRequestCount |  The number of requests forwarded by the ALB to agents. **Reporting criteria**: Target optimizer is enabled on a target group and there is a nonzero value. **Statistics**: The only meaningful statistic is `Sum`. | 
| TargetControlRequestRejectCount |  The number of requests rejected by the ALB because no targets were ready to receive requests. This metric shows an uptick when TargetControlWorkQueueLength is zero. **Reporting criteria**: Target optimizer is enabled on a target group and there is a nonzero value. **Statistics**: The only meaningful statistic is `Sum`. | 
| TargetControlActiveChannelCount |  The number of active control channels between the ALB and agents. For a load balancer, this should be equal to the number of agents. A lower than expected number indicates that agents are not configured properly or are not available. **Reporting criteria**: Target optimizer is enabled on a target group and there is a nonzero value. **Statistics**: The only meaningful statistic is `Sum`. | 
| TargetControlNewChannelCount |  The number of new control channels created between the ALB and agents. You will see an uptick in this metric when a new target with the agent installed is successfully added to the target group. **Reporting criteria**: Target optimizer is enabled on a target group and there is a nonzero value. **Statistics**: The only meaningful statistic is `Sum`. | 
| TargetControlChannelErrorCount |  The number of control channels between the ALB and agents that failed to establish or experienced an unexpected error. A control channel error results in that agent (and target) not receiving any application traffic. **Reporting criteria**: Target optimizer is enabled on a target group and there is a nonzero value. **Statistics**: The only meaningful statistic is `Sum`. | 
| TargetControlWorkQueueLength |  Number of signals received by the ALB from agents asking for requests.  This data comes from snapshots taken at 1-minute intervals. Sub-minute changes are not captured.  **Reporting criteria**: Target optimizer is enabled on a target group and there is a nonzero value. **Statistics**: The only meaningful statistic is `Sum`. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-cloudwatch-metrics.html)  | 
| TargetControlProcessedBytes |  Number of bytes processed by ALB for traffic to target groups that enable target optimizer. **Reporting criteria**: Target optimizer is enabled on a target group and there is a nonzero value. **Statistics**: The most meaningful statistic is `Sum`. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-cloudwatch-metrics.html)  | 

## Metric dimensions for Application Load Balancers
<a name="load-balancer-metric-dimensions-alb"></a>

To filter the metrics for your Application Load Balancer, use the following dimensions.


| Dimension | Description | 
| --- | --- | 
| AvailabilityZone |  Filters the metric data by Availability Zone.  | 
| LoadBalancer |  Filters the metric data by load balancer. Specify the load balancer as follows: app/*load-balancer-name*/*1234567890123456* (the final portion of the load balancer ARN).  | 
| TargetGroup |  Filters the metric data by target group. Specify the target group as follows: targetgroup/*target-group-name*/*1234567890123456* (the final portion of the target group ARN).  | 

## Statistics for Application Load Balancer metrics
<a name="metric-statistics"></a>

CloudWatch provides statistics based on the metric data points published by Elastic Load Balancing. Statistics are aggregations of metric data over a specified period of time. When you request statistics, the returned data stream is identified by the metric name and dimension. A dimension is a name-value pair that uniquely identifies a metric. For example, you can request statistics for all the healthy EC2 instances behind a load balancer launched in a specific Availability Zone.

The `Minimum` and `Maximum` statistics reflect the minimum and maximum values of the data points reported by the individual load balancer nodes in each sampling window. For example, suppose there are 2 load balancer nodes that make up the Application Load Balancer. One node has `HealthyHostCount` with a `Minimum` of 2, a `Maximum` of 10, and an `Average` of 6, while the other node has `HealthyHostCount` with a `Minimum` of 1, a `Maximum` of 5, and an `Average` of 3. Therefore, the load balancer has a `Minimum` of 1, a `Maximum` of 10, and an `Average` of about 4.

We recommend that you monitor the `Minimum` statistic of `UnHealthyHostCount` for non-zero values, and alarm when the value is non-zero for more than one data point. Using `Minimum` detects targets that every node and Availability Zone of your load balancer considers unhealthy. Alarming on `Average` or `Maximum` is useful if you want to be alerted to potential problems, and we recommend that you review this metric and investigate non-zero occurrences. To mitigate failures automatically, follow the best practice of using load balancer health checks with Amazon EC2 Auto Scaling or Amazon Elastic Container Service (Amazon ECS).

The `Sum` statistic is the aggregate value across all load balancer nodes. Because metrics include multiple reports per period, `Sum` is only applicable to metrics that are aggregated across all load balancer nodes.

The `SampleCount` statistic is the number of samples measured. Because metrics are gathered based on sampling intervals and events, this statistic is typically not useful. For example, with `HealthyHostCount`, `SampleCount` is based on the number of samples that each load balancer node reports, not the number of healthy hosts.
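The following Python is an added illustration of the statistics described above; it is not code from this guide or from AWS. It reproduces how per-node samples collapse into `Minimum`, `Maximum`, `Average`, `Sum` and `SampleCount` for one period, then evaluates an "M out of N" alarm on `UnHealthyHostCount` using `Minimum` and `Maximum` side by side, to show why `Minimum` only fires once every node agrees. The node samples are constructed, and the assumption that `Average` weights every sample equally is mine (the page does not state CloudWatch's weighting).

```python
# Constructed samples: two load balancer nodes each report several HealthyHostCount
# values within one period (the node figures used in the text above).
HEALTHY_SAMPLES = {"node-1": [2, 10, 6], "node-2": [1, 5, 3]}


def aggregate(node_samples):
    """Combine the samples every node reported in one period into CloudWatch statistics.

    Minimum and Maximum are taken across all nodes' samples; Average treats each
    sample equally (an assumption, not stated on the page); Sum adds every sample
    and SampleCount counts them, which is why SampleCount is not a host count.
    """
    samples = [s for reported in node_samples.values() for s in reported]
    return {
        "Minimum": min(samples),
        "Maximum": max(samples),
        "Average": sum(samples) / len(samples),
        "Sum": sum(samples),
        "SampleCount": len(samples),
    }


def alarm_state(series, threshold, evaluation_periods, datapoints_to_alarm):
    """'M out of N' evaluation: ALARM when at least datapoints_to_alarm of the last
    evaluation_periods values are above threshold, otherwise OK."""
    window = series[-evaluation_periods:]
    breaching = sum(1 for value in window if value > threshold)
    return "ALARM" if breaching >= datapoints_to_alarm else "OK"


# Constructed UnHealthyHostCount samples for three consecutive periods. In the first
# two periods only node-a sees the target as unhealthy (a node-local view); in the
# third period both nodes agree.
UNHEALTHY_PERIODS = [
    {"node-a": [1, 1], "node-b": [0, 0]},
    {"node-a": [1, 1], "node-b": [0, 0]},
    {"node-a": [1, 1], "node-b": [1, 1]},
]


def unhealthy_host_alarms(periods, evaluation_periods=3, datapoints_to_alarm=2):
    """Evaluate 'UnHealthyHostCount > 0 for 2 of 3 periods' on Minimum and on Maximum."""
    return {
        stat: alarm_state([aggregate(p)[stat] for p in periods], 0,
                          evaluation_periods, datapoints_to_alarm)
        for stat in ("Minimum", "Maximum")
    }


if __name__ == "__main__":
    print(aggregate(HEALTHY_SAMPLES))
    # Maximum alarms on the node-local view; Minimum stays OK until every node agrees.
    print(unhealthy_host_alarms(UNHEALTHY_PERIODS))
```

The same "2 of 3 periods, `Minimum` greater than 0" condition maps directly onto the AWS CLI flags `--statistic Minimum --threshold 0 --comparison-operator GreaterThanThreshold --evaluation-periods 3 --datapoints-to-alarm 2` of `aws cloudwatch put-metric-alarm`, with the `LoadBalancer` and `TargetGroup` dimensions from the table above.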

A percentile indicates the relative standing of a value in a data set. You can specify any percentile, using up to two decimal places (for example, p95.45). For example, the 95th percentile means that 95 percent of the data is below this value and 5 percent is above. Percentiles are often used to isolate anomalies. For example, suppose that an application serves the majority of requests from a cache in 1-2 ms, but in 100-200 ms if the cache is empty. The maximum reflects the slowest case, around 200 ms. The average doesn't indicate the distribution of the data. Percentiles provide a more meaningful view of the application's performance. By using the 99th percentile as an Auto Scaling trigger or a CloudWatch alarm, you can target that no more than 1 percent of requests take longer than 2 ms to process.

## View CloudWatch metrics for your load balancer
<a name="view-metric-data"></a>

You can view the CloudWatch metrics for your load balancers using the Amazon EC2 console. These metrics are displayed as monitoring graphs. The monitoring graphs show data points if the load balancer is active and receiving requests.

Alternatively, you can view metrics for your load balancer using the CloudWatch console.

**To view metrics using the console**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. To view metrics filtered by target group, do the following:

   1. In the navigation pane, choose **Target Groups**.

   1. Select your target group, and then choose the **Monitoring** tab.

   1. (Optional) To filter the results by time, select a time range from **Showing data for**.

   1. To get a larger view of a single metric, select its graph.

1. To view metrics filtered by load balancer, do the following:

   1. In the navigation pane, choose **Load Balancers**.

   1. Select your load balancer, and then choose the **Monitoring** tab.

   1. (Optional) To filter the results by time, select a time range from **Showing data for**.

   1. To get a larger view of a single metric, select its graph.

**To view metrics using the CloudWatch console**

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the navigation pane, choose **Metrics**.

1. Select the **ApplicationELB** namespace.

1. (Optional) To view a metric across all dimensions, enter its name in the search field.

1. (Optional) To filter by dimension, select one of the following:
   + To display only the metrics reported for your load balancers, choose **Per AppELB Metrics**. To view the metrics for a single load balancer, enter its name in the search field.
   + To display only the metrics reported for your target groups, choose **Per AppELB, per TG Metrics**. To view the metrics for a single target group, enter its name in the search field.
   + To display only the metrics reported for your load balancers by Availability Zone, choose **Per AppELB, per AZ Metrics**. To view the metrics for a single load balancer, enter its name in the search field. To view the metrics for a single Availability Zone, enter its name in the search field.
   + To display only the metrics reported for your load balancers by Availability Zone and target group, choose **Per AppELB, per AZ, per TG Metrics**. To view the metrics for a single load balancer, enter its name in the search field. To view the metrics for a single target group, enter its name in the search field. To view the metrics for a single Availability Zone, enter its name in the search field.

**To view metrics using the AWS CLI**  
Use the following [list-metrics](https://docs.aws.amazon.com/cli/latest/reference/cloudwatch/list-metrics.html) command to list the available metrics:

```
aws cloudwatch list-metrics --namespace AWS/ApplicationELB
```

**To get the statistics for a metric using the AWS CLI**  
Use the following [get-metric-statistics](https://docs.aws.amazon.com/cli/latest/reference/cloudwatch/get-metric-statistics.html) command to get statistics for the specified metric and dimensions. CloudWatch treats each unique combination of dimensions as a separate metric. You can't retrieve statistics for combinations of dimensions that were not published; you must specify the same dimensions that were used when the metrics were created.

```
aws cloudwatch get-metric-statistics --namespace AWS/ApplicationELB \
--metric-name UnHealthyHostCount --statistics Average  --period 3600 \
--dimensions Name=LoadBalancer,Value=app/my-load-balancer/50dc6c495c0c9188 \
Name=TargetGroup,Value=targetgroup/my-targets/73e2d6bc24d8a067 \
--start-time 2016-04-18T00:00:00Z --end-time 2016-04-21T00:00:00Z
```

The following is example output:

```
{
    "Datapoints": [
        {
            "Timestamp": "2016-04-18T22:00:00Z",
            "Average": 0.0,
            "Unit": "Count"
        },
        {
            "Timestamp": "2016-04-18T04:00:00Z",
            "Average": 0.0,
            "Unit": "Count"
        },
        ...
    ],
    "Label": "UnHealthyHostCount"
}
```

# Access logs for your Application Load Balancer
<a name="load-balancer-access-logs"></a>

Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and troubleshoot issues.

Access logging is an optional feature of Elastic Load Balancing that is disabled by default. After you enable access logs for your load balancer, Elastic Load Balancing captures the logs and stores them as compressed files in the Amazon S3 bucket that you specify. You can disable access logs at any time.

You are charged storage costs for Amazon S3, but not charged for the bandwidth used by Elastic Load Balancing to send log files to Amazon S3. For more information about storage costs, see [Amazon S3 pricing](https://aws.amazon.com/s3/pricing/).

**Topics**
+ [Access log files](#access-log-file-format)
+ [Access log entries](#access-log-entry-format)
+ [Example log entries](#access-log-entry-examples)
+ [Configure log delivery notifications](#access-log-event-notifications)
+ [Processing access log files](#log-processing-tools)
+ [Enable access logs](enable-access-logging.md)
+ [Disable access logs](disable-access-logging.md)

## Access log files
<a name="access-log-file-format"></a>

Elastic Load Balancing publishes a log file for each load balancer node every 5 minutes. Log delivery is eventually consistent. The load balancer can deliver multiple logs for the same period. This usually happens if the site has high traffic.

The file names of the access logs use the following format:

```
bucket[/prefix]/AWSLogs/aws-account-id/elasticloadbalancing/region/yyyy/mm/dd/aws-account-id_elasticloadbalancing_region_app.load-balancer-id_end-time_ip-address_random-string.log.gz
```

*bucket*  
The name of the S3 bucket.

*prefix*  
(Optional) The prefix (logical hierarchy) for the bucket. The prefix that you specify must not include the string `AWSLogs`. For more information, see [Organizing objects using prefixes](https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-prefixes.html).

`AWSLogs`  
We add the portion of the file name starting with `AWSLogs` after the bucket name and optional prefix that you specify.

*aws-account-id*  
The AWS account ID of the owner.

*region*  
The Region for your load balancer and S3 bucket.

*yyyy*/*mm*/*dd*  
The date that the log was delivered.

*load-balancer-id*  
The resource ID of the load balancer. If the resource ID contains any forward slashes (/), they are replaced with periods (.).

*end-time*  
The date and time that the logging interval ended. For example, an end time of 20140215T2340Z contains entries for requests made between 23:35 and 23:40 in UTC or Zulu time.

*ip-address*  
The IP address of the load balancer node that handled the request. For an internal load balancer, this is a private IP address.

*random-string*  
A system-generated random string.

The following is an example log file name with a prefix:

```
s3://amzn-s3-demo-logging-bucket/logging-prefix/AWSLogs/123456789012/elasticloadbalancing/us-east-2/2022/05/01/123456789012_elasticloadbalancing_us-east-2_app.my-loadbalancer.1234567890abcdef_20220215T2340Z_172.160.001.192_20sg8hgm.log.gz
```

The following is an example log file name without a prefix:

```
s3://amzn-s3-demo-logging-bucket/AWSLogs/123456789012/elasticloadbalancing/us-east-2/2022/05/01/123456789012_elasticloadbalancing_us-east-2_app.my-loadbalancer.1234567890abcdef_20220215T2340Z_172.160.001.192_20sg8hgm.log.gz
```

You can store your log files in your bucket for as long as you want, but you can also define Amazon S3 lifecycle rules to archive or delete log files automatically. For more information, see [Object lifecycle management](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html) in the *Amazon S3 User Guide*.
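As an added example (not code from this guide or from AWS), the following Python breaks an access log object key into the components documented above and then applies an admission check before ingestion: the account ID, Region and load balancer ID in the key must match what the pipeline expects, so an object that someone else wrote into a shared bucket or prefix is not processed as your logs. The 5-minute interval width comes from the delivery cadence stated above; the helper names, the `_KEY_RE`/`_FILE_RE` patterns and the admission policy are my own. The sample key is the one shown in this section.

```python
import re
from datetime import date, datetime, timedelta, timezone

# Object key layout from the section above:
#   [prefix/]AWSLogs/<account-id>/elasticloadbalancing/<region>/<yyyy>/<mm>/<dd>/<file>
# <file> is:
#   <account-id>_elasticloadbalancing_<region>_app.<load-balancer-id>_<end-time>_<ip-address>_<random-string>.log.gz
# The prefix may not contain "AWSLogs", so the first "/AWSLogs/" is an unambiguous split point.
_KEY_RE = re.compile(
    r"^(?:(?P<prefix>.+?)/)?AWSLogs/(?P<account_id>\d{12})/elasticloadbalancing/"
    r"(?P<region>[a-z0-9-]+)/(?P<yyyy>\d{4})/(?P<mm>\d{2})/(?P<dd>\d{2})/(?P<file>[^/]+)$"
)
# Load balancer names cannot contain underscores, so the ID runs up to the next "_".
_FILE_RE = re.compile(
    r"^(?P<account_id>\d{12})_elasticloadbalancing_(?P<region>[a-z0-9-]+)_"
    r"app\.(?P<lb_id>[^_]+)_(?P<end_time>\d{8}T\d{4}Z)_(?P<node_ip>[0-9.]+)_"
    r"(?P<random_string>[A-Za-z0-9]+)\.log\.gz$"
)
LOG_INTERVAL = timedelta(minutes=5)  # one file per node every 5 minutes


def parse_access_log_key(uri_or_key):
    """Break an access log key (or an s3:// URI) into its documented components.

    Raises ValueError when the key does not follow the layout, or when the path and
    the file name disagree on account ID or Region, which never happens for a file
    that Elastic Load Balancing delivered.
    """
    bucket, key = None, uri_or_key
    if key.startswith("s3://"):
        bucket, _, key = key[len("s3://"):].partition("/")
    m = _KEY_RE.match(key)
    if not m:
        raise ValueError(f"not an ALB access log key: {key}")
    f = _FILE_RE.match(m["file"])
    if not f:
        raise ValueError(f"unexpected access log file name: {m['file']}")
    if (f["account_id"], f["region"]) != (m["account_id"], m["region"]):
        raise ValueError("path and file name disagree on account ID or Region")
    end = datetime.strptime(f["end_time"], "%Y%m%dT%H%MZ").replace(tzinfo=timezone.utc)
    return {
        "bucket": bucket,
        "prefix": m["prefix"],
        "account_id": m["account_id"],
        "region": m["region"],
        "delivery_date": date(int(m["yyyy"]), int(m["mm"]), int(m["dd"])),
        "load_balancer_id": f["lb_id"],
        "interval_start": end - LOG_INTERVAL,   # entries cover (end - 5 min, end]
        "interval_end": end,
        "node_ip": f["node_ip"],
        "random_string": f["random_string"],
    }


def is_expected_source(info, account_id, region, load_balancer_ids):
    """Admission check before ingesting an object: it must come from the account,
    Region and load balancers this pipeline is meant to read."""
    return (info["account_id"] == account_id and info["region"] == region
            and info["load_balancer_id"] in load_balancer_ids)


# The example key from this section.
EXAMPLE_KEY = (
    "s3://amzn-s3-demo-logging-bucket/logging-prefix/AWSLogs/123456789012/elasticloadbalancing/"
    "us-east-2/2022/05/01/123456789012_elasticloadbalancing_us-east-2_app.my-loadbalancer."
    "1234567890abcdef_20220215T2340Z_172.160.001.192_20sg8hgm.log.gz"
)

if __name__ == "__main__":
    info = parse_access_log_key(EXAMPLE_KEY)
    print(info)
    print(is_expected_source(info, "123456789012", "us-east-2", {"my-loadbalancer.1234567890abcdef"}))
```

Run the check on every `s3:ObjectCreated` notification (or on each key returned by a bucket listing) and drop, rather than parse, anything that fails it; the log bucket's policy already restricts who can write under `AWSLogs/`, and this check is the consumer-side half of that control.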

## Access log entries
<a name="access-log-entry-format"></a>

Elastic Load Balancing logs requests sent to the load balancer, including requests that never made it to the targets. For example, if a client sends a malformed request, or there are no healthy targets to respond to the request, the request is still logged.

Each log entry contains the details of a single request (or connection in the case of WebSockets) made to the load balancer. For WebSockets, an entry is written only after the connection is closed. If the upgraded connection can't be established, the entry is the same as for an HTTP or HTTPS request.

**Important**  
Elastic Load Balancing logs requests on a best-effort basis. We recommend that you use access logs to understand the nature of the requests, not as a complete accounting of all requests.

**Topics**
+ [Syntax](#access-log-entry-syntax)
+ [Actions taken](#actions-taken)
+ [Classification reasons](#classification-reasons)
+ [Error reason codes](#error-reason-codes)
+ [Transform status codes](#transform-status-codes)

### Syntax
<a name="access-log-entry-syntax"></a>

The following table describes the fields of an access log entry, in order. All fields are delimited by spaces. When we add a new field, we add it to the end of the log entry. As we prepare to release a new field, you might see an additional trailing "-" before the field is released. Ensure that you configure log parsing to stop after the last documented field, and update log parsing after we release a new field.


| Field (position) | Description | 
| --- | --- | 
|  type (1)  |  The type of request or connection. The possible values are as follows (ignore any other values): [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html)  | 
|  time (2)  |  The time when the load balancer generated a response to the client, in ISO 8601 format. For WebSockets, this is the time when the connection is closed.  | 
|  elb (3)  |  The resource ID of the load balancer. If you are parsing access log entries, note that resource IDs can contain forward slashes (/).  | 
|  client:port (4)  |  The IP address and port of the requesting client. If there is a proxy in front of the load balancer, this field contains the IP address of the proxy.  | 
|  target:port (5)  |  The IP address and port of the target that processed this request. If the client didn't send a full request, the load balancer can't dispatch the request to a target, and this value is set to -. If the target is a Lambda function, this value is set to -. If the request is blocked by AWS WAF, this value is set to -.  | 
|  request\_processing\_time (6)  |  The total time elapsed (in seconds, with millisecond precision) from the time the load balancer received the request until the time it sent the request to a target. This value is set to -1 if the load balancer can't dispatch the request to a target. This can happen if the target closes the connection before the idle timeout or if the client sends a malformed request. This value can also be set to -1 if a TCP connection cannot be established with the target before reaching the 10-second TCP connection timeout. If AWS WAF is enabled for your Application Load Balancer or the target type is a Lambda function, the time it takes for the client to send the required data for POST requests is counted towards `request_processing_time`.  | 
|  target\_processing\_time (7)  |  The total time elapsed (in seconds, with millisecond precision) from the time the load balancer sent the request to a target until the target started to send the response headers. This value is set to -1 if the load balancer can't dispatch the request to a target. This can happen if the target closes the connection before the idle timeout or if the client sends a malformed request. This value can also be set to -1 if the registered target does not respond before the idle timeout. If AWS WAF is not enabled for your Application Load Balancer, the time it takes for the client to send the required data for POST requests is counted towards `target_processing_time`.  | 
|  response\_processing\_time (8)  |  The total time elapsed (in seconds, with millisecond precision) from the time the load balancer received the response header from the target until it started to send the response to the client. This includes both the queuing time at the load balancer and the connection acquisition time from the load balancer to the client. This value is set to -1 if the load balancer doesn't receive a response from a target. This can happen if the target closes the connection before the idle timeout or if the client sends a malformed request.  | 
|  elb\_status\_code (9)  |  The status code of the response generated by the load balancer, fixed response rule, or AWS WAF custom response code for Block actions.  | 
|  target\_status\_code (10)  |  The status code of the response from the target. This value is recorded only if a connection was established to the target and the target sent a response. Otherwise, it is set to -.  | 
|  received\_bytes (11)  |  The size of the request, in bytes, received from the client (requester). For HTTP requests, this includes the headers. For WebSockets, this is the total number of bytes received from the client on the connection.  | 
|  sent\_bytes (12)  |  The size of the response, in bytes, sent to the client (requester). For HTTP requests, this includes the response headers and body. For WebSockets, this is the total number of bytes sent to the client on the connection. The TCP headers and TLS handshake payload are not included in `sent_bytes`. Therefore `sent_bytes` won't match `DataTransfer-Out-Bytes` in AWS Cost Explorer.  | 
|  "request\_line" (13)  |  The request line from the client, enclosed in double quotes and logged using the following format: HTTP method + protocol://host:port/uri + HTTP version. The load balancer preserves the URL sent by the client, as is, when recording the request URI. It does not set the content type for the access log file. When you process this field, consider how the client sent the URL.  | 
|  "user\_agent" (14)  |  A User-Agent string that identifies the client that originated the request, enclosed in double quotes. The string consists of one or more product identifiers, product[/version]. If the string is longer than 8 KB, it is truncated.  | 
|  ssl\_cipher (15)  |  [HTTPS listener] The SSL cipher. This value is set to - if the listener is not an HTTPS listener.  | 
|  ssl\_protocol (16)  |  [HTTPS listener] The SSL protocol. This value is set to - if the listener is not an HTTPS listener.  | 
|  target\_group\_arn (17)  |  The Amazon Resource Name (ARN) of the target group.  | 
|  "trace\_id" (18)  |  The contents of the **X-Amzn-Trace-Id** header, enclosed in double quotes.  | 
|  "domain\_name" (19)  |  [HTTPS listener] The SNI domain provided by the client during the TLS handshake, enclosed in double quotes. This value is set to - if the client doesn't support SNI or the domain doesn't match a certificate and the default certificate is presented to the client.  | 
|  "chosen\_cert\_arn" (20)  |  [HTTPS listener] The ARN of the certificate presented to the client, enclosed in double quotes. This value is set to `session-reused` if the session is reused. This value is set to - if the listener is not an HTTPS listener.  | 
|  matched\_rule\_priority (21)  |  The priority value of the rule that matched the request. If a rule matched, this is a value from 1 to 50,000. If no rule matched and the default action was taken, this value is set to 0. If an error occurs during rules evaluation, it is set to -1. For any other error, it is set to -.  | 
|  request\_creation\_time (22)  |  The time when the load balancer received the request from the client, in ISO 8601 format.  | 
|  "actions\_executed" (23)  |  The actions taken when processing the request, enclosed in double quotes. This value is a comma-separated list that can include the values described in [Actions taken](#actions-taken). If no action was taken, such as for a malformed request, this value is set to -.  | 
|  "redirect\_url" (24)  |  The URL of the redirect target for the location header of the HTTP response, enclosed in double quotes. If no redirect actions were taken, this value is set to -.  | 
|  "error\_reason" (25)  |  The error reason code, enclosed in double quotes. If the request failed, this is one of the error codes described in [Error reason codes](#error-reason-codes). If the actions taken do not include an authenticate action or the target is not a Lambda function, this value is set to -.  | 
|  "target:port\_list" (26)  |  A space-delimited list of IP addresses and ports for the targets that processed this request, enclosed in double quotes. Currently, this list can contain one item and it matches the target:port field. If the client didn't send a full request, the load balancer can't dispatch the request to a target, and this value is set to -. If the target is a Lambda function, this value is set to -. If the request is blocked by AWS WAF, this value is set to -.  | 
|  "target\_status\_code\_list" (27)  |  A space-delimited list of status codes from the responses of the targets, enclosed in double quotes. Currently, this list can contain one item and it matches the target\_status\_code field. This value is recorded only if a connection was established to the target and the target sent a response. Otherwise, it is set to -.  | 
|  "classification" (28)  |  The classification for desync mitigation, enclosed in double quotes. If the request does not comply with RFC 7230, the possible values are Acceptable, Ambiguous, and Severe. If the request complies with RFC 7230, this value is set to -.  | 
|  "classification\_reason" (29)  |  The classification reason code, enclosed in double quotes. If the request does not comply with RFC 7230, this is one of the classification codes described in [Classification reasons](#classification-reasons). If the request complies with RFC 7230, this value is set to -.  | 
|  conn\_trace\_id (30)  |  The connection traceability ID is a **unique opaque ID** used to identify each connection. After a connection is established with a client, subsequent requests from this client will contain this ID in their respective access log entries. This ID acts as a foreign key to create a link between the connection and access logs.  | 
|  "transformed\_host" (31)  |  The host header after it is modified by a host header rewrite transform. If any of the following are true, this value is set to -. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html)  | 
|  "transformed\_uri" (32)  |  The URI after it is modified by a URL rewrite transform. If any of the following are true, this value is set to -. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html)  | 
|  "request\_transform\_status" (33)  |  The status of the rewrite transform. If no rewrite transform was applied, this value is set to -. Otherwise, this value is one of the status values described in [Transform status codes](#transform-status-codes).  | 

### Actions taken
<a name="actions-taken"></a>

The load balancer stores the actions that it takes in the actions\_executed field of the access log.
+ `authenticate` — The load balancer validated the session, authenticated the user, and added the user information to the request headers, as specified by the rule configuration.
+ `fixed-response` — The load balancer issued a fixed response, as specified by the rule configuration.
+ `forward` — The load balancer forwarded the request to a target, as specified by the rule configuration.
+ `redirect` — The load balancer redirected the request to another URL, as specified by the rule configuration.
+ `rewrite` — The load balancer rewrote the request URL, as specified by the rule configuration.
+ `waf` — The load balancer forwarded the request to AWS WAF to determine whether the request should be forwarded to the target. If this is the final action, AWS WAF determined that the request should be rejected. By default, requests rejected by AWS WAF will be logged as "403" in the `elb_status_code` field. When AWS WAF is configured to reject requests with a Custom Response Code, the `elb_status_code` field will reflect the configured response code.
+ `waf-failed` — The load balancer attempted to forward the request to AWS WAF, but this process failed.

### Classification reasons
<a name="classification-reasons"></a>

If a request does not comply with RFC 7230, the load balancer stores one of the following codes in the classification\_reason field of the access log. For more information, see [Desync mitigation mode](edit-load-balancer-attributes.md#desync-mitigation-mode).


| Code | Description | Classification | 
| --- | --- | --- | 
|  `AmbiguousUri`  |  The request URI contains control characters.  |  Ambiguous  | 
|  `BadContentLength`  |  The Content-Length header contains a value that cannot be parsed or is not a valid number.  |  Severe  | 
|  `BadHeader`  |  A header contains a null character or carriage return.  |  Severe  | 
|  `BadTransferEncoding`  |  The Transfer-Encoding header contains a bad value.  |  Severe  | 
|  `BadUri`  |  The request URI contains a null character or carriage return.  |  Severe  | 
|  `BadMethod`  |  The request method is malformed.  |  Severe  | 
|  `BadVersion`  |  The request version is malformed.  |  Severe  | 
|  `BothTeClPresent`  |  The request contains both a Transfer-Encoding header and a Content-Length header.  |  Ambiguous  | 
|  `DuplicateContentLength`  |  There are multiple Content-Length headers with the same value.  |  Ambiguous  | 
|  `EmptyHeader`  |  A header is empty or there is a line with only spaces.  |  Ambiguous  | 
|  `GetHeadZeroContentLength`  |  There is a Content-Length header with a value of 0 for a GET or HEAD request.  |  Acceptable  | 
|  `MultipleContentLength`  |  There are multiple Content-Length headers with different values.  |  Severe  | 
|  `MultipleTransferEncodingChunked`  |  There are multiple Transfer-Encoding: chunked headers.  |  Severe  | 
|  `NonCompliantHeader`  |  A header contains a non-ASCII or control character.  |  Acceptable  | 
|  `NonCompliantVersion`  |  The request version contains a bad value.  |  Acceptable  | 
|  `SpaceInUri`  |  The request URI contains a space that is not URL encoded.  |  Acceptable  | 
|  `SuspiciousHeader`  |  There is a header that can be normalized to Transfer-Encoding or Content-Length using common text normalization techniques.  |  Ambiguous  | 
|  `SuspiciousTeClPresent`  |  The request contains both a Transfer-Encoding header and a Content-Length header, with at least one of them being suspicious.  |  Severe  | 
|  `UndefinedContentLengthSemantics`  |  There is a Content-Length header defined for a GET or HEAD request.  |  Ambiguous  | 
|  `UndefinedTransferEncodingSemantics`  |  There is a Transfer-Encoding header defined for a GET or HEAD request.  |  Ambiguous  | 
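The following Python is an added example, not code from this guide or from AWS, covering the entry syntax, the actions\_executed values and the classification codes described above. It tokenizes entries the way the syntax table prescribes (space-delimited, quoted fields may contain spaces, stop after the last documented field, tolerate a trailing placeholder), then runs a small triage over them: requests classified Ambiguous or Severe, requests that AWS WAF rejected (`waf` as the final action), `waf-failed`, and any non-empty error\_reason such as the authenticate codes listed in the next section. The four log lines are constructed for the example, the `triage` rules are my own, and it assumes quoted fields never contain an embedded double quote.

```python
import re
from collections import Counter

# The 33 documented fields, in table order (position 1 first).
ACCESS_LOG_FIELDS = [
    "type", "time", "elb", "client_port", "target_port",
    "request_processing_time", "target_processing_time", "response_processing_time",
    "elb_status_code", "target_status_code", "received_bytes", "sent_bytes",
    "request", "user_agent", "ssl_cipher", "ssl_protocol", "target_group_arn",
    "trace_id", "domain_name", "chosen_cert_arn", "matched_rule_priority",
    "request_creation_time", "actions_executed", "redirect_url", "error_reason",
    "target_port_list", "target_status_code_list", "classification",
    "classification_reason", "conn_trace_id", "transformed_host",
    "transformed_uri", "request_transform_status",
]

# A field is either a double-quoted string (which may contain spaces, e.g. the
# request line and user agent) or a run of non-space characters.
_TOKEN = re.compile(r'"[^"]*"|\S+')


def parse_entry(line):
    """Split one access log entry into a dict keyed by documented field name.

    Surrounding double quotes are stripped. Tokens after the last documented field
    (such as the trailing "-" that precedes a new field's release) are ignored, and
    fields absent from shorter, older entries are filled with "-".
    """
    tokens = _TOKEN.findall(line.strip())
    tokens = [t[1:-1] if len(t) >= 2 and t[0] == t[-1] == '"' else t for t in tokens]
    tokens = tokens[:len(ACCESS_LOG_FIELDS)]
    tokens += ["-"] * (len(ACCESS_LOG_FIELDS) - len(tokens))
    return dict(zip(ACCESS_LOG_FIELDS, tokens))


def triage(entries):
    """Return (conn_trace_id, trace_id, reason) for entries a responder should look at:
    desync-classified requests, requests AWS WAF rejected, WAF failures, and
    authenticate-action errors."""
    findings = []
    for e in entries:
        actions = e["actions_executed"].split(",") if e["actions_executed"] != "-" else []
        key = (e["conn_trace_id"], e["trace_id"])
        if e["classification"] in ("Severe", "Ambiguous"):
            findings.append(key + ("desync:" + e["classification_reason"],))
        if actions and actions[-1] == "waf":  # waf as the final action means rejected
            findings.append(key + ("waf-block:" + e["elb_status_code"],))
        if "waf-failed" in actions:
            findings.append(key + ("waf-failed",))
        if e["error_reason"] != "-":
            findings.append(key + ("auth:" + e["error_reason"],))
    return findings


def classification_counts(entries):
    """Histogram of classification_reason over entries that did not comply with RFC 7230."""
    return Counter(e["classification_reason"] for e in entries if e["classification"] != "-")


# Constructed sample entries (not real traffic). The first carries an extra trailing "-"
# to show that a not-yet-documented 34th field is ignored.
SAMPLE_LINES = [
    'https 2024-05-01T12:00:01.123456Z app/my-loadbalancer/50dc6c495c0c9188 192.0.2.10:46532 10.0.0.1:80 0.000 0.003 0.000 200 200 34 366 "GET https://www.example.com:443/ HTTP/1.1" "curl/7.46.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 "Root=1-58337281-1d84f3d73c47ec4e58577259" "www.example.com" "arn:aws:acm:us-east-2:123456789012:certificate/12345678-1234-1234-1234-123456789012" 1 2024-05-01T12:00:01.120000Z "forward" "-" "-" "10.0.0.1:80" "200" "-" "-" TID_1234abcd5678ef90 "-" "-" "-" -',
    'https 2024-05-01T12:00:02.000000Z app/my-loadbalancer/50dc6c495c0c9188 198.51.100.7:51234 - -1 -1 -1 400 - 187 0 "POST https://www.example.com:443/api/submit HTTP/1.1" "python-requests/2.31.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 "Root=1-58337281-2d84f3d73c47ec4e58577260" "www.example.com" "arn:aws:acm:us-east-2:123456789012:certificate/12345678-1234-1234-1234-123456789012" - 2024-05-01T12:00:01.990000Z "-" "-" "-" "-" "-" "Severe" "MultipleContentLength" TID_2234abcd5678ef91 "-" "-" "-"',
    'h2 2024-05-01T12:00:03.000000Z app/my-loadbalancer/50dc6c495c0c9188 203.0.113.9:40001 - 0.001 -1 -1 403 - 512 0 "GET https://www.example.com:443/search?q=%27%20OR%201%3D1 HTTP/2.0" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 "Root=1-58337281-3d84f3d73c47ec4e58577261" "www.example.com" "arn:aws:acm:us-east-2:123456789012:certificate/12345678-1234-1234-1234-123456789012" 1 2024-05-01T12:00:02.995000Z "waf" "-" "-" "-" "-" "-" "-" TID_3234abcd5678ef92 "-" "-" "-"',
    'https 2024-05-01T12:00:04.000000Z app/my-loadbalancer/50dc6c495c0c9188 192.0.2.55:33001 - 0.002 -1 -1 401 - 420 0 "GET https://www.example.com:443/oauth2/idpresponse?code=abc123&state=tampered HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 "Root=1-58337281-4d84f3d73c47ec4e58577262" "www.example.com" "arn:aws:acm:us-east-2:123456789012:certificate/12345678-1234-1234-1234-123456789012" 1 2024-05-01T12:00:03.990000Z "authenticate" "-" "AuthInvalidStateParam" "-" "-" "-" "-" TID_4234abcd5678ef93 "-" "-" "-"',
]

if __name__ == "__main__":
    entries = [parse_entry(line) for line in SAMPLE_LINES]
    for finding in triage(entries):
        print(finding)
    print(dict(classification_counts(entries)))
```

Because entries are best-effort and new fields are appended, keying findings on conn\_trace\_id and trace\_id (rather than on position-dependent slices of the raw line) keeps the output joinable with connection logs and with the `X-Amzn-Trace-Id` header your targets log.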

### Error reason codes
<a name="error-reason-codes"></a>

If the load balancer cannot complete an authenticate action, the load balancer stores one of the following reason codes in the error\_reason field of the access log. The load balancer also increments the corresponding CloudWatch metric. For more information, see [Authenticate users using an Application Load Balancer](listener-authenticate-users.md).


| Code | Description | Metric | 
| --- | --- | --- | 
|  `AuthInvalidCookie`  |  The authentication cookie is not valid.  |  `ELBAuthFailure`  | 
|  `AuthInvalidGrantError`  |  The authorization grant code from the token endpoint is not valid.  |  `ELBAuthFailure`  | 
|  `AuthInvalidIdToken`  |  The ID token is not valid.  |  `ELBAuthFailure`  | 
|  `AuthInvalidStateParam`  |  The state parameter is not valid.  |  `ELBAuthFailure`  | 
|  `AuthInvalidTokenResponse`  |  The response from the token endpoint is not valid.  |  `ELBAuthFailure`  | 
|  `AuthInvalidUserinfoResponse`  |  The response from the user info endpoint is not valid.  |  `ELBAuthFailure`  | 
|  `AuthMissingCodeParam`  |  The authentication response from the authorization endpoint is missing a query parameter named 'code'.  |  `ELBAuthFailure`  | 
|  `AuthMissingHostHeader`  |  The authentication response from the authorization endpoint is missing a host header field.  |  `ELBAuthError`  | 
|  `AuthMissingStateParam`  |  The authentication response from the authorization endpoint is missing a query parameter named 'state'.  |  `ELBAuthFailure`  | 
|  `AuthTokenEpRequestFailed`  |  There is an error response (non-2XX) from the token endpoint.  |  `ELBAuthError`  | 
|  `AuthTokenEpRequestTimeout`  |  The load balancer is unable to communicate with the token endpoint, or the token endpoint is not responding within 5 seconds.  |  `ELBAuthError`  | 
|  `AuthUnhandledException`  |  The load balancer encountered an unhandled exception.  |  `ELBAuthError`  | 
|  `AuthUserinfoEpRequestFailed`  |  There is an error response (non-2XX) from the IdP user info endpoint.  |  `ELBAuthError`  | 
|  `AuthUserinfoEpRequestTimeout`  |  The load balancer is unable to communicate with the IdP user info endpoint, or the user info endpoint is not responding within 5 seconds.  |  `ELBAuthError`  | 
|  `AuthUserinfoResponseSizeExceeded`  |  The size of the claims returned by the IdP exceeded 11K bytes.  |  `ELBAuthUserClaimsSizeExceeded`  | 

If the load balancer cannot complete a jwt-validation action, the load balancer stores one of the following reason codes in the error_reason field of the access log. The load balancer also increments the corresponding CloudWatch metric. For more information, see [Verify JWTs using an Application Load Balancer](listener-verify-jwt.md).


| Code | Description | Metric | 
| --- | --- | --- | 
|  `JWTHeaderNotPresent`  |  Request does not contain Authorization header.  |  `JWTValidationFailureCount`  | 
|  `JWTRequestFormatInvalid`  |  The token in the request is malformed or is missing a mandatory part (header, payload, or signature); the Authorization header does not start with the "Bearer " prefix or uses a different auth type such as "Basic "; the Authorization header is present but contains no token; or the request contains multiple tokens.  |  `JWTValidationFailureCount`  | 
|  `JWKSRequestTimeout`  |  The load balancer is unable to communicate with the JWKS endpoint, or the JWKS endpoint is not responding within 5 seconds.  |  `JWTValidationFailureCount`  | 
|  `JWKSResponseSizeExceeded`  |  The size of the response returned by the JWKS endpoint exceeds 150KB or the number of keys returned by the JWKS endpoint exceeds 10.  |  `JWTValidationFailureCount`  | 
|  `JWKSRequestFailed`  |  There is an error response (non-2XX) from the JWKS endpoint.  |  `JWTValidationFailureCount`  | 
|  `JWKSResponseInvalid`  |  The JWKS response has one or more of the following problems: it is not JSON, it contains invalid characters, it is not a valid JWKS document, it is missing mandatory JWKS attributes or they are invalid, a public key uses an unsupported algorithm, a public key could not be converted to a decoding key, or a public key size is not 2K.  |  `JWTValidationFailureCount`  | 
|  `JWTSignatureValidationError`  |  The token signature could not be validated for any reason, including: the signature does not match, the token is signed with an unsupported algorithm, or the KID in the token is not present in the response from the JWKS endpoint.  |  `JWTValidationFailureCount`  | 
|  `JWTClaimNotPresent`  |  The JWT in the client request does not contain a claim that is required for validation.  |  `JWTValidationFailureCount`  | 
|  `JWTClaimFormatInvalid`  |  The format of the claim's value in the JWT does not match the format specified in the configuration.  |  `JWTValidationFailureCount`  | 
|  `JWTClaimValueInvalid`  |  The value of the claim in the JWT is invalid.  |  `JWTValidationFailureCount`  | 
|  `JWTValidationInternalError`  |  The load balancer encountered an unexpected error while validating the JWT in the client request.  |  `JWTValidationFailureCount`  | 

If a request to a weighted target group fails, the load balancer stores one of the following error codes in the error_reason field of the access log.


| Code | Description | 
| --- | --- | 
|  `AWSALBTGCookieInvalid`  |  The AWSALBTG cookie, which is used with weighted target groups, is not valid. For example, the load balancer returns this error when cookie values are URL encoded.  | 
|  `WeightedTargetGroupsUnhandledException`  |  The load balancer encountered an unhandled exception.  | 

If a request to a Lambda function fails, the load balancer stores one of the following reason codes in the error_reason field of the access log. The load balancer also increments the corresponding CloudWatch metric. For more information, see the Lambda [Invoke](https://docs.aws.amazon.com/lambda/latest/api/API_Invoke.html) action.


| Code | Description | Metric | 
| --- | --- | --- | 
|  `LambdaAccessDenied`  |  The load balancer did not have permission to invoke the Lambda function.  |  `LambdaUserError`  | 
|  `LambdaBadRequest`  |  Lambda invocation failed because the client request headers or body did not contain only UTF-8 characters.  |  `LambdaUserError`  | 
|  `LambdaConnectionError`  |  The load balancer cannot connect to Lambda.  |  `LambdaInternalError`  | 
|  `LambdaConnectionTimeout`  |  An attempt to connect to Lambda timed out.  |  `LambdaInternalError`  | 
|  `LambdaEC2AccessDeniedException`  |  Amazon EC2 denied access to Lambda during function initialization.  |  `LambdaUserError`  | 
|  `LambdaEC2ThrottledException`  |  Amazon EC2 throttled Lambda during function initialization.  |  `LambdaUserError`  | 
|  `LambdaEC2UnexpectedException`  |  Amazon EC2 encountered an unexpected exception during function initialization.  |  `LambdaUserError`  | 
|  `LambdaENILimitReachedException`  |  Lambda couldn't create a network interface in the VPC specified in the configuration of the Lambda function because the limit for network interfaces was exceeded.  |  `LambdaUserError`  | 
|  `LambdaInvalidResponse`  |  The response from the Lambda function is malformed or is missing required fields.  |  `LambdaUserError`  | 
|  `LambdaInvalidRuntimeException`  |  The specified version of the Lambda runtime is not supported.  |  `LambdaUserError`  | 
|  `LambdaInvalidSecurityGroupIDException`  |  The security group ID specified in the configuration of the Lambda function is not valid.  |  `LambdaUserError`  | 
|  `LambdaInvalidSubnetIDException`  |  The subnet ID specified in the configuration of the Lambda function is not valid.  |  `LambdaUserError`  | 
|  `LambdaInvalidZipFileException`  |  Lambda could not unzip the specified function zip file.  |  `LambdaUserError`  | 
|  `LambdaKMSAccessDeniedException`  |  Lambda could not decrypt environment variables because access to the KMS key was denied. Check the KMS permissions of the Lambda function.  |  `LambdaUserError`  | 
|  `LambdaKMSDisabledException`  |  Lambda could not decrypt environment variables because the specified KMS key is disabled. Check the KMS key settings of the Lambda function.  |  `LambdaUserError`  | 
|  `LambdaKMSInvalidStateException`  |  Lambda could not decrypt environment variables because the state of the KMS key is not valid. Check the KMS key settings of the Lambda function.  |  `LambdaUserError`  | 
|  `LambdaKMSNotFoundException`  |  Lambda could not decrypt environment variables because the KMS key was not found. Check the KMS key settings of the Lambda function.  |  `LambdaUserError`  | 
|  `LambdaRequestTooLarge`  |  The size of the request body exceeded 1 MB.  |  `LambdaUserError`  | 
|  `LambdaResourceNotFound`  |  The Lambda function could not be found.  |  `LambdaUserError`  | 
|  `LambdaResponseTooLarge`  |  The size of the response exceeded 1 MB.  |  `LambdaUserError`  | 
|  `LambdaServiceException`  |  Lambda encountered an internal error.  |  `LambdaInternalError`  | 
|  `LambdaSubnetIPAddressLimitReachedException`  |  Lambda could not set up VPC access for the Lambda function because one or more subnets have no available IP addresses.  |  `LambdaUserError`  | 
|  `LambdaThrottling`  |  The Lambda function was throttled because there were too many requests.  |  `LambdaUserError`  | 
|  `LambdaUnhandled`  |  The Lambda function encountered an unhandled exception.  |  `LambdaUserError`  | 
|  `LambdaUnhandledException`  |  The load balancer encountered an unhandled exception.  |  `LambdaInternalError`  | 
|  `LambdaWebsocketNotSupported`  |  WebSockets are not supported with Lambda.  |  `LambdaUserError`  | 

If the load balancer encounters an error when forwarding requests to AWS WAF, it stores one of the following error codes in the error_reason field of the access log.


| Code | Description | 
| --- | --- | 
|  `WAFConnectionError`  |  The load balancer cannot connect to AWS WAF.  | 
|  `WAFConnectionTimeout`  |  The connection to AWS WAF timed out.  | 
|  `WAFResponseReadTimeout`  |  A request to AWS WAF timed out.  | 
|  `WAFServiceError`  |  AWS WAF returned a 5XX error.  | 
|  `WAFUnhandledException`  |  The load balancer encountered an unhandled exception.  | 

### Transform status codes
<a name="transform-status-codes"></a>

If the load balancer applies a host header or URL rewrite transform to a request, it records one of the following status codes in the access log entry.

| Code | Description | 
| --- | --- | 
|  `TransformBufferTooSmall`  |  The rewrite transform failed because the result exceeded the size of an internal buffer. Try to make the regular expression less complex.  | 
|  `TransformCompileError`  |  The compilation of the regular expression failed.  | 
|  `TransformCompileTooBig`  |  The compiled regular expression was too large. Try to make the regular expression less complex.  | 
|  `TransformInvalidHost`  |  The host header rewrite transform failed because the resulting host is not valid.  | 
|  `TransformInvalidPath`  |  The URL rewrite transform failed because the resulting path is not valid.  | 
|  `TransformRegexSyntaxError`  |  The regular expression contained a syntax error.  | 
|  `TransformReplaceError`  |  The transform replacement failed.  | 
|  `TransformSuccess`  |  The rewrite transform completed successfully.  | 

## Example log entries
<a name="access-log-entry-examples"></a>

The following are example log entries. Note that the example text appears on multiple lines only to make them easier to read.

**Example HTTP Entry**  
The following is an example log entry for an HTTP listener (port 80 to port 80):

```
http 2018-07-02T22:23:00.186641Z app/my-loadbalancer/50dc6c495c0c9188 
192.168.131.39:2817 10.0.0.1:80 0.000 0.001 0.000 200 200 34 366 
"GET http://www.example.com:80/ HTTP/1.1" "curl/7.46.0" - - 
arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067
"Root=1-58337262-36d228ad5d99923122bbe354" "-" "-" 
0 2018-07-02T22:22:48.364000Z "forward" "-" "-" "10.0.0.1:80" "200" "-" "-" 
TID_1234abcd5678ef90 "-" "-" "-"
```

**Example HTTPS Entry**  
The following is an example log entry for an HTTPS listener (port 443 to port 80):

```
https 2018-07-02T22:23:00.186641Z app/my-loadbalancer/50dc6c495c0c9188 
192.168.131.39:2817 10.0.0.1:80 0.086 0.048 0.037 200 200 0 57 
"GET https://www.example.com:443/ HTTP/1.1" "curl/7.46.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 
arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067
"Root=1-58337281-1d84f3d73c47ec4e58577259" "www.example.com" "arn:aws:acm:us-east-2:123456789012:certificate/12345678-1234-1234-1234-123456789012"
1 2018-07-02T22:22:48.364000Z "authenticate,forward" "-" "-" "10.0.0.1:80" "200" "-" "-" 
TID_1234abcd5678ef90 "m.example.com" "-" "TransformSuccess"
```

**Example HTTP/2 Entry**  
The following is an example log entry for an HTTP/2 stream.

```
h2 2018-07-02T22:23:00.186641Z app/my-loadbalancer/50dc6c495c0c9188 
10.0.1.252:48160 10.0.0.66:9000 0.000 0.002 0.000 200 200 5 257 
"GET https://10.0.2.105:773/ HTTP/2.0" "curl/7.46.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067
"Root=1-58337327-72bd00b0343d75b906739c42" "-" "-"
1 2018-07-02T22:22:48.364000Z "redirect" "https://example.com:80/" "-" "10.0.0.66:9000" "200" "-" "-" 
TID_1234abcd5678ef90 "-" "-" "-"
```

**Example WebSockets Entry**  
The following is an example log entry for a WebSockets connection.

```
ws 2018-07-02T22:23:00.186641Z app/my-loadbalancer/50dc6c495c0c9188 
10.0.0.140:40914 10.0.1.192:8010 0.001 0.003 0.000 101 101 218 587 
"GET http://10.0.0.30:80/ HTTP/1.1" "-" - - 
arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067
"Root=1-58337364-23a8c76965a2ef7629b185e3" "-" "-"
1 2018-07-02T22:22:48.364000Z "forward" "-" "-" "10.0.1.192:8010" "101" "-" "-" 
TID_1234abcd5678ef90 "-" "-" "-"
```

**Example Secured WebSockets Entry**  
The following is an example log entry for a secured WebSockets connection.

```
wss 2018-07-02T22:23:00.186641Z app/my-loadbalancer/50dc6c495c0c9188 
10.0.0.140:44244 10.0.0.171:8010 0.000 0.001 0.000 101 101 218 786
"GET https://10.0.0.30:443/ HTTP/1.1" "-" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 
arn:aws:elasticloadbalancing:us-west-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067
"Root=1-58337364-23a8c76965a2ef7629b185e3" "-" "-"
1 2018-07-02T22:22:48.364000Z "forward" "-" "-" "10.0.0.171:8010" "101" "-" "-" 
TID_1234abcd5678ef90 "-" "-" "-"
```

**Example Entries for Lambda Functions**  
The following is an example log entry for a request to a Lambda function that succeeded:

```
http 2018-11-30T22:23:00.186641Z app/my-loadbalancer/50dc6c495c0c9188
192.168.131.39:2817 - 0.000 0.001 0.000 200 200 34 366
"GET http://www.example.com:80/ HTTP/1.1" "curl/7.46.0" - -
arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067
"Root=1-58337364-23a8c76965a2ef7629b185e3" "-" "-"
0 2018-11-30T22:22:48.364000Z "forward" "-" "-" "-" "-" "-" "-" 
TID_1234abcd5678ef90 "-" "-" "-"
```

The following is an example log entry for a request to a Lambda function that failed:

```
http 2018-11-30T22:23:00.186641Z app/my-loadbalancer/50dc6c495c0c9188
192.168.131.39:2817 - 0.000 0.001 0.000 502 - 34 366
"GET http://www.example.com:80/ HTTP/1.1" "curl/7.46.0" - -
arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067
"Root=1-58337364-23a8c76965a2ef7629b185e3" "-" "-"
0 2018-11-30T22:22:48.364000Z "forward" "-" "LambdaInvalidResponse" "-" "-" "-" "-" 
TID_1234abcd5678ef90 "-" "-" "-"
```

## Configure log delivery notifications
<a name="access-log-event-notifications"></a>

To receive notifications when Elastic Load Balancing delivers logs to your S3 bucket, use Amazon S3 Event Notifications. Elastic Load Balancing uses [PutObject](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObject.html), [CreateMultipartUpload](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateMultipartUpload.html), and [POST Object](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectPOST.html) to deliver logs to Amazon S3. To ensure that you receive all log delivery notifications, include all of these object creation events in your configuration.

For more information, see [Amazon S3 Event Notifications](https://docs.aws.amazon.com/AmazonS3/latest/userguide/EventNotifications.html) in the *Amazon Simple Storage Service User Guide*.

## Processing access log files
<a name="log-processing-tools"></a>

The access log files are compressed. If you download the files, you must uncompress them to view the information.

If there is a lot of demand on your website, your load balancer can generate log files with gigabytes of data. You might not be able to process such a large amount of data using line-by-line processing. Therefore, you might have to use analytical tools that provide parallel processing solutions. For example, you can use the following analytical tools to analyze and process access logs:
+ Amazon Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL. For more information, see [Querying Application Load Balancer logs](https://docs.aws.amazon.com/athena/latest/ug/application-load-balancer-logs.html) in the *Amazon Athena User Guide*.
+ [Loggly](https://documentation.solarwinds.com/en/success_center/loggly/content/admin/s3-ingestion-auto.htm)
+ [Splunk](https://splunk.github.io/splunk-add-on-for-amazon-web-services/)
+ [Sumo logic](https://www.sumologic.com/application/elb/)
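The following is an added example, not AWS tooling, that ties the example log entries above to the "Processing access log files" section: it tokenizes entries in the format shown (quoted fields and `-` placeholders), reads the gzip-compressed files as they are delivered to S3, and tallies the `error_reason` field so that the reason codes from the tables in this guide can be counted per action (authenticate, jwt-validation, Lambda, AWS WAF, weighted target groups, transforms). Field positions follow the order of the example entries; the names given to the last three fields (the ones populated by rewrite transforms) are this example's own labels, not documented field names. The sample input is the HTTPS entry and the failed Lambda entry from this page, each joined back onto one line.

```python
"""Parse ALB access log entries and tally error_reason codes by subsystem.

Added example for this guide; not AWS tooling. Field order follows the example
entries on the page; the last three field names are this example's own labels.
"""
import gzip
import io
import re
from collections import Counter
from typing import Dict, Iterable, Iterator, List, Tuple

# Positional field names. Positions 1-30 are the documented fields; the last three
# (filled in by host header / URL rewrite transforms) are ASSUMED labels used only here.
FIELDS = [
    "type", "time", "elb", "client_port", "target_port",
    "request_processing_time", "target_processing_time", "response_processing_time",
    "elb_status_code", "target_status_code", "received_bytes", "sent_bytes",
    "request", "user_agent", "ssl_cipher", "ssl_protocol", "target_group_arn",
    "trace_id", "domain_name", "chosen_cert_arn", "matched_rule_priority",
    "request_creation_time", "actions_executed", "redirect_url", "error_reason",
    "target_port_list", "target_status_code_list", "classification",
    "classification_reason", "conn_trace_id",
    "transformed_host", "transformed_path", "transform_status_code",  # assumed names
]

# A token is either a double-quoted string (backslash escapes allowed) or a bare word.
_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')

# Reason-code prefixes from the tables in this guide -> the action that produced them.
_SUBSYSTEMS = [("Auth", "authenticate"), ("JWT", "jwt-validation"),
               ("JWKS", "jwt-validation"), ("Lambda", "lambda"), ("WAF", "waf"),
               ("AWSALBTG", "weighted-target-groups"),
               ("WeightedTargetGroups", "weighted-target-groups"),
               ("Transform", "transform")]


def tokenize(line: str) -> List[str]:
    """Split one entry into fields, stripping the quotes from quoted fields."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(line.strip())]


def parse_entry(line: str) -> Dict[str, object]:
    """Map one log line to a dict; '-' becomes None and numeric fields are converted."""
    tokens = tokenize(line)
    if len(tokens) < 30:
        raise ValueError(f"expected at least 30 fields, got {len(tokens)}")
    tokens += ["-"] * (len(FIELDS) - len(tokens))   # older entries lack the trailing fields
    raw = dict(zip(FIELDS, tokens))
    entry: Dict[str, object] = {k: (None if v == "-" else v) for k, v in raw.items()}
    for k in ("elb_status_code", "target_status_code", "received_bytes",
              "sent_bytes", "matched_rule_priority"):
        entry[k] = None if raw[k] == "-" else int(raw[k])
    for k in ("request_processing_time", "target_processing_time", "response_processing_time"):
        entry[k] = None if raw[k] == "-" else float(raw[k])
    acts = raw["actions_executed"]
    entry["actions_executed"] = [] if acts == "-" else acts.split(",")
    return entry


def subsystem_for(reason: str) -> str:
    """Classify a reason code by the prefix used in this guide's tables."""
    for prefix, name in _SUBSYSTEMS:
        if reason.startswith(prefix):
            return name
    return "unknown"


def summarize_errors(lines: Iterable[str]) -> Tuple[Counter, Counter]:
    """Count entries that carry an error_reason, by code and by subsystem."""
    by_code: Counter = Counter()
    by_subsystem: Counter = Counter()
    for line in lines:
        if not line.strip():
            continue
        reason = parse_entry(line)["error_reason"]
        if reason is not None:
            by_code[reason] += 1
            by_subsystem[subsystem_for(str(reason))] += 1
    return by_code, by_subsystem


def iter_gzip_lines(data: bytes) -> Iterator[str]:
    """Yield non-empty lines from a gzip-compressed log file held in memory."""
    with gzip.open(io.BytesIO(data), "rt", encoding="utf-8") as fh:
        for line in fh:
            if line.strip():
                yield line.rstrip("\n")


# Sample input: the HTTPS entry and the failed Lambda entry from this page, joined onto one line each.
SAMPLE_LINES = [
    'https 2018-07-02T22:23:00.186641Z app/my-loadbalancer/50dc6c495c0c9188 '
    '192.168.131.39:2817 10.0.0.1:80 0.086 0.048 0.037 200 200 0 57 '
    '"GET https://www.example.com:443/ HTTP/1.1" "curl/7.46.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 '
    'arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 '
    '"Root=1-58337281-1d84f3d73c47ec4e58577259" "www.example.com" '
    '"arn:aws:acm:us-east-2:123456789012:certificate/12345678-1234-1234-1234-123456789012" '
    '1 2018-07-02T22:22:48.364000Z "authenticate,forward" "-" "-" "10.0.0.1:80" "200" "-" "-" '
    'TID_1234abcd5678ef90 "m.example.com" "-" "TransformSuccess"',
    'http 2018-11-30T22:23:00.186641Z app/my-loadbalancer/50dc6c495c0c9188 '
    '192.168.131.39:2817 - 0.000 0.001 0.000 502 - 34 366 '
    '"GET http://www.example.com:80/ HTTP/1.1" "curl/7.46.0" - - '
    'arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 '
    '"Root=1-58337364-23a8c76965a2ef7629b185e3" "-" "-" '
    '0 2018-11-30T22:22:48.364000Z "forward" "-" "LambdaInvalidResponse" "-" "-" "-" "-" '
    'TID_1234abcd5678ef90 "-" "-" "-"',
]
# The same two entries compressed the way a delivered log file is.
SAMPLE_GZIP = gzip.compress("\n".join(SAMPLE_LINES).encode("utf-8"))
```

Running `summarize_errors(iter_gzip_lines(SAMPLE_GZIP))` on the sample yields one `LambdaInvalidResponse` under the `lambda` subsystem; in practice the same tally, split by `elb` name and time window, is what you would alert on, since a rising count of `Auth*` or `JWT*` codes against one listener is visible here long before it shows up as a CloudWatch metric breach.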

# Enable access logs for your Application Load Balancer
<a name="enable-access-logging"></a>

When you enable access logs for your load balancer, you must specify the name of the S3 bucket where the load balancer will store the logs. The bucket must have a bucket policy that grants Elastic Load Balancing permission to write to the bucket.

**Topics**
+ [Step 1: Create an S3 bucket](#access-log-create-bucket)
+ [Step 2: Attach a policy to your S3 bucket](#attach-bucket-policy)
+ [Step 3: Configure access logs](#enable-access-logs)
+ [Step 4: Verify bucket permissions](#verify-bucket-permissions)
+ [Troubleshooting](#bucket-permissions-troubleshooting)

## Step 1: Create an S3 bucket
<a name="access-log-create-bucket"></a>

When you enable access logs, you must specify an S3 bucket for the access logs. You can use an existing bucket, or create a bucket specifically for access logs. The bucket must meet the following requirements.

**Requirements**
+ The bucket must be located in the same Region as the load balancer. The bucket and the load balancer can be owned by different accounts.
+ The only server-side encryption option that's supported is Amazon S3-managed keys (SSE-S3). For more information, see [Amazon S3-managed encryption keys (SSE-S3)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html).

**To create an S3 bucket using the Amazon S3 console**

1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. Choose **Create bucket**.

1. On the **Create bucket** page, do the following:

   1. For **Bucket name**, enter a name for your bucket. This name must be unique across all existing bucket names in Amazon S3. In some Regions, there might be additional restrictions on bucket names. For more information, see [Bucket restrictions and limitations](https://docs.aws.amazon.com/AmazonS3/latest/userguide/BucketRestrictions.html) in the *Amazon S3 User Guide*.

   1. For **AWS Region**, select the Region where you created your load balancer.

   1. For **Default encryption**, choose **Amazon S3-managed keys (SSE-S3)**.

   1. Choose **Create bucket**.

## Step 2: Attach a policy to your S3 bucket
<a name="attach-bucket-policy"></a>

Your S3 bucket must have a bucket policy that grants Elastic Load Balancing permission to write the access logs to the bucket. Bucket policies are a collection of JSON statements written in the access policy language to define access permissions for your bucket. Each statement includes information about a single permission and contains a series of elements.

If you're using an existing bucket that already has an attached policy, you can add the statement for Elastic Load Balancing access logs to the policy. If you do so, we recommend that you evaluate the resulting set of permissions to ensure that they are appropriate for the users that need access to the bucket for access logs.

### Bucket policy
<a name="bucket-policy-logdelivery"></a>

This policy grants permissions to the log delivery service.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "logdelivery.elasticloadbalancing.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/prefix/AWSLogs/123456789012/*"
    }
  ]
}
```

For `Resource`, enter the ARN of the location for the access logs, using the format shown in the example policy. Always include the account ID of the account with the load balancer in the resource path of the S3 bucket ARN. This ensures that only load balancers from the specified account can write access logs to the S3 bucket.

The ARN that you specify depends on whether you plan to include a prefix when you enable access logs in [step 3](#enable-access-logs).

**Example S3 bucket ARN with a prefix**  
The S3 bucket name is amzn-s3-demo-logging-bucket and the prefix is logging-prefix.

```
arn:aws:s3:::amzn-s3-demo-logging-bucket/logging-prefix/AWSLogs/123456789012/*
```

**AWS GovCloud (US)** – The following example uses the ARN syntax for the AWS GovCloud (US) Regions.

```
arn:aws-us-gov:s3:::amzn-s3-demo-logging-bucket/logging-prefix/AWSLogs/123456789012/*
```

**Example S3 bucket ARN with no prefix**  
The S3 bucket name is amzn-s3-demo-logging-bucket. There is no prefix portion in the S3 bucket ARN.

```
arn:aws:s3:::amzn-s3-demo-logging-bucket/AWSLogs/123456789012/*
```

**AWS GovCloud (US)** – The following example uses the ARN syntax for the AWS GovCloud (US) Regions.

```
arn:aws-us-gov:s3:::amzn-s3-demo-logging-bucket/AWSLogs/123456789012/*
```

### Legacy bucket policy
<a name="legacy-bucket-policy"></a>

Previously, for Regions available before August 2022, we required a policy that granted permissions to an Elastic Load Balancing account that was specific to the Region. This legacy policy is still supported, but we recommend that you replace it with the newer policy above. If you prefer to keep using the legacy policy, which is not shown here, you can.

For reference, here are the IDs of the Elastic Load Balancing accounts to specify in `Principal` in the legacy policy. Note that Regions that are not in this list do not support the legacy policy.
+ US East (N. Virginia) – 127311923021
+ US East (Ohio) – 033677994240
+ US West (N. California) – 027434742980
+ US West (Oregon) – 797873946194
+ Africa (Cape Town) – 098369216593
+ Asia Pacific (Hong Kong) – 754344448648
+ Asia Pacific (Jakarta) – 589379963580
+ Asia Pacific (Mumbai) – 718504428378
+ Asia Pacific (Osaka) – 383597477331
+ Asia Pacific (Seoul) – 600734575887
+ Asia Pacific (Singapore) – 114774131450
+ Asia Pacific (Sydney) – 783225319266
+ Asia Pacific (Tokyo) – 582318560864
+ Canada (Central) – 985666609251
+ Europe (Frankfurt) – 054676820928
+ Europe (Ireland) – 156460612806
+ Europe (London) – 652711504416
+ Europe (Milan) – 635631232127
+ Europe (Paris) – 009996457667
+ Europe (Stockholm) – 897822967062
+ Middle East (Bahrain) – 076674570225
+ South America (São Paulo) – 507241528517
+ AWS GovCloud (US-East) – 190560391635
+ AWS GovCloud (US-West) – 048591011584

### Outposts Zones
<a name="bucket-policy-outposts"></a>

The following policy grants permissions to the specified log delivery service. Use this policy for load balancers in Outposts Zones.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "logdelivery.elb.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/prefix/AWSLogs/123456789012/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
```

For `Resource`, enter the ARN of the location for the access logs, using the format shown in the example policy. Always include the account ID of the account with the load balancer in the resource path of the S3 bucket ARN. This ensures that only load balancers from the specified account can write access logs to the S3 bucket.

The S3 bucket ARN that you specify depends on whether you plan to include a prefix when you enable access logs in [step 3](#enable-access-logs).

**Example S3 bucket ARN with a prefix**  
The S3 bucket name is amzn-s3-demo-logging-bucket and the prefix is logging-prefix.

```
arn:aws:s3:::amzn-s3-demo-logging-bucket/logging-prefix/AWSLogs/123456789012/*
```

**Example S3 bucket ARN with no prefix**  
The S3 bucket name is amzn-s3-demo-logging-bucket. There is no prefix portion in the S3 bucket ARN.

```
arn:aws:s3:::amzn-s3-demo-logging-bucket/AWSLogs/123456789012/*
```

### Security best practices
<a name="bucket-policy-security-best-practices"></a>
+ Use the full resource path, including the account ID portion of the S3 bucket ARN. Don't use wildcards (`*`) in the account ID portion of the S3 bucket ARN.

  ```
  "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/prefix/AWSLogs/123456789012/*"
  ```
+ Use `aws:SourceArn` to ensure that only load balancers from the specified Region and account can use your bucket.

  ```
  "Condition": {
      "ArnLike": {
          "aws:SourceArn": "arn:aws:elasticloadbalancing:region:123456789012:loadbalancer/*"
      }
  }
  ```
+ Use `aws:SourceOrgId` with `aws:SourceArn` to ensure that only load balancers from the specified organization can use your bucket.

  ```
  "Condition": {
      "StringEquals": {
          "aws:SourceOrgId": "o-1234567890"
      },
      "ArnLike": {
          "aws:SourceArn": "arn:aws:elasticloadbalancing:*:*:loadbalancer/*"
      }
  }
  ```
+ If you have a `Deny` statement to prevent access to service principals except those explicitly allowed, be sure to add `logdelivery.elasticloadbalancing.amazonaws.com` to the list of allowed service principals. For example, if you used the `aws:PrincipalServiceNamesList` condition, add `logdelivery.elasticloadbalancing.amazonaws.com` as follows:

  ```
  {
    "Effect": "Deny",
    "Principal": "*",
    "Condition": {
        "StringNotEqualsIfExists": {
            "aws:PrincipalServiceNamesList": [
                "logdelivery.elasticloadbalancing.amazonaws.com",
                "service.amazonaws.com"
            ]
        }
    }
  }
  ```

  If you used the `NotPrincipal` element, add `logdelivery.elasticloadbalancing.amazonaws.com` as follows. Note that we recommend that you use the `aws:PrincipalServiceName` or `aws:PrincipalServiceNamesList` condition key to explicitly allow service principals instead of using the `NotPrincipal` element. For more information, see [NotPrincipal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notprincipal.html).

  ```
  {
    "Effect": "Deny",
    "NotPrincipal": {
      "Service": [
         "logdelivery.elasticloadbalancing.amazonaws.com",
         "service.amazonaws.com"
      ]
    }
  },
  ```
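As an added example (not an AWS tool), the following Python audits a bucket policy against the practices listed above: the log delivery `Allow` statement must name a full 12-digit account ID in the resource path, must carry an `aws:SourceArn` condition (with `aws:SourceOrgId` when the account in that ARN is wildcarded), and any `Deny` statement keyed on `aws:PrincipalServiceNamesList` or `NotPrincipal` must exempt the log delivery principal. It also builds the expected `Resource` ARN in the with-prefix and no-prefix forms shown in the bucket policy section, including the `aws-us-gov` partition, and rejects a prefix that contains the string "AWSLogs" (the requirement stated in step 3). The weak and hardened policy documents, and the Region in the `aws:SourceArn` value, are constructed for this example.

```python
"""Audit an S3 bucket policy for ALB access log delivery.

Added example for this guide, not an AWS tool. The policy documents below are
constructed; the Region in the aws:SourceArn condition is an example value.
"""
import re
from typing import Any, Dict, List

LOG_DELIVERY_PRINCIPAL = "logdelivery.elasticloadbalancing.amazonaws.com"

# <bucket>[/<prefix>]/AWSLogs/<12-digit account>/* in the aws or aws-us-gov partition.
_LOG_RESOURCE = re.compile(r"^arn:(aws|aws-us-gov):s3:::[^/*]+(?:/[^*]+)?/AWSLogs/\d{12}/\*$")


def expected_log_resource_arn(bucket: str, account_id: str,
                              prefix: str = "", partition: str = "aws") -> str:
    """Build the Resource ARN for the bucket policy, with or without a prefix."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account_id must be the 12-digit account that owns the load balancer")
    prefix = prefix.strip("/")
    if "AWSLogs" in prefix:
        raise ValueError('the prefix must not include the string "AWSLogs"')
    path = f"{bucket}/{prefix}" if prefix else bucket
    return f"arn:{partition}:s3:::{path}/AWSLogs/{account_id}/*"


def _as_list(value: Any) -> List[Any]:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _services(principal: Any) -> List[str]:
    return _as_list(principal.get("Service")) if isinstance(principal, dict) else []


def _account_of(arn: str) -> str:
    parts = arn.split(":")
    return parts[4] if len(parts) > 4 else ""


def audit_policy(policy: Dict[str, Any]) -> List[str]:
    """Return findings; an empty list means the policy follows the best practices above."""
    findings: List[str] = []
    allow_found = False
    for stmt in _as_list(policy.get("Statement")):
        effect = stmt.get("Effect")
        cond = stmt.get("Condition", {})
        if effect == "Allow" and LOG_DELIVERY_PRINCIPAL in _services(stmt.get("Principal")):
            allow_found = True
            if "s3:PutObject" not in _as_list(stmt.get("Action")):
                findings.append("log delivery statement does not allow s3:PutObject")
            for res in _as_list(stmt.get("Resource")):
                if not _LOG_RESOURCE.match(res):
                    findings.append(f"resource {res!r} must end in /AWSLogs/<account-id>/* "
                                    "with no wildcard in the account ID")
            arn_cond = {**cond.get("ArnLike", {}), **cond.get("ArnEquals", {})}
            source_arns = _as_list(arn_cond.get("aws:SourceArn"))
            org_id = cond.get("StringEquals", {}).get("aws:SourceOrgId")
            if not source_arns:
                findings.append("missing aws:SourceArn condition; load balancers in any Region "
                                "of the account could write here")
            elif not org_id and any(_account_of(a) in ("", "*") for a in source_arns):
                findings.append("aws:SourceArn wildcards the account; pin it or add aws:SourceOrgId")
        elif effect == "Deny":
            names = cond.get("StringNotEqualsIfExists", {}).get("aws:PrincipalServiceNamesList")
            if names is not None and LOG_DELIVERY_PRINCIPAL not in _as_list(names):
                findings.append("Deny on aws:PrincipalServiceNamesList does not exempt "
                                "the log delivery principal")
            not_principal = stmt.get("NotPrincipal")
            if isinstance(not_principal, dict) and \
                    LOG_DELIVERY_PRINCIPAL not in _as_list(not_principal.get("Service")):
                findings.append("Deny with NotPrincipal does not exempt the log delivery principal")
    if not allow_found:
        findings.append(f"no Allow statement for {LOG_DELIVERY_PRINCIPAL}")
    return findings


# Constructed: the guide's statement with a wildcard in the account segment, no Condition,
# and a Deny list that forgot the log delivery principal.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": LOG_DELIVERY_PRINCIPAL},
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/prefix/AWSLogs/*/*"},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
         "Condition": {"StringNotEqualsIfExists": {
             "aws:PrincipalServiceNamesList": ["service.amazonaws.com"]}}},
    ],
}

# Constructed: the same policy with the full account path, aws:SourceArn, and the principal exempted.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": LOG_DELIVERY_PRINCIPAL},
         "Action": "s3:PutObject",
         "Resource": expected_log_resource_arn("amzn-s3-demo-bucket", "123456789012", "prefix"),
         "Condition": {"ArnLike": {
             "aws:SourceArn": "arn:aws:elasticloadbalancing:us-east-2:123456789012:loadbalancer/*"}}},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
         "Condition": {"StringNotEqualsIfExists": {
             "aws:PrincipalServiceNamesList": [LOG_DELIVERY_PRINCIPAL, "service.amazonaws.com"]}}},
    ],
}
```

`audit_policy(WEAK_POLICY)` reports three findings (wildcarded account in the resource path, no `aws:SourceArn`, and a `Deny` that would block the log delivery principal), while `audit_policy(HARDENED_POLICY)` returns an empty list. The checker only inspects the statements that name the log delivery principal or that deny by service name; run it against the policy file before `put-bucket-policy` so a mistake here surfaces as a finding rather than as the access denied error described under Troubleshooting.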

After you create your bucket policy, use an Amazon S3 interface, such as the Amazon S3 console or AWS CLI commands, to attach your bucket policy to your S3 bucket.

------
#### [ Console ]

**To attach your bucket policy to your S3 bucket**

1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. Select the name of the bucket to open its details page.

1. Choose **Permissions** and then choose **Bucket policy**, **Edit**.

1. Update the bucket policy to grant the required permissions.

1. Choose **Save changes**.

------
#### [ AWS CLI ]

**To attach your bucket policy to your S3 bucket**  
Use the [put-bucket-policy](https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-policy.html) command. In this example, the bucket policy was saved to the specified .json file.

```
aws s3api put-bucket-policy \
    --bucket amzn-s3-demo-bucket \
    --policy file://access-log-policy.json
```

------

## Step 3: Configure access logs
<a name="enable-access-logs"></a>

Use the following procedure to configure access logs to capture request information and deliver log files to your S3 bucket.

**Requirements**  
The bucket must meet the requirements described in [step 1](#access-log-create-bucket), and you must attach a bucket policy as described in [step 2](#attach-bucket-policy). If you include a prefix, it must not include the string "AWSLogs".

**To manage the S3 bucket for your access logs**  
Be sure to disable access logs before you delete the bucket that you configured for access logs. Otherwise, if there is a new bucket with the same name and the required bucket policy but created in an AWS account that you don't own, Elastic Load Balancing could write the access logs for your load balancer to this new bucket.

------
#### [ Console ]

**To enable access logs**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **Load Balancers**.

1. Select the name of your load balancer to open its details page.

1. On the **Attributes** tab, choose **Edit**.

1. For **Monitoring**, turn on **Access logs**.

1. For **S3 URI**, enter the S3 URI for your log files. The URI that you specify depends on whether you're using a prefix.
   + URI with a prefix: s3://*amzn-s3-demo-logging-bucket*/*logging-prefix*
   + URI without a prefix: s3://*amzn-s3-demo-logging-bucket*

1. Choose **Save changes**.

------
#### [ AWS CLI ]

**To enable access logs**  
Use the [modify-load-balancer-attributes](https://docs.aws.amazon.com/cli/latest/reference/elbv2/modify-load-balancer-attributes.html) command with the related attributes.

```
aws elbv2 modify-load-balancer-attributes \
    --load-balancer-arn load-balancer-arn \
    --attributes \
        Key=access_logs.s3.enabled,Value=true \
        Key=access_logs.s3.bucket,Value=amzn-s3-demo-logging-bucket \
        Key=access_logs.s3.prefix,Value=logging-prefix
```

------
#### [ CloudFormation ]

**To enable access logs**  
Update the [AWS::ElasticLoadBalancingV2::LoadBalancer](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-loadbalancer.html) resource to include the related attributes.

```
Resources:
  myLoadBalancer:
    Type: 'AWS::ElasticLoadBalancingV2::LoadBalancer'
    Properties:
      Name: my-alb
      Type: application
      Scheme: internal
      Subnets:
        # Logical IDs of subnet resources or parameters defined elsewhere in the template.
        # Logical IDs must be alphanumeric, so they cannot contain hyphens.
        - !Ref SubnetAZ1
        - !Ref SubnetAZ2
      SecurityGroups:
        - !Ref mySecurityGroup
      LoadBalancerAttributes:
        - Key: "access_logs.s3.enabled"
          Value: "true"
        - Key: "access_logs.s3.bucket"
          Value: "amzn-s3-demo-logging-bucket"
        - Key: "access_logs.s3.prefix"
          Value: "logging-prefix"
```

------

## Step 4: Verify bucket permissions
<a name="verify-bucket-permissions"></a>

After access logs are enabled for your load balancer, Elastic Load Balancing validates the S3 bucket and creates a test file to ensure that the bucket policy specifies the required permissions. You can use the Amazon S3 console to verify that the test file was created. The test file is not an actual access log file; it doesn't contain example records.

**To verify a test file was created in your bucket using the Amazon S3 console**

1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. Select the name of the bucket that you specified for access logs.

1. Navigate to the test file, `ELBAccessLogTestFile`. The location depends on whether you're using a prefix.
   + Location with a prefix: *amzn-s3-demo-logging-bucket*/*logging-prefix*/AWSLogs/*123456789012*/ELBAccessLogTestFile
   + Location without a prefix: *amzn-s3-demo-logging-bucket*/AWSLogs/*123456789012*/ELBAccessLogTestFile

## Troubleshooting
<a name="bucket-permissions-troubleshooting"></a>

If you receive an access denied error, the following are possible causes:
+ The bucket policy does not grant Elastic Load Balancing permission to write access logs to the bucket. Verify that you are using the correct bucket policy for the Region. Verify that the resource ARN uses the same bucket name that you specified when you enabled access logs. Verify that the resource ARN does not include a prefix if you did not specify a prefix when you enabled access logs.
+ The bucket uses an unsupported server-side encryption option. The bucket must use Amazon S3-managed keys (SSE-S3).

# Disable access logs for your Application Load Balancer
<a name="disable-access-logging"></a>

You can disable access logs for your load balancer at any time. After you disable access logs, your access logs remain in your S3 bucket until you delete them. For more information, see [Creating, configuring, and working with S3 buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/creating-buckets-s3.html) in the *Amazon S3 User Guide*.

------
#### [ Console ]

**To disable access logs**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **Load Balancers**.

1. Select the name of your load balancer to open its details page.

1. On the **Attributes** tab, choose **Edit**.

1. For **Monitoring**, turn off **Access logs**.

1. Choose **Save changes**.

------
#### [ AWS CLI ]

**To disable access logs**  
Use the [modify-load-balancer-attributes](https://docs.aws.amazon.com/cli/latest/reference/elbv2/modify-load-balancer-attributes.html) command.

```
aws elbv2 modify-load-balancer-attributes \
    --load-balancer-arn load-balancer-arn \
    --attributes Key=access_logs.s3.enabled,Value=false
```

------

# Connection logs for your Application Load Balancer
<a name="load-balancer-connection-logs"></a>

Elastic Load Balancing provides connection logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the client's IP address and port, listener port, the TLS cipher and protocol used, TLS handshake latency, connection status, and client certificate details. You can use these connection logs to analyze request patterns and troubleshoot issues.

Connection logs are an optional feature of Elastic Load Balancing that is disabled by default. After you enable connection logs for your load balancer, Elastic Load Balancing captures the logs and stores them in the Amazon S3 bucket that you specify, as compressed files. You can disable connection logs at any time.

You are charged storage costs for Amazon S3, but not charged for the bandwidth used by Elastic Load Balancing to send log files to Amazon S3. For more information about storage costs, see [Amazon S3 pricing](https://aws.amazon.com/s3/pricing/).

**Topics**
+ [Connection log files](#connection-log-file-format)
+ [Connection log entries](#connection-log-entry-format)
+ [Example log entries](#connection-log-entry-examples)
+ [Processing connection log files](#connection-log-processing-tools)
+ [Enable connection logs](enable-connection-logging.md)
+ [Disable connection logs](disable-connection-logging.md)

## Connection log files
<a name="connection-log-file-format"></a>

Elastic Load Balancing publishes a log file for each load balancer node every 5 minutes. Log delivery is eventually consistent. The load balancer can deliver multiple logs for the same period. This usually happens if the site has high traffic.

The file names of the connection logs use the following format:

```
bucket[/prefix]/AWSLogs/aws-account-id/elasticloadbalancing/region/yyyy/mm/dd/conn_log_aws-account-id_elasticloadbalancing_region_app.load-balancer-id_end-time_ip-address_random-string.log.gz
```

*bucket*  
The name of the S3 bucket.

*prefix*  
(Optional) The prefix (logical hierarchy) for the bucket. The prefix that you specify must not include the string `AWSLogs`. For more information, see [Organizing objects using prefixes](https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-prefixes.html).

`AWSLogs`  
We add the portion of the file name starting with `AWSLogs` after the bucket name and optional prefix that you specify.

*aws-account-id*  
The AWS account ID of the owner.

*region*  
The Region for your load balancer and S3 bucket.

*yyyy*/*mm*/*dd*  
The date that the log was delivered.

*load-balancer-id*  
The resource ID of the load balancer. If the resource ID contains any forward slashes (/), they are replaced with periods (.).

*end-time*  
The date and time that the logging interval ended. For example, an end time of 20140215T2340Z contains entries for requests made between 23:35 and 23:40 in UTC or Zulu time.

*ip-address*  
The IP address of the load balancer node that handled the request. For an internal load balancer, this is a private IP address.

*random-string*  
A system-generated random string.

The following is an example log file name with a prefix:

```
s3://amzn-s3-demo-logging-bucket/logging-prefix/AWSLogs/123456789012/elasticloadbalancing/us-east-2/2022/05/01/conn_log_123456789012_elasticloadbalancing_us-east-2_app.my-loadbalancer.1234567890abcdef_20220215T2340Z_172.160.001.192_20sg8hgm.log.gz
```

The following is an example log file name without a prefix:

```
s3://amzn-s3-demo-logging-bucket/AWSLogs/123456789012/elasticloadbalancing/us-east-2/2022/05/01/conn_log_123456789012_elasticloadbalancing_us-east-2_app.my-loadbalancer.1234567890abcdef_20220215T2340Z_172.160.001.192_20sg8hgm.log.gz
```

You can store your log files in your bucket for as long as you want, but you can also define Amazon S3 lifecycle rules to archive or delete log files automatically. For more information, see [Object lifecycle management](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html) in the *Amazon S3 User Guide*.

## Connection log entries
<a name="connection-log-entry-format"></a>

Each connection attempt has an entry in a connection log file. Whether a connection is persistent or nonpersistent determines how many entries it produces. A nonpersistent connection carries a single request, which creates one entry in the access log and one entry in the connection log. A persistent connection carries multiple requests, which create multiple entries in the access log but a single entry in the connection log.

**Topics**
+ [Syntax](#connection-log-entry-syntax)
+ [Error reason codes](#connection-error-reason-codes)

### Syntax
<a name="connection-log-entry-syntax"></a>

The following table describes the fields of a connection log entry, in order. All fields are delimited by spaces. When we add a new field, we add it to the end of the log entry. As we prepare to release a new field, you might see an additional trailing "-" before the field is released. Ensure that you configure log parsing to stop after the last documented field, and update log parsing after we release a new field.


| Field (position) | Description | 
| --- | --- | 
|  timestamp (1)  |  The time, in ISO 8601 format, when the load balancer successfully established or failed to establish a connection.  | 
|  client_ip (2)  |  The IP address of the requesting client.  | 
|  client_port (3)  |  The port of the requesting client.  | 
|  listener_port (4)  |  The port of the load balancer listener receiving the client request.  | 
|  tls_protocol (5)  |  [HTTPS listener] The SSL/TLS protocol used during handshakes. This field is set to `-` for non SSL/TLS requests.  | 
|  tls_cipher (6)  |  [HTTPS listener] The SSL/TLS cipher used during handshakes. This field is set to `-` for non SSL/TLS requests.  | 
|  tls_handshake_latency (7)  |  [HTTPS listener] The total time in seconds, with millisecond precision, elapsed while establishing a successful handshake. This field is set to `-` in the cases listed on the [AWS documentation website](http://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-connection-logs.html).  | 
|  leaf_client_cert_subject (8)  |  [HTTPS listener] The subject name of the leaf client certificate. This field is set to `-` in the cases listed on the [AWS documentation website](http://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-connection-logs.html).  | 
|  leaf_client_cert_validity (9)  |  [HTTPS listener] The validity, with `not-before` and `not-after` in ISO 8601 format, of the leaf client certificate. This field is set to `-` in the cases listed on the [AWS documentation website](http://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-connection-logs.html).  | 
|  leaf_client_cert_serial_number (10)  |  [HTTPS listener] The serial number of the leaf client certificate. This field is set to `-` in the cases listed on the [AWS documentation website](http://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-connection-logs.html).  | 
|  tls_verify_status (11)  |  [HTTPS listener] The status of the connection request. This value is `Success` if the connection is established successfully. On an unsuccessful connection the value is `Failed:$error_code`.  | 
|  conn_trace_id (12)  |  The connection traceability ID is a **unique opaque ID** used to identify each connection. After a connection is established with a client, subsequent requests from this client contain this ID in their respective access log entries. This ID acts as a foreign key that links the connection log and the access log.  | 
|  tls_keyexchange (13)  |  [HTTPS listener] The key exchange used during handshakes for TLS or PQ-TLS. This field is set to `-` for non SSL/TLS requests.  | 

### Error reason codes
<a name="connection-error-reason-codes"></a>

If the load balancer is unable to establish a connection, the load balancer stores one of the following reason codes in the connection log.


| Code | Description | 
| --- | --- | 
|  `ClientCertMaxChainDepthExceeded`  |  The maximum client certificate chain depth has been exceeded  | 
|  `ClientCertMaxSizeExceeded`  |  The maximum client certificate size has been exceeded  | 
|  `ClientCertCrlHit`  |  Client certificate has been revoked by the CA  | 
|  `ClientCertCrlProcessingError`  |  CRL processing error  | 
|  `ClientCertUntrusted`  |  Client certificate is untrusted  | 
|  `ClientCertNotYetValid`  |  Client certificate is not yet valid  | 
|  `ClientCertExpired`  |  Client certificate is expired  | 
|  `ClientCertTypeUnsupported`  |  Client certificate type is unsupported  | 
|  `ClientCertInvalid`  |  Client certificate is invalid  | 
|  `ClientCertPurposeInvalid`  |  Client certificate purpose is invalid  | 
|  `ClientCertRejected`  |  Client certificate is rejected by custom server validation  | 
|  `UnmappedConnectionError`  |  Unmapped runtime connection error  | 

## Example log entries
<a name="connection-log-entry-examples"></a>

The following are example connection log entries. Note that each example is broken across multiple lines only to make it easier to read; an actual entry is a single line.

The following is an example log entry for a successful connection with an HTTPS listener with mutual TLS verify mode enabled on port 443.

```
2023-10-04T17:05:15.514108Z 203.0.113.1 36280 443 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 4.036 
"CN=amazondomains.com,O=endEntity,L=Seattle,ST=Washington,C=US" NotBefore=2023-09-21T22:43:21Z;NotAfter=2026-06-17T22:43:21Z 
FEF257372D5C14D4 Success TID_3180a73013c8ca4bac2f731159d4b0fe
```

The following is an example log entry for a failed connection with an HTTPS listener with mutual TLS verify mode enabled on port 443.

```
2023-10-04T17:05:15.514108Z 203.0.113.1 36280 443 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 - 
"CN=amazondomains.com,O=endEntity,L=Seattle,ST=Washington,C=US" NotBefore=2023-09-21T22:43:21Z;NotAfter=2026-06-17T22:43:21Z 
FEF257372D5C14D4 Failed:ClientCertUntrusted TID_1c71a68d70587445ad5127ff8b2687d7
```
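To work with these entries programmatically, here is an added parser (example code, not AWS's) that splits a connection log line on spaces while keeping the quoted certificate subject intact, stops after the 13 documented fields as the syntax section advises, and extracts the reason code from a `Failed:` status. Its input is the page's two example entries, joined back onto single lines.

```python
"""Parse Application Load Balancer connection log entries.
Added example, not AWS code. Field names follow the "Connection log entries"
table on this page; SAMPLE_LINES are the page's own example entries."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional

# Documented fields in order (positions 1-13). Parsing stops after these, so a
# trailing "-" for a not-yet-released field, or a field added later, is ignored.
CONNECTION_LOG_FIELDS = (
    "timestamp", "client_ip", "client_port", "listener_port",
    "tls_protocol", "tls_cipher", "tls_handshake_latency",
    "leaf_client_cert_subject", "leaf_client_cert_validity",
    "leaf_client_cert_serial_number", "tls_verify_status",
    "conn_trace_id", "tls_keyexchange",
)

# Reason codes from the "Error reason codes" table on this page.
KNOWN_REASON_CODES = frozenset({
    "ClientCertMaxChainDepthExceeded", "ClientCertMaxSizeExceeded",
    "ClientCertCrlHit", "ClientCertCrlProcessingError",
    "ClientCertUntrusted", "ClientCertNotYetValid", "ClientCertExpired",
    "ClientCertTypeUnsupported", "ClientCertInvalid",
    "ClientCertPurposeInvalid", "ClientCertRejected",
    "UnmappedConnectionError",
})

# A token is either a double-quoted string (the certificate subject, which
# may contain spaces) or a run of non-space characters.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


@dataclass
class ConnectionLogEntry:
    fields: Dict[str, object]      # field name -> value; None where "-" or absent
    success: bool                  # tls_verify_status == "Success"
    failure_reason: Optional[str]  # code after "Failed:", if any
    known_reason: bool             # reason code is in the documented table


def parse_connection_log_line(line: str) -> ConnectionLogEntry:
    tokens = TOKEN_RE.findall(line)[:len(CONNECTION_LOG_FIELDS)]
    fields: Dict[str, object] = {name: None for name in CONNECTION_LOG_FIELDS}
    for name, tok in zip(CONNECTION_LOG_FIELDS, tokens):
        if tok.startswith('"') and tok.endswith('"'):
            tok = tok[1:-1]
        fields[name] = None if tok == "-" else tok

    # Typed conversions for the numeric fields.
    for name in ("client_port", "listener_port"):
        if fields[name] is not None:
            fields[name] = int(fields[name])
    if fields["tls_handshake_latency"] is not None:
        fields["tls_handshake_latency"] = float(fields["tls_handshake_latency"])

    # "NotBefore=...;NotAfter=..." -> {"NotBefore": ..., "NotAfter": ...}
    validity = fields["leaf_client_cert_validity"]
    if isinstance(validity, str):
        fields["leaf_client_cert_validity"] = dict(
            part.split("=", 1) for part in validity.split(";") if "=" in part
        )

    status = fields["tls_verify_status"]
    failure_reason = None
    if isinstance(status, str) and status.startswith("Failed:"):
        failure_reason = status.split(":", 1)[1]
    return ConnectionLogEntry(
        fields=fields,
        success=(status == "Success"),
        failure_reason=failure_reason,
        known_reason=failure_reason in KNOWN_REASON_CODES,
    )


def count_failure_reasons(lines) -> Dict[str, int]:
    """Tally failed handshakes by reason code, for example to spot a wave of
    ClientCertUntrusted failures after a client CA rotation."""
    counts: Counter = Counter()
    for line in lines:
        entry = parse_connection_log_line(line)
        if entry.failure_reason is not None:
            counts[entry.failure_reason] += 1
    return dict(counts)


# The page's two example entries, each joined onto a single line.
SAMPLE_LINES = [
    "2023-10-04T17:05:15.514108Z 203.0.113.1 36280 443 TLSv1.2 "
    "ECDHE-RSA-AES128-GCM-SHA256 4.036 "
    '"CN=amazondomains.com,O=endEntity,L=Seattle,ST=Washington,C=US" '
    "NotBefore=2023-09-21T22:43:21Z;NotAfter=2026-06-17T22:43:21Z "
    "FEF257372D5C14D4 Success TID_3180a73013c8ca4bac2f731159d4b0fe",
    "2023-10-04T17:05:15.514108Z 203.0.113.1 36280 443 TLSv1.2 "
    "ECDHE-RSA-AES128-GCM-SHA256 - "
    '"CN=amazondomains.com,O=endEntity,L=Seattle,ST=Washington,C=US" '
    "NotBefore=2023-09-21T22:43:21Z;NotAfter=2026-06-17T22:43:21Z "
    "FEF257372D5C14D4 Failed:ClientCertUntrusted TID_1c71a68d70587445ad5127ff8b2687d7",
]
```

Because the example entries predate the `tls_keyexchange` field, the parser reports it as `None` for both; a line carrying a 14th token is truncated to the documented 13.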

## Processing connection log files
<a name="connection-log-processing-tools"></a>

The connection log files are compressed. If you open the files using the Amazon S3 console, they are uncompressed and the information is displayed. If you download the files, you must uncompress them to view the information.

If there is a lot of demand on your website, your load balancer can generate log files with gigabytes of data. You might not be able to process such a large amount of data using line-by-line processing. Therefore, you might have to use analytical tools that provide parallel processing solutions. For example, you can use the following analytical tools to analyze and process connection logs:
+ Amazon Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL.
+ [Loggly](https://documentation.solarwinds.com/en/success_center/loggly/content/admin/s3-ingestion-auto.htm)
+ [Splunk](https://splunk.github.io/splunk-add-on-for-amazon-web-services/)
+ [Sumo Logic](https://www.sumologic.com/application/elb/)

# Enable connection logs for your Application Load Balancer
<a name="enable-connection-logging"></a>

When you enable connection logs for your load balancer, you must specify the name of the S3 bucket where the load balancer will store the logs. The bucket must have a bucket policy that grants Elastic Load Balancing permission to write to the bucket.

**Topics**
+ [Step 1: Create an S3 bucket](#connection-log-create-bucket)
+ [Step 2: Attach a policy to your S3 bucket](#attach-bucket-policy-connection)
+ [Step 3: Configure connection logs](#enable-connection-logs)
+ [Step 4: Verify bucket permissions](#verify-bucket-permissions-connection)
+ [Troubleshooting](#bucket-permissions-troubleshooting-connection)

## Step 1: Create an S3 bucket
<a name="connection-log-create-bucket"></a>

When you enable connection logs, you must specify an S3 bucket for the connection logs. You can use an existing bucket, or create a bucket specifically for connection logs. The bucket must meet the following requirements.

**Requirements**
+ The bucket must be located in the same Region as the load balancer. The bucket and the load balancer can be owned by different accounts.
+ The only server-side encryption option that's supported is Amazon S3-managed keys (SSE-S3). For more information, see [Amazon S3-managed encryption keys (SSE-S3)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html).

**To create an S3 bucket using the Amazon S3 console**

1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. Choose **Create bucket**.

1. On the **Create bucket** page, do the following:

   1. For **Bucket name**, enter a name for your bucket. This name must be unique across all existing bucket names in Amazon S3. In some Regions, there might be additional restrictions on bucket names. For more information, see [Bucket restrictions and limitations](https://docs.aws.amazon.com/AmazonS3/latest/userguide/BucketRestrictions.html) in the *Amazon S3 User Guide*.

   1. For **AWS Region**, select the Region where you created your load balancer.

   1. For **Default encryption**, choose **Amazon S3-managed keys (SSE-S3)**.

   1. Choose **Create bucket**.

## Step 2: Attach a policy to your S3 bucket
<a name="attach-bucket-policy-connection"></a>

Your S3 bucket must have a bucket policy that grants Elastic Load Balancing permission to write the connection logs to the bucket. Bucket policies are a collection of JSON statements written in the access policy language to define access permissions for your bucket. Each statement includes information about a single permission and contains a series of elements.

If you're using an existing bucket that already has an attached policy, you can add the statement for Elastic Load Balancing connection logs to the policy. If you do so, we recommend that you evaluate the resulting set of permissions to ensure that they are appropriate for the users that need access to the bucket for connection logs.

### Bucket policy
<a name="bucket-policy-logdelivery-connection"></a>

This policy grants permissions to the specified log delivery service.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "logdelivery.elasticloadbalancing.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/prefix/AWSLogs/123456789012/*"
    }
  ]
}
```

For `Resource`, enter the ARN of the location for the connection logs, using the format shown in the example policy. Always include the account ID of the account with the load balancer in the resource path of the S3 bucket ARN. This ensures that only load balancers from the specified account can write connection logs to the S3 bucket.

The ARN that you specify depends on whether you plan to include a prefix when you enable connection logs in [step 3](#enable-connection-logs).

**Example S3 bucket ARN with a prefix**  
The S3 bucket name is amzn-s3-demo-logging-bucket and the prefix is logging-prefix.

```
arn:aws:s3:::amzn-s3-demo-logging-bucket/logging-prefix/AWSLogs/123456789012/*
```

**AWS GovCloud (US)** – The following example uses the ARN syntax for the AWS GovCloud (US) Regions.

```
arn:aws-us-gov:s3:::amzn-s3-demo-logging-bucket/logging-prefix/AWSLogs/123456789012/*
```

**Example S3 bucket ARN with no prefix**  
The S3 bucket name is amzn-s3-demo-logging-bucket. There is no prefix portion in the S3 bucket ARN.

```
arn:aws:s3:::amzn-s3-demo-logging-bucket/AWSLogs/123456789012/*
```

**AWS GovCloud (US)** – The following example uses the ARN syntax for the AWS GovCloud (US) Regions.

```
arn:aws-us-gov:s3:::amzn-s3-demo-logging-bucket/AWSLogs/123456789012/*
```

### Legacy bucket policy
<a name="legacy-bucket-policy"></a>

Previously, for Regions available before August 2022, we required a policy that granted permissions to an Elastic Load Balancing account that was specific to the Region. This legacy policy is still supported, but we recommend that you replace it with the newer policy above. If you prefer to keep using the legacy policy, which is not shown here, you can.

For reference, here are the IDs of the Elastic Load Balancing accounts to specify in `Principal` in the legacy policy. Note that Regions that are not in this list do not support the legacy policy.
+ US East (N. Virginia) – 127311923021
+ US East (Ohio) – 033677994240
+ US West (N. California) – 027434742980
+ US West (Oregon) – 797873946194
+ Africa (Cape Town) – 098369216593
+ Asia Pacific (Hong Kong) – 754344448648
+ Asia Pacific (Jakarta) – 589379963580
+ Asia Pacific (Mumbai) – 718504428378
+ Asia Pacific (Osaka) – 383597477331
+ Asia Pacific (Seoul) – 600734575887
+ Asia Pacific (Singapore) – 114774131450
+ Asia Pacific (Sydney) – 783225319266
+ Asia Pacific (Tokyo) – 582318560864
+ Canada (Central) – 985666609251
+ Europe (Frankfurt) – 054676820928
+ Europe (Ireland) – 156460612806
+ Europe (London) – 652711504416
+ Europe (Milan) – 635631232127
+ Europe (Paris) – 009996457667
+ Europe (Stockholm) – 897822967062
+ Middle East (Bahrain) – 076674570225
+ South America (São Paulo) – 507241528517
+ AWS GovCloud (US-East) – 190560391635
+ AWS GovCloud (US-West) – 048591011584

### Outposts Zones
<a name="bucket-policy-outposts"></a>

The following policy grants permissions to the specified log delivery service. Use this policy for load balancers in Outposts Zones.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "logdelivery.elb.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/prefix/AWSLogs/123456789012/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
```

For `Resource`, enter the ARN of the location for the connection logs. Always include the account ID of the account with the load balancer in the resource path of the S3 bucket ARN. This ensures that only load balancers from the specified account can write connection logs to the S3 bucket.

The ARN that you specify depends on whether you plan to include a prefix when you enable connection logs in [step 3](#enable-connection-logs).

**Example S3 bucket ARN with a prefix**  
The S3 bucket name is amzn-s3-demo-logging-bucket and the prefix is logging-prefix.

```
arn:aws:s3:::amzn-s3-demo-logging-bucket/logging-prefix/AWSLogs/123456789012/*
```

**Example S3 bucket ARN with no prefix**  
The S3 bucket name is amzn-s3-demo-logging-bucket. There is no prefix portion in the S3 bucket ARN.

```
arn:aws:s3:::amzn-s3-demo-logging-bucket/AWSLogs/123456789012/*
```

### Security best practices
<a name="bucket-policy-security-best-practices"></a>

To enhance security, use precise S3 bucket ARNs.
+ Use the full resource path, not just the S3 bucket ARN.
+ Include the account ID portion of the S3 bucket ARN.
+ Don't use wildcards (\*) in the account ID portion of the S3 bucket ARN.
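These three practices can be checked mechanically before a policy is attached. The following is an added example (not AWS code) that audits every `s3:PutObject` grant to a log delivery service principal in a bucket policy; the sample policy it runs against is constructed for the example, using the page's placeholder bucket name and account ID.

```python
"""Audit an S3 bucket policy for ELB log delivery against the security best
practices on this page: full resource path, account ID present, no wildcard
in the account ID. Added example, not AWS code; SAMPLE_POLICY is constructed."""
import json
import re
from typing import List, Optional

# The two log delivery service principals shown on this page.
LOG_DELIVERY_PRINCIPALS = {
    "logdelivery.elasticloadbalancing.amazonaws.com",
    "logdelivery.elb.amazonaws.com",
}

# arn:<partition>:s3:::<bucket>[/<path>]  (aws and aws-us-gov partitions)
S3_ARN_RE = re.compile(r"^arn:(aws|aws-us-gov):s3:::(?P<bucket>[^/*?]+)(?P<path>/.*)?$")


def check_log_delivery_resource(arn: str, expected_account: Optional[str] = None) -> List[str]:
    """Return the best-practice violations for one Resource ARN (empty list means OK)."""
    m = S3_ARN_RE.match(arn)
    if not m:
        return [f"{arn}: not an S3 bucket ARN"]
    path = (m.group("path") or "").strip("/")
    if path in ("", "*"):
        return [f"{arn}: use the full resource path ending in /AWSLogs/<account-id>/*, not just the bucket"]
    segments = path.split("/")
    if len(segments) < 3 or segments[-3] != "AWSLogs" or segments[-1] != "*":
        return [f"{arn}: path must end in /AWSLogs/<account-id>/*"]
    problems: List[str] = []
    account = segments[-2]
    if "*" in account or "?" in account:
        problems.append(f"{arn}: wildcard in the account ID portion")
    elif not re.fullmatch(r"\d{12}", account):
        problems.append(f"{arn}: account ID portion is not a 12-digit account ID")
    elif expected_account and account != expected_account:
        problems.append(f"{arn}: account {account} is not the load balancer account {expected_account}")
    # Everything before AWSLogs/<account-id>/* is the optional prefix.
    if "AWSLogs" in "/".join(segments[:-3]):
        problems.append(f"{arn}: the prefix must not include the string AWSLogs")
    return problems


def _as_list(value) -> list:
    """Policy elements may be a single string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_bucket_policy(policy_json: str, expected_account: Optional[str] = None) -> List[str]:
    """Check every Allow statement that lets a log delivery service write objects."""
    policy = json.loads(policy_json)
    findings: List[str] = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if not LOG_DELIVERY_PRINCIPALS & set(services):
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("s3:PutObject", "s3:*", "*") for a in actions):
            continue
        for resource in _as_list(stmt.get("Resource")):
            findings.extend(check_log_delivery_resource(resource, expected_account))
    return findings


# Constructed sample: the first statement follows the page's example policy;
# the second grants write access to the whole bucket with no account ID.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "logdelivery.elasticloadbalancing.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/prefix/AWSLogs/123456789012/*",
        },
        {
            "Effect": "Allow",
            "Principal": {"Service": "logdelivery.elasticloadbalancing.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*",
        },
    ],
})
```

`audit_bucket_policy(SAMPLE_POLICY, "123456789012")` passes the first statement and flags the second, so the check can run in CI against the JSON file you later pass to `put-bucket-policy`.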

After you create your bucket policy, use an Amazon S3 interface, such as the Amazon S3 console or AWS CLI commands, to attach your bucket policy to your S3 bucket.

------
#### [ Console ]

**To attach your bucket policy to your S3 bucket**

1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. Select the name of the bucket to open its details page.

1. Choose **Permissions** and then choose **Bucket policy**, **Edit**.

1. Update the bucket policy to grant the required permissions.

1. Choose **Save changes**.

------
#### [ AWS CLI ]

**To attach your bucket policy to your S3 bucket**  
Use the [put-bucket-policy](https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-policy.html) command. In this example, the bucket policy was saved to the specified .json file.

```
aws s3api put-bucket-policy \
    --bucket amzn-s3-demo-bucket \
    --policy file://access-log-policy.json
```

------

## Step 3: Configure connection logs
<a name="enable-connection-logs"></a>

Use the following procedure to configure connection logs to capture and deliver log files to your S3 bucket.

**Requirements**  
The bucket must meet the requirements described in [step 1](#connection-log-create-bucket), and you must attach a bucket policy as described in [step 2](#attach-bucket-policy-connection). If you specify a prefix, it must not include the string "AWSLogs".

**To manage the S3 bucket for your connection logs**  
Be sure to disable connection logs before you delete the bucket that you configured for connection logs. Otherwise, if there is a new bucket with the same name and the required bucket policy but created in an AWS account that you don't own, Elastic Load Balancing could write the connection logs for your load balancer to this new bucket.

------
#### [ Console ]

**To enable connection logs**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **Load Balancers**.

1. Select the name of your load balancer to open its details page.

1. On the **Attributes** tab, choose **Edit**.

1. For **Monitoring**, turn on **Connection logs**.

1. For **S3 URI**, enter the S3 URI for your log files. The URI that you specify depends on whether you're using a prefix.
   + URI with a prefix: `s3://bucket-name/prefix`
   + URI without a prefix: `s3://bucket-name`

1. Choose **Save changes**.

------
#### [ AWS CLI ]

**To enable connection logs**  
Use the [modify-load-balancer-attributes](https://docs.aws.amazon.com/cli/latest/reference/elbv2/modify-load-balancer-attributes.html) command with the related attributes.

```
aws elbv2 modify-load-balancer-attributes \
    --load-balancer-arn load-balancer-arn \
    --attributes \
        Key=connection_logs.s3.enabled,Value=true \
        Key=connection_logs.s3.bucket,Value=amzn-s3-demo-logging-bucket \
        Key=connection_logs.s3.prefix,Value=logging-prefix
```

------
#### [ CloudFormation ]

**To enable connection logs**  
Update the [AWS::ElasticLoadBalancingV2::LoadBalancer](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-loadbalancer.html) resource to include the related attributes.

```
Resources:
  myLoadBalancer:
    Type: 'AWS::ElasticLoadBalancingV2::LoadBalancer'
    Properties:
      Name: my-alb
      Type: application
      Scheme: internal
      Subnets: 
        - !Ref subnet-AZ1
        - !Ref subnet-AZ2
      SecurityGroups: 
        - !Ref mySecurityGroup
      LoadBalancerAttributes: 
        - Key: "connection_logs.s3.enabled"
          Value: "true"
        - Key: "connection_logs.s3.bucket"
          Value: "amzn-s3-demo-logging-bucket"
        - Key: "connection_logs.s3.prefix"
          Value: "logging-prefix"
```

------

## Step 4: Verify bucket permissions
<a name="verify-bucket-permissions-connection"></a>

After connection logs are enabled for your load balancer, Elastic Load Balancing validates the S3 bucket and creates a test file to ensure that the bucket policy specifies the required permissions. You can use the Amazon S3 console to verify that the test file was created. The test file is not an actual connection log file; it doesn't contain example records.

**To verify that Elastic Load Balancing created a test file in your S3 bucket**

1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. Select the name of the bucket that you specified for connection logs.

1. Navigate to the test file, `ELBConnectionLogTestFile`. The location depends on whether you're using a prefix.
   + Location with a prefix: *amzn-s3-demo-logging-bucket*/*prefix*/AWSLogs/*123456789012*/ELBConnectionLogTestFile
   + Location without a prefix: *amzn-s3-demo-logging-bucket*/AWSLogs/*123456789012*/ELBConnectionLogTestFile

## Troubleshooting
<a name="bucket-permissions-troubleshooting-connection"></a>

If you receive an access denied error, the following are possible causes:
+ The bucket policy does not grant Elastic Load Balancing permission to write connection logs to the bucket. Verify that you are using the correct bucket policy for the Region. Verify that the resource ARN uses the same bucket name that you specified when you enabled connection logs. Verify that the resource ARN does not include a prefix if you did not specify a prefix when you enabled connection logs.
+ The bucket uses an unsupported server-side encryption option. The bucket must use Amazon S3-managed keys (SSE-S3).

# Disable connection logs for your Application Load Balancer
<a name="disable-connection-logging"></a>

You can disable connection logs for your load balancer at any time. After you disable connection logs, your connection logs remain in your S3 bucket until you delete them. For more information, see [Creating, configuring, and working with buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/creating-buckets-s3.html) in the *Amazon S3 User Guide*.

------
#### [ Console ]

**To disable connection logs**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **Load Balancers**.

1. Select the name of your load balancer to open its details page.

1. On the **Attributes** tab, choose **Edit**.

1. For **Monitoring**, turn off **Connection logs**.

1. Choose **Save changes**.

------
#### [ AWS CLI ]

**To disable connection logs**  
Use the [modify-load-balancer-attributes](https://docs.aws.amazon.com/cli/latest/reference/elbv2/modify-load-balancer-attributes.html) command.

```
aws elbv2 modify-load-balancer-attributes \
    --load-balancer-arn load-balancer-arn \
    --attributes Key=connection_logs.s3.enabled,Value=false
```

------

# Health check logs
<a name="load-balancer-health-check-logs"></a>

Elastic Load Balancing provides health check logs that capture detailed information about the health check status of your registered targets, including failure reasons when health checks fail. Health check logs are supported for EC2 instance, IP address, and Lambda function targets. Each log entry contains information such as the health check request or connection type, timestamp, target address, target group ID, health status, and reason code. You can use these health check logs to analyze target health patterns, monitor health transitions, and troubleshoot issues.

Health check logs are an optional feature that is disabled by default. After you enable health check logs for your load balancer, Elastic Load Balancing captures the logs and stores them as compressed files in the Amazon S3 bucket that you specify. You can disable health check logs at any time.

You are charged storage costs for Amazon S3, but not charged for the bandwidth used by Elastic Load Balancing to send log files to Amazon S3. For more information about storage costs, see [Amazon S3 pricing](https://aws.amazon.com/s3/pricing/).

**Topics**
+ [Health check log files](#health-check-log-file-format)
+ [Health check log entries](#health-check-log-entry-format)
+ [Example log entries](#health-check-log-file-entries)
+ [Configure log delivery notifications](#health-check-log-event-notifications)
+ [Processing health check log files](#health-check-log-processing-tools)
+ [Enable health check logs for your Application Load Balancer](enable-health-check-logging.md)
+ [Disable health check logs for your Application Load Balancer](disable-health-check-logging.md)

## Health check log files
<a name="health-check-log-file-format"></a>

Elastic Load Balancing publishes a log file for each load balancer node every 5 minutes. The load balancer can deliver multiple logs for the same period when a large number of targets are attached to the load balancer or a small health check interval is configured (for example, every 5 seconds).

The file names of the health check logs use the following format:

```
bucket[/prefix]/AWSLogs/aws-account-id/elasticloadbalancing/region/yyyy/mm/dd/health_check_log_aws-account-id_elasticloadbalancing_region_app.load-balancer-id_end-time_ip-address_random-string.log.gz
```

*bucket*  
The name of the S3 bucket.

*prefix*  
(Optional) The prefix (logical hierarchy) for the bucket. The prefix that you specify must not include the string `AWSLogs`. For more information, see [Organizing objects using prefixes](https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-prefixes.html).

`AWSLogs`  
We add the portion of the file name starting with `AWSLogs` after the bucket name and optional prefix that you specify.

*aws-account-id*  
The AWS account ID of the owner.

*region*  
The Region for your load balancer and S3 bucket.

*yyyy*/*mm*/*dd*  
The date that the log was delivered.

*load-balancer-id*  
The resource ID of the load balancer. If the resource ID contains any forward slashes (/), they are replaced with periods (.).

*end-time*  
The date and time that the logging interval ended. For example, an end time of 20140215T2340Z contains entries for requests made between 23:35 and 23:40 in UTC or Zulu time.

*ip-address*  
The IP address of the load balancer node that handled the request. For an internal load balancer, this is a private IP address.

*random-string*  
A system-generated random string.

The following is an example log file name with a prefix:

```
s3://amzn-s3-demo-logging-bucket/logging-prefix/AWSLogs/123456789012/elasticloadbalancing/us-east-2/2022/05/01/health_check_log_123456789012_elasticloadbalancing_us-east-2_app.my-loadbalancer.1234567890abcdef_20220215T2340Z_172.160.001.192_20sg8hgm.log.gz
```

The following is an example log file name without a prefix:

```
s3://amzn-s3-demo-logging-bucket/AWSLogs/123456789012/elasticloadbalancing/us-east-2/2022/05/01/health_check_log_123456789012_elasticloadbalancing_us-east-2_app.my-loadbalancer.1234567890abcdef_20220215T2340Z_172.160.001.192_20sg8hgm.log.gz
```

You can store your log files in your bucket for as long as you want, but you can also define Amazon S3 lifecycle rules to archive or delete log files automatically. For more information, see [Object lifecycle management](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html) in the *Amazon S3 User Guide*.

## Health check log entries
<a name="health-check-log-entry-format"></a>

Elastic Load Balancing logs target health check results including the failure reasons for all registered targets of that load balancer. Each log entry contains the details of a single health check result made to the registered target.

**Topics**
+ [Syntax](#health-check-log-entry-syntax)
+ [Error reason codes](#health-check-error-reason-codes)

### Syntax
<a name="health-check-log-entry-syntax"></a>

The following table describes the fields of a health check log entry, in order. All fields are delimited by spaces. When we add a new field, we add it to the end of the log entry. As we prepare to release a new field, you might see an additional trailing "-" before the field is released. Ensure that you configure log parsing to stop after the last documented field, and update log parsing after we release a new field.


| Field (position) | Description | 
| --- | --- | 
|  type (1)  |  The type of health check request or connection. The possible values are as follows (ignore any other values): [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-health-check-logs.html)  | 
|  time (2)  |  Timestamp of when health check is initiated on a target, in ISO 8601 format.  | 
|  latency (3)  |  Total time elapsed (in seconds) to complete the current health check.  | 
|  target_addr (4)  |  IP address and port of the target, in the format IP:Port. If the target is a Lambda function, the ARN of the function.  | 
|  target_group_id (5)  |  Name of the target group that the target is associated with.  | 
|  status (6)  |  The status of the health check: `PASS` if the health check succeeds, `FAIL` if it does not.  | 
|  status_code (7)  |  The response code received from the target for the health check request.  | 
|  reason_code (8)  |  The reason for the failure if the health check fails. See [Error reason codes](#health-check-error-reason-codes).  | 

### Error reason codes
<a name="health-check-error-reason-codes"></a>

If the target health check fails, the load balancer will log one of the following reason codes in the health check log. 


| Code | Description | 
| --- | --- | 
|  `RequestTimedOut`  |  Health check request timed out while waiting for response  | 
|  `ConnectionTimedOut`  |  Health check failed because TCP connection attempt timed out  | 
|  `ConnectionReset`  |  Health check failed due to connection reset  | 
|  `ResponseCodeMismatch`  |  HTTP status code of the target’s response to the health check request did not match the configured status code  | 
|  `ResponseStringMismatch`  |  Response body returned by the target did not contain the string configured in the target group health check configuration  | 
|  `InternalError`  |  Internal load balancer error  | 
|  `TargetError`  |  Target returns 5xx error code in response to the health check request  | 
|  `GRPCStatusHeaderEmpty`  |  GRPC target response has a grpc-status header without value  | 
|  `GRPCUnexpectedStatus`  |  GRPC target responds with an unexpected grpc-status  | 

## Example log entries
<a name="health-check-log-file-entries"></a>

The following are examples of health check log entries. Note that an example entry may be wrapped across multiple lines here only to make it easier to read; in the log file each entry is a single line.

The following is an example log entry for a successful health check.

```
http 2025-10-31T12:44:59.875678Z 0.019584011 172.31.20.97:80 HCLogsTestIPs PASS 200 -
```

The following is an example log entry for a failed health check.

```
http 2025-10-31T12:44:58.901409Z 1.121980746 172.31.31.9:80 HCLogsTestIPs FAIL 502 TargetError
```

## Configure log delivery notifications
<a name="health-check-log-event-notifications"></a>

To receive notifications when Elastic Load Balancing delivers logs to your S3 bucket, use Amazon S3 Event Notifications. Elastic Load Balancing uses [PutObject](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObject.html), [CreateMultipartUpload](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateMultipartUpload.html), and [POST Object](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectPOST.html) to deliver logs to Amazon S3. To ensure that you receive all log delivery notifications, include all of these object creation events in your configuration.

For more information, see [Amazon S3 Event Notifications](https://docs.aws.amazon.com/AmazonS3/latest/userguide/EventNotifications.html) in the *Amazon Simple Storage Service User Guide*.

## Processing health check log files
<a name="health-check-log-processing-tools"></a>

The health check log files are compressed. If you download the files, you must uncompress them to view the information.

If there is a lot of demand on your website, your load balancer can generate log files with gigabytes of data. You might not be able to process such a large amount of data using line-by-line processing. Therefore, you might have to use analytical tools that provide parallel processing solutions. For example, you can use the following analytical tools to analyze and process health-check logs:
+ Amazon Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL.
+ [Loggly](https://documentation.solarwinds.com/en/success_center/loggly/content/admin/s3-ingestion-auto.htm)
+ [Splunk](https://splunk.github.io/splunk-add-on-for-amazon-web-services/)
+ [Sumo logic](https://www.sumologic.com/application/elb/)
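
The following parser, added here as an example and not AWS code, ties the entry syntax, the error reason codes, the example entries and the processing notes above together: it decompresses a gzip log object, splits each entry into the eight documented fields, stops after the last documented field (so a trailing "-" for an unreleased field is ignored), treats "-" as an absent value, and counts failures per target and reason code. The sample log is constructed: the first two lines copy the entries shown above, the third adds a `ConnectionTimedOut` result with a trailing unreleased field.

```python
"""Parse ALB health check log entries and summarize failures (added example; not AWS code)."""
import gzip
from collections import Counter

# Documented fields, in order. Tokens after the last documented field are ignored,
# which is how the docs advise configuring a parser.
FIELDS = ("type", "time", "latency", "target_addr", "target_group_id",
          "status", "status_code", "reason_code")

# Constructed sample: two entries from the documentation plus one with an extra trailing "-".
SAMPLE_LOG = b"""\
http 2025-10-31T12:44:59.875678Z 0.019584011 172.31.20.97:80 HCLogsTestIPs PASS 200 -
http 2025-10-31T12:44:58.901409Z 1.121980746 172.31.31.9:80 HCLogsTestIPs FAIL 502 TargetError
http 2025-10-31T12:45:03.102233Z 5.000512000 172.31.31.9:80 HCLogsTestIPs FAIL - ConnectionTimedOut -
"""


def compressed_sample():
    """Stand-in for a downloaded .log.gz object (health check log files are gzip-compressed)."""
    return gzip.compress(SAMPLE_LOG)


def parse_entry(line):
    """Split one space-delimited entry into a dict keyed by the documented field names."""
    tokens = line.split()
    if len(tokens) < len(FIELDS):
        raise ValueError(f"expected at least {len(FIELDS)} fields, got {len(tokens)}: {line!r}")
    entry = dict(zip(FIELDS, tokens))           # zip stops at the last documented field
    entry["latency"] = float(entry["latency"])  # seconds
    # "-" means no value: status_code when no response arrived, reason_code on a PASS
    for key in ("status_code", "reason_code"):
        if entry[key] == "-":
            entry[key] = None
    if entry["status"] not in ("PASS", "FAIL"):
        raise ValueError(f"unexpected status {entry['status']!r}")
    return entry


def parse_log(data):
    """Yield parsed entries from raw log bytes, decompressing first if they are gzip."""
    if data[:2] == b"\x1f\x8b":  # gzip magic bytes
        data = gzip.decompress(data)
    for line in data.decode("utf-8").splitlines():
        if line.strip():
            yield parse_entry(line)


def summarize_failures(entries):
    """Count FAIL results per (target group, target, reason code) to spot unhealthy targets."""
    counts = Counter()
    for e in entries:
        if e["status"] == "FAIL":
            counts[(e["target_group_id"], e["target_addr"], e["reason_code"])] += 1
    return counts


if __name__ == "__main__":
    entries = list(parse_log(compressed_sample()))
    for (group, target, reason), n in sorted(summarize_failures(entries).items()):
        print(f"{group} {target} {reason}: {n} failed check(s)")
```

For gigabyte-scale files the same `parse_entry` can be applied per line inside a parallel framework; the important property it keeps is that a new trailing field never breaks parsing of the documented ones.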

# Enable health check logs for your Application Load Balancer
<a name="enable-health-check-logging"></a>

When you enable health check logs for your load balancer, you must specify the name of the S3 bucket where the load balancer will store the logs. The bucket must have a bucket policy that grants Elastic Load Balancing permission to write to the bucket.

**Topics**
+ [Step 1: Create an S3 bucket](#health-check-log-create-bucket)
+ [Step 2: Attach a policy to your S3 bucket](#attach-bucket-policy-health-check)
+ [Step 3: Configure health check logs](#enable-health-check-logs)
+ [Step 4: Verify bucket permissions](#verify-bucket-permissions-health-check)
+ [Troubleshooting](#bucket-permissions-troubleshooting-health-check)

## Step 1: Create an S3 bucket
<a name="health-check-log-create-bucket"></a>

When you enable health-check logs, you must specify an S3 bucket for the health-check logs. You can use an existing bucket, or create a bucket specifically for health-check logs. The bucket must meet the following requirements.

**Requirements**
+ The bucket must be located in the same Region as the load balancer. The bucket and the load balancer can be owned by different accounts.
+ The only server-side encryption option that's supported is Amazon S3-managed keys (SSE-S3). For more information, see [Amazon S3-managed encryption keys (SSE-S3)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html).

**To create an S3 bucket using the Amazon S3 console**

1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. Choose **Create bucket**.

1. On the **Create bucket** page, do the following:

   1. For **Bucket name**, enter a name for your bucket. This name must be unique across all existing bucket names in Amazon S3. In some Regions, there might be additional restrictions on bucket names. For more information, see [Bucket restrictions and limitations](https://docs.aws.amazon.com/AmazonS3/latest/userguide/BucketRestrictions.html) in the *Amazon S3 User Guide*.

   1. For **AWS Region**, select the Region where you created your load balancer.

   1. For **Default encryption**, choose **Amazon S3-managed keys (SSE-S3)**.

   1. Choose **Create bucket**.

## Step 2: Attach a policy to your S3 bucket
<a name="attach-bucket-policy-health-check"></a>

Your S3 bucket must have a bucket policy that grants Elastic Load Balancing permission to write the health check logs to the bucket. Bucket policies are a collection of JSON statements written in the access policy language to define access permissions for your bucket. Each statement includes information about a single permission and contains a series of elements.

If you're using an existing bucket that already has an attached policy, you can add the statement for Elastic Load Balancing health check logs to the policy. If you do so, we recommend that you evaluate the resulting set of permissions to ensure that they are appropriate for the users that need access to the bucket for health check logs.

### Bucket policy
<a name="bucket-policy-logdelivery-health-check"></a>

This policy grants permissions to the specified log delivery service.


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "logdelivery.elasticloadbalancing.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/prefix/AWSLogs/123456789012/*"
    }
  ]
}
```

For `Resource`, enter the ARN of the location for the health check logs, using the format shown in the example policy. Always include the account ID of the account that owns the load balancer in the resource path of the S3 bucket ARN. This ensures that only load balancers from that account can write health check logs to the S3 bucket.

The ARN that you specify depends on whether you plan to include a prefix when you enable health check logs in [step 3](#enable-health-check-logs).

**Example S3 bucket ARN with a prefix**  
The S3 bucket name is amzn-s3-demo-logging-bucket and the prefix is logging-prefix.

```
arn:aws:s3:::amzn-s3-demo-logging-bucket/logging-prefix/AWSLogs/123456789012/*
```

**AWS GovCloud (US)** – The following example uses the ARN syntax for the AWS GovCloud (US) Regions.

```
arn:aws-us-gov:s3:::amzn-s3-demo-logging-bucket/logging-prefix/AWSLogs/123456789012/*
```

**Example S3 bucket ARN with no prefix**  
The S3 bucket name is amzn-s3-demo-logging-bucket. There is no prefix portion in the S3 bucket ARN.

```
arn:aws:s3:::amzn-s3-demo-logging-bucket/AWSLogs/123456789012/*
```

**AWS GovCloud (US)** – The following example uses the ARN syntax for the AWS GovCloud (US) Regions.

```
arn:aws-us-gov:s3:::amzn-s3-demo-logging-bucket/AWSLogs/123456789012/*
```

### Legacy bucket policy
<a name="legacy-bucket-policy"></a>

Previously, for Regions available before August 2022, we required a policy that granted permissions to an Elastic Load Balancing account that was specific to the Region. This legacy policy is still supported, but we recommend that you replace it with the newer policy above. If you prefer to keep using the legacy policy, which is not shown here, you can.

For reference, here are the IDs of the Elastic Load Balancing accounts to specify in `Principal` in the legacy policy. Note that Regions that are not in this list do not support the legacy policy.
+ US East (N. Virginia) – 127311923021
+ US East (Ohio) – 033677994240
+ US West (N. California) – 027434742980
+ US West (Oregon) – 797873946194
+ Africa (Cape Town) – 098369216593
+ Asia Pacific (Hong Kong) – 754344448648
+ Asia Pacific (Jakarta) – 589379963580
+ Asia Pacific (Mumbai) – 718504428378
+ Asia Pacific (Osaka) – 383597477331
+ Asia Pacific (Seoul) – 600734575887
+ Asia Pacific (Singapore) – 114774131450
+ Asia Pacific (Sydney) – 783225319266
+ Asia Pacific (Tokyo) – 582318560864
+ Canada (Central) – 985666609251
+ Europe (Frankfurt) – 054676820928
+ Europe (Ireland) – 156460612806
+ Europe (London) – 652711504416
+ Europe (Milan) – 635631232127
+ Europe (Paris) – 009996457667
+ Europe (Stockholm) – 897822967062
+ Middle East (Bahrain) – 076674570225
+ South America (São Paulo) – 507241528517
+ AWS GovCloud (US-East) – 190560391635
+ AWS GovCloud (US-West) – 048591011584

### Outposts Zones
<a name="bucket-policy-outposts"></a>

The following policy grants permissions to the specified log delivery service. Use this policy for load balancers in Outposts Zones.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "logdelivery.elb.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/prefix/AWSLogs/123456789012/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
```

For `Resource`, enter the ARN of the location for the health check logs. Always include the account ID of the account that owns the load balancer in the resource path of the S3 bucket ARN. This ensures that only load balancers from that account can write health check logs to the S3 bucket.

The ARN that you specify depends on whether you plan to include a prefix when you enable health check logs in [step 3](#enable-health-check-logs).

**Example S3 bucket ARN with a prefix**  
The S3 bucket name is amzn-s3-demo-logging-bucket and the prefix is logging-prefix.

```
arn:aws:s3:::amzn-s3-demo-logging-bucket/logging-prefix/AWSLogs/123456789012/*
```

**Example S3 bucket ARN with no prefix**  
The S3 bucket name is amzn-s3-demo-logging-bucket. There is no prefix portion in the S3 bucket ARN.

```
arn:aws:s3:::amzn-s3-demo-logging-bucket/AWSLogs/123456789012/*
```

### Security best practices
<a name="bucket-policy-security-best-practices"></a>

To enhance security, use precise S3 bucket ARNs.
+ Use the full resource path, not just the S3 bucket ARN.
+ Include the account ID portion of the S3 bucket ARN.
+ Don't use wildcards (\*) in the account ID portion of the S3 bucket ARN.

After you create your bucket policy, use an Amazon S3 interface, such as the Amazon S3 console or AWS CLI commands, to attach your bucket policy to your S3 bucket.

------
#### [ Console ]

**To attach your bucket policy to your S3 bucket**

1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. Select the name of the bucket to open its details page.

1. Choose **Permissions** and then choose **Bucket policy**, **Edit**.

1. Update the bucket policy to grant the required permissions.

1. Choose **Save changes**.

------
#### [ AWS CLI ]

**To attach your bucket policy to your S3 bucket**  
Use the [put-bucket-policy](https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-policy.html) command. In this example, the bucket policy was saved to the specified .json file.

```
aws s3api put-bucket-policy \
    --bucket amzn-s3-demo-bucket \
    --policy file://access-log-policy.json
```

------

## Step 3: Configure health check logs
<a name="enable-health-check-logs"></a>

Use the following procedure to configure health check logs to capture and deliver log files to your S3 bucket.

**Requirements**  
The bucket must meet the requirements described in [step 1](#health-check-log-create-bucket), and you must attach a bucket policy as described in [step 2](#attach-bucket-policy-health-check). If you specify a prefix, it must not include the string "AWSLogs".

**To manage the S3 bucket for your health check logs**  
Be sure to disable health check logs before you delete the bucket that you configured for health check logs. Otherwise, if there is a new bucket with the same name and the required bucket policy but created in an AWS account that you don't own, Elastic Load Balancing could write the health check logs for your load balancer to this new bucket.

------
#### [ Console ]

**To enable health check logs**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **Load Balancers**.

1. Select the name of your load balancer to open its details page.

1. On the **Attributes** tab, choose **Edit**.

1. For **Monitoring**, turn on **Health Check logs**.

1. For **S3 URI**, enter the S3 URI for your log files. The URI that you specify depends on whether you're using a prefix.
   + URI with a prefix: `s3://bucket-name/prefix`
   + URI without a prefix: `s3://bucket-name`

1. Choose **Save changes**.

------
#### [ AWS CLI ]

**To enable health check logs**  
Use the [modify-load-balancer-attributes](https://docs.aws.amazon.com/cli/latest/reference/elbv2/modify-load-balancer-attributes.html) command with the related attributes.

```
aws elbv2 modify-load-balancer-attributes \
    --load-balancer-arn load-balancer-arn \
    --attributes \
        Key=health_check_logs.s3.enabled,Value=true \
        Key=health_check_logs.s3.bucket,Value=amzn-s3-demo-logging-bucket \
        Key=health_check_logs.s3.prefix,Value=logging-prefix
```

------
#### [ CloudFormation ]

**To enable health check logs**  
Update the [AWS::ElasticLoadBalancingV2::LoadBalancer](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-loadbalancer.html) resource to include the related attributes.

```
Resources:
  myLoadBalancer:
    Type: 'AWS::ElasticLoadBalancingV2::LoadBalancer'
    Properties:
      Name: my-alb
      Type: application
      Scheme: internal
      Subnets: 
        - !Ref subnet-AZ1
        - !Ref subnet-AZ2
      SecurityGroups: 
        - !Ref mySecurityGroup
      LoadBalancerAttributes: 
        - Key: "health_check_logs.s3.enabled"
          Value: "true"
        - Key: "health_check_logs.s3.bucket"
          Value: "amzn-s3-demo-logging-bucket"
        - Key: "health_check_logs.s3.prefix"
          Value: "logging-prefix"
```

------

## Step 4: Verify bucket permissions
<a name="verify-bucket-permissions-health-check"></a>

After health check logs are enabled for your load balancer, Elastic Load Balancing validates the S3 bucket and creates a test file to ensure that the bucket policy specifies the required permissions. You can use the Amazon S3 console to verify that the test file was created. The test file is not an actual health check log file; it doesn't contain example records.

**To verify that Elastic Load Balancing created a test file in your S3 bucket**

1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. Select the name of the bucket that you specified for health check logs.

1. Navigate to the test file, `ELBHealthCheckLogTestFile`. The location depends on whether you're using a prefix.
   + Location with a prefix: *amzn-s3-demo-logging-bucket*/*prefix*/AWSLogs/*123456789012*/ELBHealthCheckLogTestFile
   + Location without a prefix: *amzn-s3-demo-logging-bucket*/AWSLogs/*123456789012*/ELBHealthCheckLogTestFile

## Troubleshooting
<a name="bucket-permissions-troubleshooting-health-check"></a>

If you receive an access denied error, the following are possible causes:
+ The bucket policy does not grant Elastic Load Balancing permission to write health check logs to the bucket. Verify that you are using the correct bucket policy for the Region. Verify that the resource ARN uses the same bucket name that you specified when you enabled health check logs. Verify that the resource ARN does not include a prefix if you did not specify a prefix when you enabled health check logs.
+ The bucket uses an unsupported server-side encryption option. The bucket must use Amazon S3-managed keys (SSE-S3).
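
The check below, added here as an example and not AWS code, turns the bucket policy requirements from step 2, the security best practices, the "AWSLogs" prefix rule from step 3 and the troubleshooting causes above into an audit you can run before enabling health check logs: it looks for an `Allow` statement for the log delivery service principal with `s3:PutObject`, and verifies that every `Resource` names the configured bucket, uses the full `AWSLogs/<account-id>/*` path, carries the load balancer's exact account ID rather than a wildcard, and has a prefix portion that matches what you will enter when enabling logs. The two policies it exercises are constructed: the good one follows the example policy above, the weak one replaces the account ID with a wildcard.

```python
"""Audit an S3 bucket policy for ALB health check log delivery (added example; not AWS code)."""
import json
import re

LOG_DELIVERY_PRINCIPALS = {
    "logdelivery.elasticloadbalancing.amazonaws.com",  # current policy
    "logdelivery.elb.amazonaws.com",                    # Outposts Zones
}
S3_ARN = re.compile(r"^arn:(?P<partition>[^:]+):s3:::(?P<bucket>[^/]+)(?:/(?P<key>.*))?$")

# Constructed sample policies: GOOD follows the documented format, WEAK wildcards the account ID.
GOOD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "logdelivery.elasticloadbalancing.amazonaws.com"},
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::amzn-s3-demo-logging-bucket/logging-prefix/AWSLogs/123456789012/*",
    }],
})
WEAK_POLICY = GOOD_POLICY.replace("AWSLogs/123456789012/*", "AWSLogs/*/*")


def _as_list(value):
    """IAM JSON allows a string or a list in Action/Resource/Service; normalize to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def expected_resource(bucket, account_id, prefix=None, partition="aws"):
    """The ARN the statement should name: bucket/[prefix/]AWSLogs/<account-id>/*."""
    path = f"{prefix.strip('/')}/" if prefix else ""
    return f"arn:{partition}:s3:::{bucket}/{path}AWSLogs/{account_id}/*"


def check_resource(res, bucket, account_id, prefix, partition):
    """Findings for one Resource ARN: wrong bucket, bare bucket, wildcard/foreign account, wrong prefix."""
    m = S3_ARN.match(res)
    if not m:
        return [f"unparseable resource ARN {res!r}"]
    out = []
    if m.group("partition") != partition:
        out.append(f"partition {m.group('partition')!r} differs from {partition!r}")
    if m.group("bucket") != bucket:
        out.append(f"resource names bucket {m.group('bucket')!r}, expected {bucket!r}")
    parts = (m.group("key") or "").split("/")
    if "AWSLogs" not in parts:
        out.append("resource lacks the AWSLogs/<account-id>/* path; a bare bucket ARN is too broad")
        return out
    i = parts.index("AWSLogs")
    acct = parts[i + 1] if i + 1 < len(parts) else ""
    if acct != account_id:
        out.append(f"account ID segment is {acct!r}; use the load balancer's account ID "
                   f"{account_id}, not a wildcard or another account")
    actual_prefix = "/".join(parts[:i])
    if actual_prefix != (prefix or "").strip("/"):
        out.append(f"prefix portion {actual_prefix!r} does not match the configured prefix {prefix!r}")
    return out


def audit_bucket_policy(policy_json, bucket, account_id, prefix=None, partition="aws"):
    """Return a list of findings; an empty list means the policy matches the documented requirements."""
    findings = []
    if prefix and "AWSLogs" in prefix:
        findings.append('the prefix must not include the string "AWSLogs"')
    statements = json.loads(policy_json).get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    delivery = []
    for stmt in statements:
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") == "Allow" and set(services) & LOG_DELIVERY_PRINCIPALS:
            delivery.append(stmt)
    if not delivery:
        return findings + ["no Allow statement for the log delivery service principal"]
    want = expected_resource(bucket, account_id, prefix, partition)
    resources = []
    for stmt in delivery:
        if "s3:PutObject" not in _as_list(stmt.get("Action")):
            findings.append("log delivery statement does not allow s3:PutObject")
        for res in _as_list(stmt.get("Resource")):
            resources.append(res)
            findings.extend(check_resource(res, bucket, account_id, prefix, partition))
    if want not in resources:
        findings.append(f"no resource equals the expected ARN {want}")
    return findings


if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("weak", WEAK_POLICY)):
        print(name, audit_bucket_policy(policy, "amzn-s3-demo-logging-bucket", "123456789012", "logging-prefix"))
```

Run it against the policy you intend to attach, with the bucket, account ID and prefix you will enter in step 3; pass `partition="aws-us-gov"` for the AWS GovCloud (US) ARN syntax. A non-empty result corresponds to one of the access-denied causes listed above, except for the wildcard finding, which is the best-practices violation that would let load balancers in other accounts write into your bucket.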

# Disable health check logs for your Application Load Balancer
<a name="disable-health-check-logging"></a>

You can disable health check logs for your load balancer at any time. After you disable health check logs, your health check logs remain in your S3 bucket until you delete them. For more information, see [Creating, configuring, and working with buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/creating-buckets-s3.html) in the *Amazon S3 User Guide*.

------
#### [ Console ]

**To disable health check logs**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **Load Balancers**.

1. Select the name of your load balancer to open its details page.

1. On the **Attributes** tab, choose **Edit**.

1. For **Monitoring**, turn off **Health check logs**.

1. Choose **Save changes**.

------
#### [ AWS CLI ]

**To disable health check logs**  
Use the [modify-load-balancer-attributes](https://docs.aws.amazon.com/cli/latest/reference/elbv2/modify-load-balancer-attributes.html) command.

```
aws elbv2 modify-load-balancer-attributes \
    --load-balancer-arn load-balancer-arn \
    --attributes Key=health_check_logs.s3.enabled,Value=false
```

------

# Request tracing for your Application Load Balancer
<a name="load-balancer-request-tracing"></a>

When the load balancer receives a request from a client, it adds or updates the **X-Amzn-Trace-Id** header before sending the request to the target. Any services or applications between the load balancer and the target can also add or update this header.

You can use request tracing to track HTTP requests from clients to targets or other services. If you enable access logs, the contents of the **X-Amzn-Trace-Id** header are logged. For more information, see [Access logs for your Application Load Balancer](load-balancer-access-logs.md).

## Syntax
<a name="request-tracing-syntax"></a>

The **X-Amzn-Trace-Id** header contains fields with the following format:

```
Field=version-time-id
```

*Field*  
The name of the field. The supported values are `Root` and `Self`.  
An application can add arbitrary fields for its own purposes. The load balancer preserves these fields but does not use them.

*version*  
The version number. This value is 1.

*time*  
The epoch time, in seconds. This value is 8 hexadecimal digits long.

*id*  
The trace identifier. This value is 24 hexadecimal digits.

**Examples**  
If the **X-Amzn-Trace-Id** header is not present on an incoming request, the load balancer generates a header with a `Root` field and forwards the request. For example:

```
X-Amzn-Trace-Id: Root=1-67891233-abcdef012345678912345678
```

If the **X-Amzn-Trace-Id** header is present and has a `Root` field, the load balancer inserts a `Self` field and forwards the request. For example:

```
X-Amzn-Trace-Id: Self=1-67891233-12456789abcdef012345678;Root=1-67891233-abcdef012345678912345678
```

If an application adds a header with a `Root` field and a custom field, the load balancer preserves both fields, inserts a `Self` field, and forwards the request:

```
X-Amzn-Trace-Id: Self=1-67891233-12456789abcdef012345678;Root=1-67891233-abcdef012345678912345678;CalledFrom=app
```

If the **X-Amzn-Trace-Id** header is present and has a `Self` field, the load balancer updates the value of the `Self` field.

## Limitations
<a name="request-tracing-limits"></a>
+ The load balancer updates the header when it receives an incoming request, not when it receives a response.
+ If the HTTP headers are greater than 7 KB, the load balancer rewrites the **X-Amzn-Trace-Id** header with a `Root` field.
+ With WebSockets, you can trace only until the upgrade request is successful.
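
The following model, added here as an example and not the load balancer's own code, implements the header syntax and the rewrite rules from the Syntax and Limitations sections: it parses `Field=version-time-id` fields while preserving custom ones, validates a value as version 1 with an 8-hex-digit epoch time and a 24-hex-digit identifier, and reproduces the three cases above (no header: add `Root`; `Root` without `Self`: insert `Self`; `Self` present: replace it). Two assumptions are labelled in the code: the 7 KB limit is taken as 7 * 1024 bytes and "rewrites the header with a `Root` field" as replacing the whole header with a fresh `Root`; the `now` and `token_hex` parameters, and `fixed_token_hex`, exist only to make output deterministic.

```python
"""Parse, validate and model the load balancer's handling of X-Amzn-Trace-Id (added example)."""
import re
import secrets
import time

# version-time-id: version 1, time = epoch seconds as 8 hex digits, id = 24 hex digits
TRACE_VALUE = re.compile(r"^(?P<version>1)-(?P<time>[0-9a-f]{8})-(?P<id>[0-9a-f]{24})$")
HEADER_LIMIT = 7 * 1024  # assumption: "7 KB" read as 7 * 1024 bytes
EXAMPLE_ROOT = "1-67891233-abcdef012345678912345678"  # Root value from the examples above


def fixed_token_hex(nbytes):
    """Deterministic replacement for secrets.token_hex, used only for demonstration."""
    return "f" * (2 * nbytes)


def parse_trace_header(value):
    """Split 'Field=value;Field=value' into a dict, keeping order and any custom fields."""
    fields = {}
    for part in (value or "").split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"malformed field {part!r}")
        fields[name.strip()] = val.strip()
    return fields


def format_trace_header(fields):
    return ";".join(f"{name}={val}" for name, val in fields.items())


def trace_value_parts(value):
    """Return (version, epoch_seconds, id) for a well-formed value, or None if malformed."""
    m = TRACE_VALUE.match(value)
    if m is None:
        return None
    return m.group("version"), int(m.group("time"), 16), m.group("id")


def new_trace_value(now=None, token_hex=secrets.token_hex):
    seconds = int(time.time()) if now is None else now
    return f"1-{seconds:08x}-{token_hex(12)}"  # 12 random bytes -> 24 hex digits


def load_balancer_rewrite(incoming, total_header_bytes=0, now=None, token_hex=secrets.token_hex):
    """Header value forwarded to the target for an incoming X-Amzn-Trace-Id (None if absent):
      - absent, or request headers over the limit: a fresh Root field only (limit case is an assumption)
      - Self present: its value is replaced, everything else preserved
      - Root present, no Self: a Self field is inserted in front, other fields preserved
      - neither field (unspecified above): Root is added and other fields kept (assumption)
    """
    fresh = new_trace_value(now, token_hex)
    if incoming is None or total_header_bytes > HEADER_LIMIT:
        return format_trace_header({"Root": fresh})
    fields = parse_trace_header(incoming)
    if "Self" in fields:
        fields["Self"] = fresh
        return format_trace_header(fields)
    if "Root" in fields:
        return format_trace_header({"Self": fresh, **fields})
    return format_trace_header({"Root": fresh, **fields})


if __name__ == "__main__":
    print(load_balancer_rewrite(None, now=0x67891233, token_hex=fixed_token_hex))
    print(load_balancer_rewrite(f"Root={EXAMPLE_ROOT};CalledFrom=app", now=0x67891233, token_hex=fixed_token_hex))
```

When correlating access log entries with application logs, `trace_value_parts` on the `Root` value gives the epoch second at which the trace was created, which is useful for bounding a search window; a value that fails validation should be treated as untrusted client input rather than as a load balancer identifier, since any upstream hop may set the header.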