

# Monitor your Network Load Balancers
<a name="load-balancer-monitoring"></a>

You can use the following features to monitor your load balancers, analyze traffic patterns, and troubleshoot issues with your load balancers and targets.

**CloudWatch metrics**  
You can use Amazon CloudWatch to retrieve statistics about data points for your load balancers and targets as an ordered set of time-series data, known as *metrics*. You can use these metrics to verify that your system is performing as expected. For more information, see [CloudWatch metrics for your Network Load Balancer](load-balancer-cloudwatch-metrics.md).

**VPC Flow Logs**  
You can use VPC Flow Logs to capture detailed information about the traffic going to and from your Network Load Balancer. For more information, see [VPC flow logs](https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html) in the *Amazon VPC User Guide*.  
Create a flow log for each network interface for your load balancer. There is one network interface per load balancer subnet. To identify the network interfaces for a Network Load Balancer, look for the name of the load balancer in the description field of the network interface.  
There are two entries for each connection through your Network Load Balancer, one for the frontend connection between the client and the load balancer and the other for the backend connection between the load balancer and the target. If the target group's client IP preservation attribute is enabled, the connection appears to the instance as a connection from the client. Otherwise, the connection's source IP is the load balancer's private IP address. If the security group of the instance doesn't allow connections from the client but the network ACLs for the load balancer subnet allow them, the logs for the network interface for the load balancer show "ACCEPT OK" for the frontend and backend connections, while the logs for the network interface for the instance show "REJECT OK" for the connection.  
If a Network Load Balancer has associated security groups, your flow logs contain entries for traffic that is allowed or rejected by the security groups. For Network Load Balancers with TLS listeners, your flow logs entries reflect only the rejected entries.
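The two-entries-per-connection behaviour above is easiest to work with when the records are correlated by 5-tuple. The following is an added example, not part of the AWS documentation: it parses default-format VPC Flow Log records, labels each one as a frontend, backend or target-side entry, and reports flows that the load balancer's network interface accepted but the target's network interface rejected, which is the security-group mismatch the text describes. The ENI IDs, addresses and log lines are constructed for illustration.

```python
"""Correlate VPC Flow Log records for a Network Load Balancer.

Added example; not part of the AWS documentation. The ENI IDs, addresses and
log lines below are constructed. Records use the default flow log format
(14 space-separated fields, version 2).
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

FiveTuple = Tuple[str, int, str, int, int]

# Constructed identifiers: the load balancer's network interface (one per
# subnet, found via the load balancer name in the ENI description) and its
# private IP address in that subnet.
LB_ENIS: Set[str] = {"eni-0123456789abcdef0"}
LB_PRIVATE_IPS: Set[str] = {"10.0.1.50"}

# Constructed records: flow 1 is preserved-client-IP traffic that the target's
# security group rejects; flow 2 is the same pattern accepted end to end;
# flow 3 has client IP preservation disabled, so the target sees the LB's IP.
SAMPLE_LOG = """
2 123456789012 eni-0123456789abcdef0 203.0.113.10 10.0.1.50 51022 443 6 5 320 1600000000 1600000059 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 203.0.113.10 10.0.2.20 51022 443 6 5 320 1600000000 1600000059 ACCEPT OK
2 123456789012 eni-0fedcba9876543210 203.0.113.10 10.0.2.20 51022 443 6 5 320 1600000000 1600000059 REJECT OK
2 123456789012 eni-0123456789abcdef0 198.51.100.7 10.0.1.50 40111 443 6 8 900 1600000000 1600000059 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 198.51.100.7 10.0.2.21 40111 443 6 8 900 1600000000 1600000059 ACCEPT OK
2 123456789012 eni-0fedcba9876543211 198.51.100.7 10.0.2.21 40111 443 6 8 900 1600000000 1600000059 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 10.0.1.50 10.0.2.22 20000 443 6 4 260 1600000000 1600000059 ACCEPT OK
2 123456789012 eni-0fedcba9876543212 10.0.1.50 10.0.2.22 20000 443 6 4 260 1600000000 1600000059 ACCEPT OK
2 123456789012 eni-0fedcba9876543212 - - - - - 0 0 1600000000 1600000059 - NODATA
"""


@dataclass
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    action: str

    @property
    def five_tuple(self) -> FiveTuple:
        return (self.srcaddr, self.srcport, self.dstaddr, self.dstport, self.protocol)


def parse_record(line: str) -> Optional[FlowRecord]:
    """Parse one default-format record; NODATA/SKIPDATA rows carry no flow."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    return FlowRecord(rec["interface_id"], rec["srcaddr"], rec["dstaddr"],
                      int(rec["srcport"]), int(rec["dstport"]),
                      int(rec["protocol"]), rec["action"])


def parse_log(text: str) -> List[FlowRecord]:
    records = []
    for line in text.strip().splitlines():
        rec = parse_record(line)
        if rec is not None:
            records.append(rec)
    return records


def classify(rec: FlowRecord, lb_enis: Set[str], lb_ips: Set[str]) -> str:
    """frontend: client -> LB on the LB's ENI; backend: LB ENI -> target;
    target: the same connection as seen on the target's own ENI."""
    if rec.interface_id in lb_enis:
        return "frontend" if rec.dstaddr in lb_ips else "backend"
    return "target"


def summarize(records: List[FlowRecord], lb_enis: Set[str], lb_ips: Set[str]) -> Dict[str, int]:
    return dict(Counter(classify(r, lb_enis, lb_ips) for r in records))


def find_security_group_rejects(records: List[FlowRecord], lb_enis: Set[str],
                                lb_ips: Set[str]) -> List[FiveTuple]:
    """Flows the LB forwarded (ACCEPT on its ENI) that the target's ENI rejected:
    the instance security group blocks the client while the subnet ACLs allow it."""
    accepted_backend: Set[FiveTuple] = set()
    rejected_target: Set[FiveTuple] = set()
    for r in records:
        role = classify(r, lb_enis, lb_ips)
        if role == "backend" and r.action == "ACCEPT":
            accepted_backend.add(r.five_tuple)
        elif role == "target" and r.action == "REJECT":
            rejected_target.add(r.five_tuple)
    return sorted(accepted_backend & rejected_target)


def client_ip_preserved(rec: FlowRecord, lb_ips: Set[str]) -> bool:
    """On a target ENI the source is the client when client IP preservation is
    enabled, and the load balancer's private IP otherwise."""
    return rec.srcaddr not in lb_ips


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(summarize(recs, LB_ENIS, LB_PRIVATE_IPS))
    for flow in find_security_group_rejects(recs, LB_ENIS, LB_PRIVATE_IPS):
        print("accepted by LB, rejected at target:", flow)
```

The correlation key is the full 5-tuple, which works because the load balancer does not terminate TCP: with client IP preservation enabled the backend entry on the load balancer's interface and the entry on the target's interface share the same source address and port, so an `ACCEPT` on one and a `REJECT` on the other points at the target's security group rather than at the load balancer.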

**Amazon CloudWatch Internet Monitor**  
You can use Internet Monitor for visibility into how internet issues impact the performance and availability between your applications hosted on AWS and your end users. You can also explore, in near real-time, how to improve the projected latency of your application by switching to use other services, or by rerouting traffic to your workload through different AWS Regions. For more information, see [Using Amazon CloudWatch Internet Monitor](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-InternetMonitor.html).

**Access logs**  
You can use access logs to capture detailed information about TLS requests made to your load balancer. The log files are stored in Amazon S3. You can use these access logs to analyze traffic patterns and to troubleshoot issues with your targets. For more information, see [Access logs for your Network Load Balancer](load-balancer-access-logs.md).

**CloudTrail logs**  
You can use AWS CloudTrail to capture detailed information about the calls made to the Elastic Load Balancing API and store them as log files in Amazon S3. You can use these CloudTrail logs to determine which calls were made, the source IP address where the call came from, who made the call, when the call was made, and so on. For more information, see [Log API calls for Elastic Load Balancing using CloudTrail](https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/cloudtrail-logs.html).

# CloudWatch metrics for your Network Load Balancer
<a name="load-balancer-cloudwatch-metrics"></a>

Elastic Load Balancing publishes data points to Amazon CloudWatch for your load balancers and your targets. CloudWatch enables you to retrieve statistics about those data points as an ordered set of time-series data, known as *metrics*. Think of a metric as a variable to monitor, and the data points as the values of that variable over time. For example, you can monitor the total number of healthy targets for a load balancer over a specified time period. Each data point has an associated time stamp and an optional unit of measurement.

You can use metrics to verify that your system is performing as expected. For example, you can create a CloudWatch alarm to monitor a specified metric and initiate an action (such as sending a notification to an email address) if the metric goes outside what you consider an acceptable range.

Elastic Load Balancing reports metrics to CloudWatch only when requests are flowing through the load balancer. If there are requests flowing through the load balancer, Elastic Load Balancing measures and sends its metrics in 60-second intervals. If there are no requests flowing through the load balancer or no data for a metric, the metric is not reported. For Network Load Balancers with security groups, traffic rejected by the security groups is not captured in the CloudWatch metrics.

For more information, see the [Amazon CloudWatch User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/).

**Topics**
+ [Network Load Balancer metrics](#load-balancer-metrics-nlb)
+ [Metric dimensions for Network Load Balancers](#load-balancer-metric-dimensions-nlb)
+ [Statistics for Network Load Balancer metrics](#metric-statistics)
+ [View CloudWatch metrics for your load balancer](#view-metric-data)

## Network Load Balancer metrics
<a name="load-balancer-metrics-nlb"></a>

The `AWS/NetworkELB` namespace includes the following metrics.


| Metric | Description | 
| --- | --- | 
| ActiveFlowCount |  The total number of concurrent flows (or connections) from clients to targets. This metric includes connections in the SYN_SENT and ESTABLISHED states. TCP connections are not terminated at the load balancer, so a client opening a TCP connection to a target counts as a single flow. **Reporting criteria**: Always reported. **Statistics**: The most useful statistics are `Average`, `Maximum`, and `Minimum`.  | 
| ActiveFlowCount_TCP |  The total number of concurrent TCP flows (or connections) from clients to targets. This metric includes connections in the SYN_SENT and ESTABLISHED states. TCP connections are not terminated at the load balancer, so a client opening a TCP connection to a target counts as a single flow. **Reporting criteria**: There is a nonzero value. **Statistics**: The most useful statistics are `Average`, `Maximum`, and `Minimum`.  | 
| ActiveFlowCount_TLS |  The total number of concurrent TLS flows (or connections) from clients to targets. This metric includes connections in the SYN_SENT and ESTABLISHED states. **Reporting criteria**: There is a nonzero value. **Statistics**: The most useful statistics are `Average`, `Maximum`, and `Minimum`.  | 
| ActiveFlowCount_UDP |  The total number of concurrent UDP flows (or connections) from clients to targets. **Reporting criteria**: There is a nonzero value. **Statistics**: The most useful statistics are `Average`, `Maximum`, and `Minimum`.  | 
| ActiveZonalShiftHostCount |  The number of targets that are currently participating in zonal shift. **Reporting criteria**: Reported when the load balancer is opted in to zonal shift. **Statistics**: The most useful statistics are `Maximum` and `Minimum`.  | 
| ClientTLSNegotiationErrorCount |  The total number of TLS handshakes that failed during negotiation between a client and a TLS listener. **Reporting criteria**: There is a nonzero value. **Statistics**: The most useful statistic is `Sum`.  | 
| ConsumedLCUs |  The number of load balancer capacity units (LCU) used by your load balancer. You pay for the number of LCUs that you use per hour. For more information, see [Elastic Load Balancing Pricing](https://aws.amazon.com/elasticloadbalancing/pricing/). **Reporting criteria**: Always reported. **Statistics**: All.  | 
| ConsumedLCUs_TCP |  The number of load balancer capacity units (LCU) used by your load balancer for TCP. You pay for the number of LCUs that you use per hour. For more information, see [Elastic Load Balancing Pricing](https://aws.amazon.com/elasticloadbalancing/pricing/). **Reporting criteria**: There is a nonzero value. **Statistics**: All.  | 
| ConsumedLCUs_TLS |  The number of load balancer capacity units (LCU) used by your load balancer for TLS. You pay for the number of LCUs that you use per hour. For more information, see [Elastic Load Balancing Pricing](https://aws.amazon.com/elasticloadbalancing/pricing/). **Reporting criteria**: There is a nonzero value. **Statistics**: All.  | 
| ConsumedLCUs_UDP |  The number of load balancer capacity units (LCU) used by your load balancer for UDP. You pay for the number of LCUs that you use per hour. For more information, see [Elastic Load Balancing Pricing](https://aws.amazon.com/elasticloadbalancing/pricing/). **Reporting criteria**: There is a nonzero value. **Statistics**: All.  | 
| HealthyHostCount |  The number of targets that are considered healthy. This metric does not include any Application Load Balancers registered as targets. **Reporting criteria**: Reported if there are registered targets. **Statistics**: The most useful statistics are `Maximum` and `Minimum`.  | 
| NewFlowCount |  The total number of new flows (or connections) established from clients to targets in the time period. **Reporting criteria**: Always reported. **Statistics**: The most useful statistic is `Sum`.  | 
| NewFlowCount_TCP |  The total number of new TCP flows (or connections) established from clients to targets in the time period. **Reporting criteria**: There is a nonzero value. **Statistics**: The most useful statistic is `Sum`.  | 
| NewFlowCount_TLS |  The total number of new TLS flows (or connections) established from clients to targets in the time period. **Reporting criteria**: There is a nonzero value. **Statistics**: The most useful statistic is `Sum`.  | 
| NewFlowCount_UDP |  The total number of new UDP flows (or connections) established from clients to targets in the time period. **Reporting criteria**: There is a nonzero value. **Statistics**: The most useful statistic is `Sum`.  | 
| NewFlowCount_QUIC |  The total number of UDP datagrams that required a routing decision in the time period. **Reporting criteria**: There is a nonzero value. **Statistics**: The most useful statistic is `Sum`.  | 
| PeakBytesPerSecond |  The highest average bytes processed per second, calculated every 10 seconds during the sampling window. This metric does not include health check traffic. **Reporting criteria**: Always reported. **Statistics**: The most useful statistic is `Maximum`.  | 
| PeakPacketsPerSecond |  The highest average packet rate (packets processed per second), calculated every 10 seconds during the sampling window. This metric includes health check traffic. **Reporting criteria**: Always reported. **Statistics**: The most useful statistic is `Maximum`.  | 
| PortAllocationErrorCount |  The total number of ephemeral port allocation errors during a client IP translation operation. A nonzero value indicates dropped client connections. Note: Network Load Balancers support 55,000 simultaneous connections or about 55,000 connections per minute to each unique target (IP address and port) when performing client address translation. To fix port allocation errors, add more targets to the target group. **Reporting criteria**: Always reported. **Statistics**: The most useful statistic is `Sum`.  | 
| ProcessedBytes |  The total number of bytes processed by the load balancer, including TCP/IP headers. This count includes traffic to and from targets, minus health check traffic. **Reporting criteria**: Always reported. **Statistics**: The most useful statistic is `Sum`.  | 
| ProcessedBytes_TCP |  The total number of bytes processed by TCP listeners. **Reporting criteria**: There is a nonzero value. **Statistics**: The most useful statistic is `Sum`.  | 
| ProcessedBytes_TLS |  The total number of bytes processed by TLS listeners. **Reporting criteria**: There is a nonzero value. **Statistics**: The most useful statistic is `Sum`.  | 
| ProcessedBytes_UDP |  The total number of bytes processed by UDP listeners. **Reporting criteria**: There is a nonzero value. **Statistics**: The most useful statistic is `Sum`.  | 
| ProcessedBytes_QUIC |  The total number of bytes processed by QUIC listeners. **Reporting criteria**: There is a nonzero value. **Statistics**: The most useful statistic is `Sum`.  | 
| ProcessedPackets |  The total number of packets processed by the load balancer. This count includes traffic to and from targets, including health check traffic. **Reporting criteria**: Always reported. **Statistics**: The most useful statistic is `Sum`.  | 
| RejectedFlowCount |  The total number of flows (or connections) rejected by the load balancer. **Reporting criteria**: Always reported. **Statistics**: The most useful statistics are `Average`, `Maximum`, and `Minimum`.  | 
| RejectedFlowCount_TCP |  The number of TCP flows (or connections) rejected by the load balancer. **Reporting criteria**: There is a nonzero value. **Statistics**: The most useful statistic is `Sum`.  | 
| ReservedLCUs |  The number of load balancer capacity units (LCUs) reserved for your load balancer using LCU Reservation. **Reporting criteria**: There is a nonzero value. **Statistics**: All.  | 
| SecurityGroupBlockedFlowCount_Inbound_ICMP |  The number of new ICMP messages rejected by the inbound rules of the load balancer security groups. **Reporting criteria**: There is a nonzero value. **Statistics**: The most useful statistic is `Sum`.  | 
| SecurityGroupBlockedFlowCount_Inbound_TCP |  The number of new TCP flows rejected by the inbound rules of the load balancer security groups. **Reporting criteria**: There is a nonzero value. **Statistics**: The most useful statistic is `Sum`.  | 
| SecurityGroupBlockedFlowCount_Inbound_UDP |  The number of new UDP flows rejected by the inbound rules of the load balancer security groups. **Reporting criteria**: There is a nonzero value. **Statistics**: The most useful statistic is `Sum`.  | 
| SecurityGroupBlockedFlowCount_Outbound_ICMP |  The number of new ICMP messages rejected by the outbound rules of the load balancer security groups. **Reporting criteria**: There is a nonzero value. **Statistics**: The most useful statistic is `Sum`.  | 
| SecurityGroupBlockedFlowCount_Outbound_TCP |  The number of new TCP flows rejected by the outbound rules of the load balancer security groups. **Reporting criteria**: There is a nonzero value. **Statistics**: The most useful statistic is `Sum`.  | 
| SecurityGroupBlockedFlowCount_Outbound_UDP |  The number of new UDP flows rejected by the outbound rules of the load balancer security groups. **Reporting criteria**: There is a nonzero value. **Statistics**: The most useful statistic is `Sum`.  | 
| TargetTLSNegotiationErrorCount |  The total number of TLS handshakes that failed during negotiation between a TLS listener and a target. **Reporting criteria**: There is a nonzero value. **Statistics**: The most useful statistic is `Sum`.  | 
| TCP_Client_Reset_Count |  The total number of reset (RST) packets sent from a client to a target. These resets are generated by the client and forwarded by the load balancer. **Reporting criteria**: Always reported. **Statistics**: The most useful statistic is `Sum`.  | 
| TCP_ELB_Reset_Count |  The total number of reset (RST) packets generated by the load balancer. For more information, see [Troubleshooting](load-balancer-troubleshooting.md#elb-reset-count-metric). **Reporting criteria**: Always reported. **Statistics**: The most useful statistic is `Sum`.  | 
| TCP_Target_Reset_Count |  The total number of reset (RST) packets sent from a target to a client. These resets are generated by the target and forwarded by the load balancer. **Reporting criteria**: Always reported. **Statistics**: The most useful statistic is `Sum`.  | 
| UnHealthyHostCount |  The number of targets that are considered unhealthy. This metric does not include any Application Load Balancers registered as targets. **Reporting criteria**: Reported if there are registered targets. **Statistics**: The most useful statistics are `Maximum` and `Minimum`.  | 
| UnhealthyRoutingFlowCount |  The number of flows (or connections) that are routed using the routing failover action (fail open). This metric is not supported for TLS listeners. **Reporting criteria**: There is a nonzero value. **Statistics**: The most useful statistic is `Sum`.  | 
| ZonalHealthStatus |  The number of Availability Zones that the load balancer considers healthy. The load balancer emits a 1 for each healthy Availability Zone and a 0 for each unhealthy Availability Zone. **Reporting criteria**: Reported if health checks are enabled. **Statistics**: The most useful statistics are `Maximum` and `Minimum`.  | 
| QUIC_Unknown_Server_ID_Packet_Drop_Count |  The number of UDP datagrams dropped because they contain a server ID not associated with any target of the Network Load Balancer. **Reporting criteria**: Reported only for QUIC listeners. **Statistics**: The most useful statistic is `Sum`.  | 

## Metric dimensions for Network Load Balancers
<a name="load-balancer-metric-dimensions-nlb"></a>

To filter the metrics for your load balancer, use the following dimensions.


| Dimension | Description | 
| --- | --- | 
| AvailabilityZone |  Filters the metric data by Availability Zone.  | 
| LoadBalancer |  Filters the metric data by load balancer. Specify the load balancer as follows: net/*load-balancer-name*/*1234567890123456* (the final portion of the load balancer ARN).  | 
| TargetGroup |  Filters the metric data by target group. Specify the target group as follows: targetgroup/*target-group-name*/*1234567890123456* (the final portion of the target group ARN).  | 

## Statistics for Network Load Balancer metrics
<a name="metric-statistics"></a>

CloudWatch provides statistics based on the metric data points published by Elastic Load Balancing. Statistics are aggregations of metric data over a specified period of time. When you request statistics, the returned data stream is identified by the metric name and dimension. A dimension is a name/value pair that uniquely identifies a metric. For example, you can request statistics for all the healthy EC2 instances behind a load balancer launched in a specific Availability Zone.

The `Minimum` and `Maximum` statistics reflect the minimum and maximum values of the data points reported by the individual load balancer nodes in each sampling window. Increases in the maximum of `HealthyHostCount` correspond to decreases in the minimum of `UnHealthyHostCount`. It's recommended to monitor the maximum `HealthyHostCount`, invoking the alarm when the maximum `HealthyHostCount` falls below your required minimum or is `0`. This can help in identifying when your targets have become unhealthy. It's also recommended to monitor the minimum `UnHealthyHostCount`, invoking the alarm when the minimum `UnHealthyHostCount` rises above `0`. This allows you to become aware when there are no longer any registered targets.

The `Sum` statistic is the aggregate value across all load balancer nodes. Because metrics include multiple reports per period, `Sum` is only applicable to metrics that are aggregated across all load balancer nodes.

The `SampleCount` statistic is the number of samples measured. Because metrics are gathered based on sampling intervals and events, this statistic is typically not useful. For example, with `HealthyHostCount`, `SampleCount` is based on the number of samples that each load balancer node reports, not the number of healthy hosts.
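The following is an added example, not AWS code, that mirrors the statistic definitions in this section over constructed per-node reports so the recommended alarm conditions can be checked offline: `Minimum` and `Maximum` are taken across the load balancer nodes' reports, `Sum` aggregates across nodes, and `SampleCount` counts reports rather than hosts. It also builds the request parameters for a CloudWatch `PutMetricAlarm` call that expresses the `HealthyHostCount` rule; the alarm name, evaluation-period count and missing-data handling are design choices of this example, not values from the guide.

```python
"""Statistic semantics and recommended health alarms for an NLB target group.

Added example, not AWS code. The per-node samples are constructed; CloudWatch
computes the statistics itself, this mirrors the definitions from the text so
the alarm conditions can be checked without an AWS account.
"""
from typing import Dict, List, Tuple

# Constructed: HealthyHostCount / UnHealthyHostCount reported by each of two
# load balancer nodes in three consecutive 60-second periods, for a target
# group with three registered targets.
HEALTHY_PER_PERIOD: List[List[int]] = [[3, 3], [3, 2], [0, 0]]
UNHEALTHY_PER_PERIOD: List[List[int]] = [[0, 0], [0, 1], [3, 3]]


def statistics(node_reports: List[int]) -> Dict[str, float]:
    """Minimum and Maximum are taken across node reports in the sampling window;
    Sum aggregates across nodes; SampleCount is the number of reports, which
    is why it does not equal the number of healthy hosts."""
    return {
        "Minimum": min(node_reports),
        "Maximum": max(node_reports),
        "Sum": sum(node_reports),
        "Average": sum(node_reports) / len(node_reports),
        "SampleCount": len(node_reports),
    }


def healthy_alarm(node_reports: List[int], required_minimum: int) -> bool:
    """Alarm when the Maximum HealthyHostCount is below the required minimum or is 0."""
    maximum = max(node_reports)
    return maximum < required_minimum or maximum == 0


def unhealthy_alarm(node_reports: List[int]) -> bool:
    """Alarm when the Minimum UnHealthyHostCount rises above 0, i.e. every
    node agrees that at least one target is unhealthy."""
    return min(node_reports) > 0


def evaluate(healthy: List[List[int]], unhealthy: List[List[int]],
             required_minimum: int) -> List[Tuple[bool, bool]]:
    """(healthy alarm, unhealthy alarm) for each period."""
    return [(healthy_alarm(h, required_minimum), unhealthy_alarm(u))
            for h, u in zip(healthy, unhealthy)]


def healthy_host_alarm_params(load_balancer: str, target_group: str,
                              required_minimum: int) -> dict:
    """Request parameters for CloudWatch PutMetricAlarm expressing the
    HealthyHostCount rule; usable as cloudwatch.put_metric_alarm(**params) in
    boto3. Dimension values are the final portions of the ARNs, as in this guide."""
    return {
        "AlarmName": f"nlb-healthy-hosts-{target_group.split('/')[1]}",  # naming is a choice of this example
        "Namespace": "AWS/NetworkELB",
        "MetricName": "HealthyHostCount",
        "Statistic": "Maximum",
        "Dimensions": [
            {"Name": "LoadBalancer", "Value": load_balancer},
            {"Name": "TargetGroup", "Value": target_group},
        ],
        "Period": 60,               # metrics are published at 60-second intervals
        "EvaluationPeriods": 3,     # choice of this example
        "Threshold": required_minimum,
        "ComparisonOperator": "LessThanThreshold",
        # HealthyHostCount is reported only while targets are registered, so
        # treating missing data as breaching (a choice of this example) also
        # alarms when the target group has become empty.
        "TreatMissingData": "breaching",
    }


if __name__ == "__main__":
    for period, (h, u) in enumerate(zip(HEALTHY_PER_PERIOD, UNHEALTHY_PER_PERIOD), 1):
        print(period, statistics(h), "healthy alarm:", healthy_alarm(h, 2),
              "unhealthy alarm:", unhealthy_alarm(u))
    print(healthy_host_alarm_params("net/my-load-balancer/50dc6c495c0c9188",
                                    "targetgroup/my-targets/73e2d6bc24d8a067", 2))
```

In the second constructed period one node reports 3 healthy targets and the other 2, so `Maximum` stays at 3 and the healthy-host alarm does not fire, while `SampleCount` is 2 (two node reports) regardless of how many targets exist; that is the distinction the `SampleCount` paragraph is making.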

## View CloudWatch metrics for your load balancer
<a name="view-metric-data"></a>

You can view the CloudWatch metrics for your load balancers using the Amazon EC2 console. These metrics are displayed as monitoring graphs. The monitoring graphs show data points if the load balancer is active and receiving requests.

Alternatively, you can view metrics for your load balancer using the CloudWatch console.

**To view metrics using the console**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. To view metrics filtered by target group, do the following:

   1. In the navigation pane, choose **Target Groups**.

   1. Select your target group and choose **Monitoring**.

   1. (Optional) To filter the results by time, select a time range from **Showing data for**.

   1. To get a larger view of a single metric, select its graph.

1. To view metrics filtered by load balancer, do the following:

   1. In the navigation pane, choose **Load Balancers**.

   1. Select your load balancer and choose **Monitoring**.

   1. (Optional) To filter the results by time, select a time range from **Showing data for**.

   1. To get a larger view of a single metric, select its graph.

**To view metrics using the CloudWatch console**

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the navigation pane, choose **Metrics**.

1. Select the **NetworkELB** namespace.

1. (Optional) To view a metric across all dimensions, type its name in the search field.

**To view metrics using the AWS CLI**  
Use the following [list-metrics](https://docs.aws.amazon.com/cli/latest/reference/cloudwatch/list-metrics.html) command to list the available metrics:

```
aws cloudwatch list-metrics --namespace AWS/NetworkELB
```

**To get the statistics for a metric using the AWS CLI**  
Use the following [get-metric-statistics](https://docs.aws.amazon.com/cli/latest/reference/cloudwatch/get-metric-statistics.html) command to get statistics for the specified metric and dimension. Note that CloudWatch treats each unique combination of dimensions as a separate metric. You can't retrieve statistics using combinations of dimensions that were not specifically published. You must specify the same dimensions that were used when the metrics were created.

```
aws cloudwatch get-metric-statistics --namespace AWS/NetworkELB \
--metric-name UnHealthyHostCount --statistics Average  --period 3600 \
--dimensions Name=LoadBalancer,Value=net/my-load-balancer/50dc6c495c0c9188 \
Name=TargetGroup,Value=targetgroup/my-targets/73e2d6bc24d8a067 \
--start-time 2017-04-18T00:00:00Z --end-time 2017-04-21T00:00:00Z
```

The following is example output:

```
{
    "Datapoints": [
        {
            "Timestamp": "2017-04-18T22:00:00Z",
            "Average": 0.0,
            "Unit": "Count"
        },
        {
            "Timestamp": "2017-04-18T04:00:00Z",
            "Average": 0.0,
            "Unit": "Count"
        },
        ...
    ],
    "Label": "UnHealthyHostCount"
}
```

# Access logs for your Network Load Balancer
<a name="load-balancer-access-logs"></a>

Elastic Load Balancing provides access logs that capture detailed information about the TLS connections established with your Network Load Balancer. You can use these access logs to analyze traffic patterns and troubleshoot issues.

**Important**  
While traditional "legacy" access logs (described in this section) remain available, Network Load Balancer now offers enhanced logging options through CloudWatch Logs. CloudWatch Logs provide more flexible delivery options, including to Amazon CloudWatch Logs, Amazon Data Firehose, and Amazon Simple Storage Service. To configure these improved logging options, visit your load balancer's **Integrations** tab. For more information on CloudWatch Logs, see [CloudWatch logs for your Network Load Balancer](load-balancer-cloudwatch-logs.md).

**Important**  
Access logs are created only if the load balancer has a TLS listener, and the logs contain information about TLS requests only. Access logs record requests on a best-effort basis. We recommend that you use access logs to understand the nature of the requests, not as a complete accounting of all requests.

Access logging is an optional feature of Elastic Load Balancing that is disabled by default. After you enable access logging for your load balancer, Elastic Load Balancing captures the logs as compressed files and stores them in the Amazon S3 bucket that you specify. You can disable access logging at any time.

You can enable server-side encryption with Amazon S3-managed encryption keys (SSE-S3), or using Key Management Service with Customer Managed Keys (SSE-KMS CMK) for your S3 bucket. Each access log file is automatically encrypted before it is stored in your S3 bucket and decrypted when you access it. You do not need to take any action as there is no difference in the way you access encrypted or unencrypted log files. Each log file is encrypted with a unique key, which is itself encrypted with a KMS key that is regularly rotated. For more information, see [Specifying Amazon S3 encryption (SSE-S3)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/specifying-s3-encryption.html) and [Specifying server-side encryption with AWS KMS (SSE-KMS)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/specifying-kms-encryption.html) in the *Amazon S3 User Guide*.

There is no additional charge for access logs. You are charged storage costs for Amazon S3, but not charged for the bandwidth used by Elastic Load Balancing to send log files to Amazon S3. For more information about storage costs, see [Amazon S3 Pricing](https://aws.amazon.com/s3/pricing/).

**Topics**
+ [Access log files](#access-log-file-format)
+ [Access log entries](#access-log-entry-format)
+ [Processing access log files](#log-processing-tools)
+ [Enable access logs](enable-access-logs.md)
+ [Disable access logs](disable-access-logs.md)

## Access log files
<a name="access-log-file-format"></a>

Elastic Load Balancing publishes a log file for each load balancer node every 5 minutes. Log delivery is eventually consistent. The load balancer can deliver multiple logs for the same period. This usually happens if the site has high traffic.

The file names of the access logs use the following format:

```
bucket[/prefix]/AWSLogs/aws-account-id/elasticloadbalancing/region/yyyy/mm/dd/aws-account-id_elasticloadbalancing_region_net.load-balancer-id_end-time_random-string.log.gz
```

*bucket*  
The name of the S3 bucket.

*prefix*  
The prefix (logical hierarchy) in the bucket. If you don't specify a prefix, the logs are placed at the root level of the bucket.

*aws-account-id*  
The AWS account ID of the owner.

*region*  
The Region for your load balancer and S3 bucket.

*yyyy*/*mm*/*dd*  
The date that the log was delivered.

*load-balancer-id*  
The resource ID of the load balancer. If the resource ID contains any forward slashes (/), they are replaced with periods (.).

*end-time*  
The date and time that the logging interval ended. For example, an end time of 20181220T2340Z contains entries for requests made between 23:35 and 23:40.

*random-string*  
A system-generated random string.

The following is an example log file name:

```
s3://my-bucket/prefix/AWSLogs/123456789012/elasticloadbalancing/us-east-2/2020/05/01/123456789012_elasticloadbalancing_us-east-2_net.my-loadbalancer.1234567890abcdef_20200501T0000Z_20sg8hgm.log.gz
```

You can store your log files in your bucket for as long as you want, but you can also define Amazon S3 lifecycle rules to archive or delete log files automatically. For more information, see [Manage your storage lifecycle](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html) in the *Amazon S3 User Guide*.

## Access log entries
<a name="access-log-entry-format"></a>

The following table describes the fields of an access log entry, in order. All fields are delimited by spaces. When new fields are introduced, they are added to the end of the log entry. When processing the log files, you should ignore any fields at the end of the log entry that you were not expecting.


| Field | Description | 
| --- | --- | 
| type |  The type of listener. The supported value is `tls`.  | 
| version |  The version of the log entry. The current version is 2.0.  | 
| time |  The time recorded at the end of the TLS connection, in ISO 8601 format.  | 
| elb |  The resource ID of the load balancer.  | 
| listener |  The resource ID of the TLS listener for the connection.  | 
| client:port |  The IP address and port of the client.  | 
| destination:port |  The IP address and port of the destination. If the client connects directly to the load balancer, the destination is the listener. If the client connects using a VPC endpoint service, the destination is the VPC endpoint.  | 
| connection_time |  The total time for the connection to complete, from start to closure, in milliseconds.  | 
| tls_handshake_time |  The total time for the TLS handshake to complete after the TCP connection is established, including client-side delays, in milliseconds. This time is included in the `connection_time` field. If there is no TLS handshake or a TLS handshake failure, this value is set to `-`.  | 
| received_bytes |  The count of bytes received by the load balancer from the client, after decryption.  | 
| sent_bytes |  The count of bytes sent by the load balancer to the client, before encryption.  | 
| incoming_tls_alert |  The integer value of TLS alerts received by the load balancer from the client, if present. Otherwise, this value is set to `-`.  | 
| chosen_cert_arn |  The ARN of the certificate served to the client. If no valid client hello message is sent, this value is set to `-`.  | 
| chosen_cert_serial |  Reserved for future use. This value is always set to `-`.  | 
| tls_cipher |  The cipher suite negotiated with the client, in OpenSSL format. If TLS negotiation does not complete, this value is set to `-`.  | 
| tls_protocol_version |  The TLS protocol negotiated with the client, in string format. The possible values are `tlsv10`, `tlsv11`, `tlsv12`, and `tlsv13`. If TLS negotiation does not complete, this value is set to `-`.  | 
| tls_keyexchange |  The key exchange used during handshakes for TLS or PQ-TLS. If TLS or PQ-TLS negotiation does not complete, this value is set to `-`.  | 
| domain_name |  The value of the server_name extension in the client hello message. This value is URL-encoded. If no valid client hello message is sent or the extension is not present, this value is set to `-`.  | 
| alpn_fe_protocol |  The application protocol negotiated with the client, in string format. The possible values are `h2`, `http/1.1`, and `http/1.0`. If no ALPN policy is configured in the TLS listener, no matching protocol is found, or no valid protocol list is sent, this value is set to `-`.  | 
| alpn_be_protocol |  The application protocol negotiated with the target, in string format. The possible values are `h2`, `http/1.1`, and `http/1.0`. If no ALPN policy is configured in the TLS listener, no matching protocol is found, or no valid protocol list is sent, this value is set to `-`.  | 
| alpn_client_preference_list |  The value of the application_layer_protocol_negotiation extension in the client hello message. This value is URL-encoded. Each protocol is enclosed in double quotes and protocols are separated by a comma. If no ALPN policy is configured in the TLS listener, no valid client hello message is sent, or the extension is not present, this value is set to `-`. The string is truncated if it is longer than 256 bytes.  | 
| tls_connection_creation_time |  The time recorded at the beginning of the TLS connection, in ISO 8601 format.  | 

### Example log entries
<a name="access-log-entry-examples"></a>

The following are example log entries. Note that the text appears on multiple lines only to make it easier to read.

The following is an example for a TLS listener without an ALPN policy.

```
tls 2.0 2018-12-20T02:59:40 net/my-network-loadbalancer/c6e77e28c25b2234 g3d4b5e8bb8464cd 
72.21.218.154:51341 172.100.100.185:443 5 2 98 246 - 
arn:aws:acm:us-east-2:671290407336:certificate/2a108f19-aded-46b0-8493-c63eb1ef4a99 - 
ECDHE-RSA-AES128-SHA tlsv12 - 
my-network-loadbalancer-c6e77e28c25b2234.elb.us-east-2.amazonaws.com
- - - 2018-12-20T02:59:30
```

The following is an example for a TLS listener with an ALPN policy.

```
tls 2.0 2020-04-01T08:51:42 net/my-network-loadbalancer/c6e77e28c25b2234 g3d4b5e8bb8464cd 
72.21.218.154:51341 172.100.100.185:443 5 2 98 246 - 
arn:aws:acm:us-east-2:671290407336:certificate/2a108f19-aded-46b0-8493-c63eb1ef4a99 - 
ECDHE-RSA-AES128-SHA tlsv12 - 
my-network-loadbalancer-c6e77e28c25b2234.elb.us-east-2.amazonaws.com
h2 h2 "h2","http/1.1" 2020-04-01T08:51:20
```

## Processing access log files
<a name="log-processing-tools"></a>

The access log files are compressed. If you open the files using the Amazon S3 console, they are uncompressed and the information is displayed. If you download the files, you must uncompress them to view the information.

If there is a lot of demand on your website, your load balancer can generate log files with gigabytes of data. You might not be able to process such a large amount of data using line-by-line processing. Therefore, you might have to use analytical tools that provide parallel processing solutions. For example, you can use the following analytical tools to analyze and process access logs:
+ Amazon Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL. For more information, see [Querying Network Load Balancer logs](https://docs.aws.amazon.com/athena/latest/ug/networkloadbalancer-classic-logs.html) in the *Amazon Athena User Guide*.
+ [Loggly](https://documentation.solarwinds.com/en/success_center/loggly/content/admin/s3-ingestion-auto.htm)
+ [Splunk](https://splunk.github.io/splunk-add-on-for-amazon-web-services/)
+ [Sumo Logic](https://www.sumologic.com/application/elb/)
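
The following script is an added example, not code from the AWS documentation or from Elastic Load Balancing. It parses entries in the version 2.0 format documented above (including the quoted ALPN client preference list, `-` placeholders and any trailing fields that a later version appends), maps a delivered object key back to its account, Region, load balancer ID and interval end time, and triages the parsed entries for handshakes that never completed and clients that negotiated TLS 1.0 or 1.1. The first two sample lines are the documentation's own examples joined onto one line each; the other two sample lines (a client alert 40 and a `future-field` token) and all function names are constructed for illustration.

```python
"""Parse and triage Network Load Balancer access log entries (version 2.0).

Added example, not code from the AWS documentation. Assumes only the field
order of the table above and the documented S3 key layout; sample lines
marked "constructed" are made up for illustration.
"""
import gzip
import re
from typing import Iterator, Optional
from urllib.parse import unquote

# Field names in documented order. New fields are appended to the end of an
# entry, so the parser must tolerate more tokens than this tuple has.
FIELDS = (
    "type", "version", "time", "elb", "listener", "client_port",
    "destination_port", "connection_time", "tls_handshake_time",
    "received_bytes", "sent_bytes", "incoming_tls_alert", "chosen_cert_arn",
    "chosen_cert_serial", "tls_cipher", "tls_protocol_version",
    "tls_keyexchange", "domain_name", "alpn_fe_protocol", "alpn_be_protocol",
    "alpn_client_preference_list", "tls_connection_creation_time",
)
INT_FIELDS = {"connection_time", "tls_handshake_time", "received_bytes",
              "sent_bytes", "incoming_tls_alert"}
URL_ENCODED = {"domain_name", "alpn_client_preference_list"}
LEGACY_PROTOCOLS = {"tlsv10", "tlsv11"}

# Everything after bucket[/prefix]/ in the documented object key layout.
KEY_RE = re.compile(
    r"AWSLogs/(?P<account>\d{12})/elasticloadbalancing/(?P<region>[a-z0-9-]+)/"
    r"(?P<date>\d{4}/\d{2}/\d{2})/(?P=account)_elasticloadbalancing_(?P=region)"
    r"_net\.(?P<lb_id>[^_/]+)_(?P<end_time>\d{8}T\d{4}Z)_[^_/]+\.log\.gz$"
)

SAMPLE_LINES = [
    # The documentation's two example entries, each joined onto one line.
    "tls 2.0 2018-12-20T02:59:40 net/my-network-loadbalancer/c6e77e28c25b2234 g3d4b5e8bb8464cd "
    "72.21.218.154:51341 172.100.100.185:443 5 2 98 246 - "
    "arn:aws:acm:us-east-2:671290407336:certificate/2a108f19-aded-46b0-8493-c63eb1ef4a99 - "
    "ECDHE-RSA-AES128-SHA tlsv12 - my-network-loadbalancer-c6e77e28c25b2234.elb.us-east-2.amazonaws.com "
    "- - - 2018-12-20T02:59:30",
    "tls 2.0 2020-04-01T08:51:42 net/my-network-loadbalancer/c6e77e28c25b2234 g3d4b5e8bb8464cd "
    "72.21.218.154:51341 172.100.100.185:443 5 2 98 246 - "
    "arn:aws:acm:us-east-2:671290407336:certificate/2a108f19-aded-46b0-8493-c63eb1ef4a99 - "
    "ECDHE-RSA-AES128-SHA tlsv12 - my-network-loadbalancer-c6e77e28c25b2234.elb.us-east-2.amazonaws.com "
    'h2 h2 "h2","http/1.1" 2020-04-01T08:51:20',
    # Constructed: handshake never completed; client sent alert 40 (handshake_failure).
    "tls 2.0 2024-01-15T10:02:11 net/my-network-loadbalancer/c6e77e28c25b2234 g3d4b5e8bb8464cd "
    "198.51.100.7:40022 172.100.100.185:443 30 - 0 0 40 - - - - - - - - - 2024-01-15T10:02:11",
    # Constructed: legacy TLS 1.0 negotiation plus an unknown trailing field.
    "tls 2.0 2024-01-15T10:03:00 net/my-network-loadbalancer/c6e77e28c25b2234 g3d4b5e8bb8464cd "
    "203.0.113.9:51000 172.100.100.185:443 12 4 120 300 - "
    "arn:aws:acm:us-east-2:671290407336:certificate/2a108f19-aded-46b0-8493-c63eb1ef4a99 - "
    "ECDHE-RSA-AES128-SHA tlsv10 - example.com - - - 2024-01-15T10:02:48 future-field",
]


def parse_entry(line: str) -> dict:
    """Map one space-delimited entry to a dict: '-' -> None, counters -> int,
    URL-encoded fields decoded, unexpected trailing fields kept under 'extra'."""
    tokens = line.split()
    if len(tokens) < len(FIELDS):
        raise ValueError(f"expected at least {len(FIELDS)} fields, got {len(tokens)}")
    entry: dict = {}
    for name, raw in zip(FIELDS, tokens):
        if raw == "-":
            entry[name] = None
        elif name in INT_FIELDS:
            entry[name] = int(raw)
        elif name in URL_ENCODED:
            entry[name] = unquote(raw)
        else:
            entry[name] = raw
    entry["extra"] = tokens[len(FIELDS):]
    return entry


def alpn_preferences(entry: dict) -> list:
    """The client ALPN list looks like "h2","http/1.1": strip quotes, split on commas."""
    raw = entry["alpn_client_preference_list"]
    return [] if raw is None else [p.strip('"') for p in raw.split(",")]


def read_log(gz_bytes: bytes) -> Iterator[dict]:
    """Decompress the bytes of a delivered .log.gz object and yield parsed entries."""
    for line in gzip.decompress(gz_bytes).decode().splitlines():
        if line.strip():
            yield parse_entry(line)


def parse_log_key(key: str) -> Optional[dict]:
    """Extract account, region, date, load balancer ID and interval end time from
    an object key; None for objects that do not follow the documented layout."""
    m = KEY_RE.search(key)
    return m.groupdict() if m else None


def triage(entries) -> list:
    """Return (client:port, reason) for handshakes that never completed and for
    clients that negotiated TLS 1.0/1.1; these are what a reviewer scans for first."""
    findings = []
    for e in entries:
        if e["tls_handshake_time"] is None:
            findings.append((e["client_port"], "handshake-failed"))
        if e["tls_protocol_version"] in LEGACY_PROTOCOLS:
            findings.append((e["client_port"], "legacy-protocol"))
    return findings


def sample_blob() -> bytes:
    """The constructed sample lines compressed the way a delivered file is."""
    return gzip.compress("\n".join(SAMPLE_LINES).encode())


if __name__ == "__main__":
    for client, reason in triage(read_log(sample_blob())):
        print(client, reason)
```

`read_log` takes the raw bytes of a `.log.gz` object, so the same functions work over objects fetched from S3; because the parser keeps unrecognized trailing tokens instead of rejecting the line, it keeps working when a later log version appends fields.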

# Enable access logs for your Network Load Balancer
<a name="enable-access-logs"></a>

When you enable access logging for your load balancer, you must specify the name of the S3 bucket where the load balancer will store the logs. The bucket must have a bucket policy that grants Elastic Load Balancing permission to write to the bucket.

**Important**  
Access logs are created only if the load balancer has a TLS listener, and the logs contain information about TLS requests only.

## Bucket requirements
<a name="access-logging-bucket-requirements"></a>

You can use an existing bucket, or create a bucket specifically for access logs. The bucket must meet the following requirements.

**Requirements**
+ The bucket must be located in the same Region as the load balancer. The bucket and the load balancer can be owned by different accounts.
+ The prefix that you specify must not include `AWSLogs`. We add the portion of the file name starting with `AWSLogs` after the bucket name and prefix that you specify.
+ The bucket must have a bucket policy that grants permission to write the access logs to your bucket. Bucket policies are a collection of JSON statements written in the access policy language to define access permissions for your bucket.

**Example bucket policy**  
The following is an example policy. For the `Resource` elements, replace *amzn-s3-demo-destination-bucket* with the name of the S3 bucket for your access logs and *account-ID* with the ID of the AWS account that owns the load balancer; omit *Prefix/* if you are not using a bucket prefix. For `aws:SourceAccount`, specify the ID of the AWS account with the load balancer. For `aws:SourceArn`, replace *us-east-1* and *012345678912* with the Region and account ID of the load balancer, respectively. Keep the `aws:SourceAccount` and `aws:SourceArn` conditions: the `delivery.logs.amazonaws.com` principal is shared by every AWS customer, and these conditions are what restrict it to delivering logs on behalf of your account.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Id": "AWSLogDeliveryWrite",
    "Statement": [
        {
            "Sid": "AWSLogDeliveryAclCheck",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::amzn-s3-demo-destination-bucket",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": [
                        "012345678912"
                    ]
                },
                "ArnLike": {
                    "aws:SourceArn": [
                        "arn:aws:logs:us-east-1:012345678912:*"
                    ]
                }
            }
        },
        {
            "Sid": "AWSLogDeliveryWrite",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::amzn-s3-demo-destination-bucket/Prefix/AWSLogs/account-ID/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control",
                    "aws:SourceAccount": [
                        "012345678912"
                    ]
                },
                "ArnLike": {
                    "aws:SourceArn": [
                        "arn:aws:logs:us-east-1:012345678912:*"
                    ]
                }
            }
        }
    ]
}
```
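
To check a bucket policy before relying on it, the following added example (not code from the AWS documentation) builds the policy above from the bucket name, prefix, and the load balancer's account and Region, and lints an existing policy for the properties that matter: the grants to `delivery.logs.amazonaws.com` are exactly `s3:GetBucketAcl` on the bucket and `s3:PutObject` under `<prefix>/AWSLogs/<account>/*`, both scoped with `aws:SourceAccount` and `aws:SourceArn`, and the write requires `s3:x-amz-acl` of `bucket-owner-full-control`. The function names and the placeholder bucket, account and Region values are assumptions.

```python
"""Build and lint the S3 bucket policy for Network Load Balancer access log delivery.

Added example, not code from the AWS documentation. It reproduces the shape of
the documented policy and checks an existing policy against that shape.
Bucket, account and Region values are placeholders.
"""
import json

LOG_DELIVERY = "delivery.logs.amazonaws.com"
ALLOWED_ACTIONS = {"s3:GetBucketAcl", "s3:PutObject"}


def _as_list(value) -> list:
    return [] if value is None else value if isinstance(value, list) else [value]


def _scope(account: str, region: str) -> dict:
    # Scope to the account and Region of the load balancer, not the bucket
    # owner (they may differ). The service principal is shared by all AWS
    # customers; without these conditions, delivery for any account could
    # write into this bucket.
    return {
        "StringEquals": {"aws:SourceAccount": [account]},
        "ArnLike": {"aws:SourceArn": [f"arn:aws:logs:{region}:{account}:*"]},
    }


def build_policy(bucket: str, account: str, region: str, prefix: str = "") -> dict:
    """Return the bucket policy as a dict; json.dumps() it for put-bucket-policy."""
    key_prefix = f"{prefix.strip('/')}/" if prefix else ""
    write_scope = _scope(account, region)
    write_scope["StringEquals"]["s3:x-amz-acl"] = "bucket-owner-full-control"
    return {
        "Version": "2012-10-17",
        "Id": "AWSLogDeliveryWrite",
        "Statement": [
            {"Sid": "AWSLogDeliveryAclCheck", "Effect": "Allow",
             "Principal": {"Service": LOG_DELIVERY},
             "Action": "s3:GetBucketAcl",
             "Resource": f"arn:aws:s3:::{bucket}",
             "Condition": _scope(account, region)},
            {"Sid": "AWSLogDeliveryWrite", "Effect": "Allow",
             "Principal": {"Service": LOG_DELIVERY},
             "Action": "s3:PutObject",
             "Resource": f"arn:aws:s3:::{bucket}/{key_prefix}AWSLogs/{account}/*",
             "Condition": write_scope},
        ],
    }


def lint_policy(policy: dict, bucket: str, account: str) -> list:
    """Return a list of problems; empty means every grant to the log-delivery
    principal is present, scoped to `account`, and no broader than documented."""
    problems, acl_ok, put_ok = [], False, False
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or st.get("Principal", {}).get("Service") != LOG_DELIVERY:
            continue  # only grants to delivery.logs.amazonaws.com are checked here
        sid = st.get("Sid", "<no Sid>")
        actions, resources = _as_list(st.get("Action")), _as_list(st.get("Resource"))
        cond = st.get("Condition", {})
        source_accounts = _as_list(cond.get("StringEquals", {}).get("aws:SourceAccount"))
        source_arns = _as_list(cond.get("ArnLike", {}).get("aws:SourceArn"))
        if source_accounts != [account]:
            problems.append(f"{sid}: aws:SourceAccount must be exactly [{account}]")
        if not any(a.startswith("arn:aws:logs:") and f":{account}:" in a for a in source_arns):
            problems.append(f"{sid}: aws:SourceArn must match arn:aws:logs:<region>:{account}:*")
        for a in actions:
            if a not in ALLOWED_ACTIONS:
                problems.append(f"{sid}: unexpected action {a} granted to {LOG_DELIVERY}")
        if "s3:GetBucketAcl" in actions and f"arn:aws:s3:::{bucket}" in resources:
            acl_ok = True
        if "s3:PutObject" in actions:
            if cond.get("StringEquals", {}).get("s3:x-amz-acl") != "bucket-owner-full-control":
                problems.append(f"{sid}: s3:PutObject should require s3:x-amz-acl=bucket-owner-full-control")
            for r in resources:
                if r.startswith(f"arn:aws:s3:::{bucket}/") and r.endswith(f"AWSLogs/{account}/*"):
                    put_ok = True
                else:
                    problems.append(f"{sid}: s3:PutObject resource {r} is not <prefix>/AWSLogs/{account}/*")
    if not acl_ok:
        problems.append(f"no statement grants s3:GetBucketAcl on arn:aws:s3:::{bucket}")
    if not put_ok:
        problems.append(f"no statement grants s3:PutObject under AWSLogs/{account}/*")
    return problems


if __name__ == "__main__":
    policy = build_policy("amzn-s3-demo-destination-bucket", "012345678912", "us-east-1", "Prefix")
    print(json.dumps(policy, indent=4))
    print("problems:", lint_policy(policy, "amzn-s3-demo-destination-bucket", "012345678912"))
```

The linter deliberately treats a `s3:PutObject` resource of `arn:aws:s3:::bucket/*` as a problem even though delivery would succeed with it, because it lets the shared principal write anywhere in the bucket rather than only under the `AWSLogs/<account>/` path that the service uses.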

------

<a name="access-log-bucket-encryption"></a>

**Encryption**

You can enable server-side encryption for your Amazon S3 access log bucket in one of the following ways:
+ Amazon S3-Managed Keys (SSE-S3)
+ AWS KMS keys stored in AWS Key Management Service (SSE-KMS) †

† With Network Load Balancer access logs, you can't use AWS managed keys; you must use a customer managed key.

For more information, see [Specifying Amazon S3 encryption (SSE-S3)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/specifying-s3-encryption.html) and [Specifying server-side encryption with AWS KMS (SSE-KMS)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/specifying-kms-encryption.html) in the *Amazon S3 User Guide*.

The key policy must allow the service to encrypt and decrypt the logs. The following is an example policy. In a key policy, `"Resource": "*"` refers to the key that the policy is attached to, not to every key in the account.

------
#### [ JSON ]


```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}
```

------

## Configure access logs
<a name="configure-access-logs"></a>

Use the following procedure to configure access logs to capture request information and deliver log files to your S3 bucket.

------
#### [ Console ]

**To enable access logs**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **Load Balancers**.

1. Select the name of your load balancer to open its details page.

1. On the **Attributes** tab, choose **Edit**.

1. For **Monitoring**, turn on **Access logs**.

1. For **S3 URI**, enter the S3 URI for your log files. The URI that you specify depends on whether you're using a prefix.
   + URI with a prefix: s3://*amzn-s3-demo-logging-bucket*/*logging-prefix*
   + URI without a prefix: s3://*amzn-s3-demo-logging-bucket*

1. Choose **Save changes**.

------
#### [ AWS CLI ]

**To enable access logs**  
Use the [modify-load-balancer-attributes](https://docs.aws.amazon.com/cli/latest/reference/elbv2/modify-load-balancer-attributes.html) command with the related attributes.

```
aws elbv2 modify-load-balancer-attributes \
    --load-balancer-arn load-balancer-arn \
    --attributes \
        Key=access_logs.s3.enabled,Value=true \
        Key=access_logs.s3.bucket,Value=amzn-s3-demo-logging-bucket \
        Key=access_logs.s3.prefix,Value=logging-prefix
```

------
#### [ CloudFormation ]

**To enable access logs**  
Update the [AWS::ElasticLoadBalancingV2::LoadBalancer](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-loadbalancer.html) resource to include the related attributes.

```
Resources:
  myLoadBalancer:
    Type: 'AWS::ElasticLoadBalancingV2::LoadBalancer'
    Properties:
      Name: my-nlb
      Type: network
      Scheme: internal
      Subnets: 
        - !Ref SubnetAZ1   # logical IDs must be alphanumeric; replace with your subnet resources
        - !Ref SubnetAZ2
      SecurityGroups: 
        - !Ref mySecurityGroup
      LoadBalancerAttributes: 
        - Key: "access_logs.s3.enabled"
          Value: "true"
        - Key: "access_logs.s3.bucket"
          Value: "amzn-s3-demo-logging-bucket"
        - Key: "access_logs.s3.prefix"
          Value: "logging-prefix"
```

------

# Disable access logs for your Network Load Balancer
<a name="disable-access-logs"></a>

You can disable access logging for your load balancer at any time. After you disable access logging, your access logs remain in your S3 bucket until you delete them. For more information, see [Creating, configuring, and working with S3 buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/creating-buckets-s3.html) in the *Amazon S3 User Guide*.

------
#### [ Console ]

**To disable access logs**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **Load Balancers**.

1. Select the name of your load balancer to open its details page.

1. On the **Attributes** tab, choose **Edit**.

1. For **Monitoring**, turn off **Access logs**.

1. Choose **Save changes**.

------
#### [ AWS CLI ]

**To disable access logs**  
Use the [modify-load-balancer-attributes](https://docs.aws.amazon.com/cli/latest/reference/elbv2/modify-load-balancer-attributes.html) command.

```
aws elbv2 modify-load-balancer-attributes \
    --load-balancer-arn load-balancer-arn \
    --attributes Key=access_logs.s3.enabled,Value=false
```

------