Configure standard logging (v2) - Amazon CloudFront

Configure standard logging (v2)

You can enable standard logging when you create or update a distribution. Standard logging (v2) includes the following features:

  • Send access logs to Amazon CloudWatch Logs, Amazon Data Firehose, and Amazon Simple Storage Service (Amazon S3).

  • Select the log fields that you want. You can also select a subset of real-time log fields.

  • Select additional output log file formats.

If you’re using Amazon S3, you have the following optional features:

  • Send logs to opt-in AWS Regions.

  • Organize your logs with partitioning.

  • Enable Hive-compatible file names.

For more information, see Send logs to Amazon S3.

To get started with standard logging, complete the following steps:

  1. Set up your required permissions for the specified AWS service that will receive your logs.

  2. Configure standard logging from the CloudFront console or the CloudWatch API.

  3. View your access logs.

Note
  • If you enable standard logging (v2), this doesn’t affect or change standard logging (legacy). You can continue to use standard logging (legacy) for your distribution, in addition to using standard logging (v2). For more information, see Configure standard logging (legacy).

  • If you already enabled standard logging (legacy) and you want to enable standard logging (v2) to Amazon S3, we recommend that you specify a different Amazon S3 bucket or use a separate path in the same bucket (for example, use a log prefix or partitioning). This helps you keep track of which log files are associated with which distribution and prevents log files from overwriting each other.

Permissions

CloudFront uses CloudWatch vended logs to deliver access logs. To do so, you need permissions to the specified AWS service so that you can enable logging delivery.

To see the required permissions for each logging destination, choose from the following topics in the Amazon CloudWatch Logs User Guide.

After you have set up permissions to your logging destination, you can enable standard logging for your distribution.

Note

CloudFront supports sending access logs to different AWS accounts (cross accounts). To enable cross-account delivery, both accounts (your account and the receiving account) must have the required permissions. For more information, see Cross-account delivery example in the Amazon CloudWatch Logs User Guide.

Enable standard logging

To enable standard logging, you can use the CloudFront console or the CloudWatch API.

Enable standard logging (CloudFront console)

To enable standard logging for a CloudFront distribution (console)
  1. Use the CloudFront console to create a new distribution or update an existing one.

  2. Under the Standard logging section, for Log delivery, choose On.

  3. (Optional) For Cookie logging, specify if you want to include cookies in your logs.

    Tip

    Cookie logging is a global setting that applies to all standard logging for your distribution. You can’t override this setting for separate delivery destinations.

  4. For the Deliver to section, specify the service to receive your logs:

    • CloudWatch Logs

    • Firehose

    • Amazon S3

  5. For the Destination, select the resource for your service. If you haven’t already created your resource, you can choose Create or see the following documentation.

    • For CloudWatch Logs, enter the Log group name.

    • For Firehose, enter the Firehose delivery stream.

    • For Amazon S3, enter the Bucket name.

      Tip

      To specify a prefix, enter the prefix after the bucket name, such as amzn-s3-demo-bucket.s3.amazonaws.com/MyLogPrefix. If you don't specify a prefix, CloudFront will automatically add one for you. For more information, see Send logs to Amazon S3.

  6. For Additional settings – optional, you can specify the following options:

    1. For Field selection, select the log field names that you want to deliver to your destination. You can select access log fields and a subset of real-time log fields.

    2. (Amazon S3 only) For Partitioning, specify the path to partition your log file data.

    3. (Amazon S3 only) For Hive-compatible file format, you can select the checkbox to use Hive-compatible S3 paths. This helps simplify loading new data into your Hive-compatible tools.

    4. For Output format, specify your preferred format.

      Note

      If you choose Parquet, this option incurs CloudWatch charges for converting your access logs to Apache Parquet. For more information, see the Vended Logs section for CloudWatch pricing.

    5. For Field delimiter, specify how to separate log fields.

  7. Complete the steps to update or create your distribution.

  8. To add another destination, choose Add another destination and repeat steps 4 – 7.

  9. From the Logs page, verify that the standard logs status is Enabled next to the distribution.

    For more information about the standard logging delivery and log fields, see the Standard logging reference.

Enable standard logging (CloudWatch API)

You can also use the CloudWatch API to enable standard logging for your distributions.

Notes
  • When calling the CloudWatch API to enable standard logging, you must specify the US East (N. Virginia) Region (us-east-1), even if you want to enable cross Region delivery to another destination. For example, if you want to send your access logs to an S3 bucket in the Europe (Ireland) Region (eu-west-1), use the CloudWatch API in the us-east-1 Region.

  • There is an additional option to include cookies in standard logging. In the CloudFront API, this is the IncludeCookies parameter. If you configure access logging by using the CloudWatch API and you specify that you want to include cookies, you must use the CloudFront console or CloudFront API to update your distribution to include cookies. Otherwise, CloudFront can’t send cookies to your log destination. For more information, see Cookie logging.

To enable standard logging for a distribution (CloudWatch API)
  1. After you a create a distribution, get the Amazon Resource Name (ARN).

    You can find the ARN from the Distribution page in the CloudFront console or you can use the GetDistribution API operation. A distribution ARN follows the format: arn:aws:cloudfront::123456789012:distribution/d111111abcdef8

  2. Next, use the CloudWatch PutDeliverySource API operation to create a delivery source for the distribution.

    1. Enter a name for the delivery source.

    2. Pass the resourceArn of the distribution.

    3. For logType, specify ACCESS_LOGS as the type of logs that are collected.

    4. Example AWS CLI put-delivery-source command

      The following is an example of configuring a delivery source for a distribution.

      aws logs put-delivery-source --name S3-delivery --resource-arn arn:aws:cloudfront::123456789012:distribution/d111111abcdef8 --log-type ACCESS_LOGS

      Output

      { "deliverySource": { "name": "S3-delivery", "arn": "arn:aws:logs:us-east-1:123456789012:delivery-source:S3-delivery", "resourceArns": [ "arn:aws:cloudfront::123456789012:distribution/d111111abcdef8" ], "service": "cloudfront", "logType": "ACCESS_LOGS" } }
  3. Use the PutDeliveryDestination API operation to configure where to store your logs.

    1. For destinationResourceArn, specify the ARN of the destination. This can be a CloudWatch Logs log group, a Firehose delivery stream, or an Amazon S3 bucket.

    2. For outputFormat, specify the output format for your logs.

    3. Example AWS CLI put-delivery-destination command

      The following is an example of configuring a delivery destination to an Amazon S3 bucket.

      aws logs put-delivery-destination --name S3-destination --delivery-destination-configuration destinationResourceArn=arn:aws:s3:::amzn-s3-demo-bucket

      Output

      { "name": "S3-destination", "arn": "arn:aws:logs:us-east-1:123456789012:delivery-destination:S3-destination", "deliveryDestinationType": "S3", "deliveryDestinationConfiguration": { "destinationResourceArn": "arn:aws:s3:::amzn-s3-demo-bucket" } }
    Note

    If you're delivering logs cross-account, you must use the PutDeliveryDestinationPolicy API operation to assign an AWS Identity and Access Management (IAM) policy to the destination account. The IAM policy allows delivery from one account to another account.

  4. Use the CreateDelivery API operation to link the delivery source to the destination that you created in the previous steps. This API operation associates the delivery source with the end destination.

    1. For deliverySourceName, specify the source name.

    2. For deliveryDestinationArn, specify the ARN for the delivery destination.

    3. For fieldDelimiter, specify the string to separate each log field.

    4. For recordFields, specify the log fields that you want.

    5. If you’re using S3, specify whether to use enableHiveCompatiblePath and suffixPath.

    Example AWS CLI create-delivery command

    The following is an example of creating a delivery.

    aws logs create-delivery --delivery-source-name cf-delivery --delivery-destination-arn arn:aws:logs:us-east-1:123456789012:delivery-destination:S3-destination

    Output

    { "id": "abcNegnBoTR123", "arn": "arn:aws:logs:us-east-1:123456789012:delivery:abcNegnBoTR123", "deliverySourceName": "cf-delivery", "deliveryDestinationArn": "arn:aws:logs:us-east-1:123456789012:delivery-destination:S3-destination", "deliveryDestinationType": "S3", "recordFields": [ "date", "time", "x-edge-location", "sc-bytes", "c-ip", "cs-method", "cs(Host)", "cs-uri-stem", "sc-status", "cs(Referer)", "cs(User-Agent)", "cs-uri-query", "cs(Cookie)", "x-edge-result-type", "x-edge-request-id", "x-host-header", "cs-protocol", "cs-bytes", "time-taken", "x-forwarded-for", "ssl-protocol", "ssl-cipher", "x-edge-response-result-type", "cs-protocol-version", "fle-status", "fle-encrypted-fields", "c-port", "time-to-first-byte", "x-edge-detailed-result-type", "sc-content-type", "sc-content-len", "sc-range-start", "sc-range-end" ], "fieldDelimiter": "" }
  5. From the CloudFront console, on the Logs page, verify that the standard logs status is Enabled next to the distribution.

    For more information about the standard logging delivery and log fields, see the Standard logging reference.

Output file format

Depending on the delivery destination that you choose, you can specify one of the following formats for log files:

  • JSON

  • Plain

  • w3c

  • Raw

  • Parquet (Amazon S3 only)

Note

You can only set the output format when you first create the delivery destination. This can't be updated later. To change the output format, delete the delivery and create another one.

For more information, see PutDeliveryDestination in the Amazon CloudWatch Logs API Reference.

Edit standard logging settings

You can enable or disable logging and update other log settings by using the CloudFront console or the CloudWatch API. Your changes to logging settings take effect within 12 hours.

For more information, see the following topics:

Access log fields

You can select the same log fields that standard logging (legacy) supports. For more information, see log file fields.

In addition, you can select the following real-time log fields.

  1. timestamp(ms) – Timestamp in milliseconds.

  2. origin-fbl – The number of seconds of first-byte latency between CloudFront and your origin.

  3. origin-lbl – The number of seconds of last-byte latency between CloudFront and your origin.

  4. asn – The autonomous system number (ASN) of the viewer.

Send logs to CloudWatch Logs

To send logs to CloudWatch Logs, create or use an existing CloudWatch Logs log group. For more information about configuring a CloudWatch Logs log group, see Working with Log Groups and Log Streams.

After you create your log group, you must have the required permissions to allow standard logging. For more information about the required permissions, see Logs sent to CloudWatch Logs in the Amazon CloudWatch Logs User Guide.

Notes
  • When you specify the name of the CloudWatch Logs log group, only use the regex pattern [\w-]. For more information, see the PutDeliveryDestination API operation in the Amazon CloudWatch Logs API Reference.

  • Verify that your log group resource policy doesn't exceed the size limit. See the Log group resource policy size limit considerations section in the CloudWatch Logs topic.

Example access log sent to CloudWatch Logs

{ "date": "2024-11-14", "time": "21:34:06", "x-edge-location": "SOF50-P2", "asn": "16509", "timestamp(ms)": "1731620046814", "origin-fbl": "0.251", "origin-lbl": "0.251", "x-host-header": "d111111abcdef8.cloudfront.net", "cs(Cookie)": "examplecookie=value" }

Send logs to Firehose

To send logs to Firehose, create or use an existing Firehose delivery stream.

For information about creating your delivery stream, see Creating an Amazon Data Firehose delivery stream.

After you create your delivery stream, you must have the required permissions to allow standard logging. For more information, see Logs sent to Firehose in the Amazon CloudWatch Logs User Guide.

Note

When you specify the name of the Firehose stream, only use the regex pattern [\w-]. For more information, see the PutDeliveryDestination API operation in the Amazon CloudWatch Logs API Reference.

Example access log sent to Firehose

{"date":"2024-11-15","time":"19:45:51","x-edge-location":"SOF50-P2","asn":"16509","timestamp(ms)":"1731699951183","origin-fbl":"0.254","origin-lbl":"0.254","x-host-header":"d111111abcdef8.cloudfront.net","cs(Cookie)":"examplecookie=value"} {"date":"2024-11-15","time":"19:45:52","x-edge-location":"SOF50-P2","asn":"16509","timestamp(ms)":"1731699952950","origin-fbl":"0.125","origin-lbl":"0.125","x-host-header":"d111111abcdef8.cloudfront.net","cs(Cookie)":"examplecookie=value"}

Send logs to Amazon S3

To send your access logs to Amazon S3, create or use an existing S3 bucket. When you enable logging in CloudFront, specify the bucket name. For information about creating a bucket, see Create a bucket in the Amazon Simple Storage Service User Guide.

After you create your bucket, you must have the required permissions to allow standard logging. For more information, see Logs sent to Amazon S3 in the Amazon CloudWatch Logs User Guide.

  • After you enable logging, AWS automatically adds the required bucket policies for you.

  • You can also use S3 buckets in the opt-in AWS Regions.

Note

If you already enabled standard logging (legacy) and you want to enable standard logging (v2) to Amazon S3, we recommend that you specify a different Amazon S3 bucket or use a separate path in the same bucket (for example, use a log prefix or partitioning). This helps you keep track of which log files are associated with which distribution and prevents log files from overwriting each other.

Specify an S3 bucket

When you specify an S3 bucket as the delivery destination, note the following.

The S3 bucket name can only use the regex pattern [\w-]. For more information, see the PutDeliveryDestination API operation in the Amazon CloudWatch Logs API Reference.

If you specified a prefix for your S3 bucket, your logs appear under that path. If you don't specify a prefix, CloudFront will automatically append the AWSLogs/<account-ID>/CloudFront prefix for you.

Example: Bucket with a prefix

If you specify the following bucket name with a prefix: amzn-s3-demo-bucket.s3.amazonaws.com/MyLogPrefix

Your logs will appear under the following path: amzn-s3-demo-bucket.s3.amazonaws.com/MyLogPrefix/logs

Example: Bucket without a prefix

If you specify the bucket name only: amzn-s3-demo-bucket.s3.amazonaws.com

Your logs will appear under the following path: amzn-s3-demo-bucket.s3.amazonaws.com/AWSLogs/123456789012/CloudFront/logs

Partitioning

You can use partitioning to organize your access logs when CloudFront sends them to your S3 bucket. This helps you organize and locate your access logs based on the path that you want.

You can use the following variables to create a folder path.

  • {DistributionId}

  • {yyyy}

  • {MM}

  • {dd}

  • {HH}

You can use any number of variables and specify folder names in your path. CloudFront then uses this path to create a folder structure for you in the S3 bucket.

Examples
  • my_distribution_log_data/{DistributionId}/logs

  • /cloudfront/{DistributionId}/my_distribution_log_data/{yyyy}/{MM}/{dd}/{HH}/logs

Hive-compatible file name format

You can use this option so that S3 objects that contain delivered access logs use a prefix structure that allows for integration with Apache Hive. For more information, see the CreateDelivery API operation.

Example
/cloudfront/DistributionId={DistributionId}/my_distribution_log_data/year={yyyy}/month={MM}/day={dd}/hour={HH}/logs

For more information about partitioning and the Hive-compatible options, see the S3DeliveryConfiguration element in the Amazon CloudWatch Logs API Reference.

Example access log sent to Amazon S3

#Fields: date time x-edge-location asn timestamp(ms) x-host-header cs(Cookie) 2024-11-14 22:30:25 SOF50-P2 16509 1731623425421 d111111abcdef8.cloudfront.net examplecookie=value2

Delete log files

CloudFront doesn't automatically delete log files from your destination. For information about deleting log files, see the following topics:

Amazon S3
CloudWatch Logs
Firehose

Pricing

CloudFront doesn’t charge for enabling standard logs. However, you can incur charges for the delivery, ingestion, storage or access, depending on the log delivery destination that you select.

For more information, see the following topics to the pricing information for each logging destination type:

  • CloudWatch Logs – The charges are for vended log delivery. See CloudWatch Logs Pricing

    • Under Paid Tier, choose the Logs tab, and then under Vended Logs, see the information for Delivery to CloudWatch Logs.

      Note

      If you choose Parquet, this option incurs CloudWatch charges for converting your access logs to Apache Parquet. For more information, see the Vended Logs section for CloudWatch pricing.

  • Firehose – See Amazon Data Firehose

  • Amazon S3 buckets – The Amazon S3 charges are the combined charges for CloudWatch Logs vended log delivery to the Amazon S3 buckets and for using Amazon S3.

    • For Amazon S3, see Amazon S3 Pricing.

    • For CloudWatch Logs vended log delivery to the Amazon S3, see Amazon CloudWatch Logs Pricing. Under Paid Tier, choose the Logs tab, and then under Vended Logs, see the information for Delivery to S3