Creating, updating, and viewing logging for servers - AWS Transfer Family

Creating, updating, and viewing logging for servers

For all AWS Transfer Family servers, you can choose between two options for logging: LoggingRole (used for logging workflows that are attached to the server) or StructuredLogDestinations. Benefits of using StructuredLogDestinations include the following:

  • Receive logs in a structured JSON format.

  • Query your logs with Amazon CloudWatch Logs Insights, which automatically discovers JSON formatted fields.

  • Share log groups across AWS Transfer Family resources, which lets you combine log streams from multiple servers into a single log group and makes it easier to manage your monitoring configurations and log retention settings.

  • Create aggregated metrics and visualizations that can be added to CloudWatch dashboards.

  • Track usage and performance data by using log groups to create consolidated log metrics, visualizations, and dashboards.

The options for LoggingRole or StructuredLogDestinations are configured and controlled separately. For each server, you can set up one or both methods of logging, or configure your server to have no logging whatsoever (though this is not recommended).

If you create a new server by using the Transfer Family console, logging is enabled by default. After you create the server, you can use the UpdateServer API operation to change your logging configuration. For details, see StructuredLogDestinations.

Currently, for workflows, if you want logging enabled, you must specify a logging role:

  • If you associate a workflow with a server, using either the CreateServer or UpdateServer API operation, the system does not automatically create a logging role. If you want to log your workflow events, you need to explicitly attach a logging role to the server.

  • If you create a server using the Transfer Family console and you attach a workflow, logs are sent to a log group that contains the server ID in the name. The format is /aws/transfer/server-id, for example, /aws/transfer/s-1111aaaa2222bbbb3. The server logs can be sent to this same log group or a different one.

Logging considerations for creating and editing servers in the console

  • New servers created through the console only support structured JSON logging, unless a workflow is attached to the server.

  • Choosing no logging is not an option for new servers that you create in the console.

  • Existing servers can enable structured JSON logging through the console at any time.

  • Enabling structured JSON logging through the console disables the existing logging method, so as to not double charge customers. The exception is if a workflow is attached to the server.

  • If you enable structured JSON logging, you cannot later disable it through the console.

  • If you enable structured JSON logging, you can change the log group destination through the console at any time.

  • If you enable structured JSON logging, you cannot edit the logging role through the console if you have enabled both logging types through the API. The exception is if your server has a workflow attached. However, the logging role does continue to appear in Additional details.

Logging considerations for creating and editing servers using the API or SDK

  • If you create a new server through the API, you can configure either or both types of logging, or choose no logging.

  • For existing servers, enable and disable structured JSON logging at any time.

  • You can change the log group through the API at any time.

  • You can change the logging role through the API at any time.

To enable structured logging, you must be logged into an account with the following permissions:

  • logs:CreateLogDelivery

  • logs:DeleteLogDelivery

  • logs:DescribeLogGroups

  • logs:DescribeResourcePolicies

  • logs:GetLogDelivery

  • logs:ListLogDeliveries

  • logs:PutResourcePolicy

  • logs:UpdateLogDelivery

An example policy is available in the section Configure CloudWatch logging role.

Creating logging for servers

When you create a new server, on the Configure additional details page, you can specify an existing log group, or create a new one.

Logging pane for Configure additional details in the Create server wizard. Choose an existing log group is selected.

If you choose Create log group, the CloudWatch console (https://console.aws.amazon.com/cloudwatch/) opens to the Create log group page. For details, see Create a log group in CloudWatch Logs.

Updating logging for a server

The details for logging depend on the scenario for your update.

Note

When you opt into structured JSON logging, there can be a delay, in rare cases, where Transfer Family stops logging in the old format, but takes some time to start logging in the new JSON format. This can result in events that don't get logged. There won't be any service disruptions, but you should be careful when transferring files during the first hour after changing your logging method, as logs could be dropped.

If you are editing an existing server, your options depend on the state of the server.

  • The server already has a logging role enabled, but does not have Structured JSON logging enabled.

    Logging pane, showing an existing logging role.
  • The server does not have any logging enabled.

    Logging pane if the server does not have any logging enabled.
  • The server already has Structured JSON logging enabled, but does not have a logging role specified.

    Logging pane if the server does not already have logging enabled.
  • The server already has Structured JSON logging enabled, and also has a logging role specified.

    Logging pane if the server has structured logging enabled and also has a logging role specified.

Viewing the server configuration

Depending on your scenario, the server configuration page might look like one of the following examples:

  • No logging is enabled.

    Logging configuration with no logging configured.
  • Structured JSON logging is enabled.

    Logging configuration with structured logging configured.
  • Logging role is enabled, but structured JSON logging is not enabled.

    Logging configuration with a logging role configured.
  • Both types of logging (logging role and structured JSON logging) are enabled.

    Logging configuration with both types (logging role and structured JSON logging) of logging configured.
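
The following is an added example, not part of the AWS documentation: a Python audit that sorts servers into the four logging states listed above and flags the two gaps this page describes, a server with no logging and a workflow attached without a logging role. It assumes records shaped like the DescribeServer response (LoggingRole, StructuredLogDestinations, WorkflowDetails); the sample servers, account ID, and ARNs are constructed.

```python
# Added example, not AWS code. Records are assumed to be shaped like the
# DescribeServer response; every ID and ARN below is a constructed placeholder.

def classify_logging(server):
    """Map a server record to one of the four logging states on this page."""
    has_role = bool(server.get("LoggingRole"))
    has_structured = bool(server.get("StructuredLogDestinations"))
    if has_role and has_structured:
        return "both"
    if has_structured:
        return "structured"
    return "logging_role" if has_role else "none"

def has_workflow(server):
    """True if any workflow is attached (on upload or on partial upload)."""
    details = server.get("WorkflowDetails") or {}
    return bool(details.get("OnUpload") or details.get("OnPartialUpload"))

def audit(servers):
    """Return {server_id: {"state": ..., "findings": [...]}} for every server."""
    report = {}
    for server in servers:
        state = classify_logging(server)
        findings = []
        if state == "none":
            findings.append("no logging configured")
        # Workflow events are only logged when a logging role is attached.
        if has_workflow(server) and not server.get("LoggingRole"):
            findings.append("workflow attached without a logging role")
        report[server["ServerId"]] = {"state": state, "findings": findings}
    return report

ACCOUNT = "111122223333"  # constructed account ID
LOG_GROUP = f"arn:aws:logs:us-east-1:{ACCOUNT}:log-group:/aws/transfer/shared:*"
ROLE = f"arn:aws:iam::{ACCOUNT}:role/example-transfer-logging-role"
WORKFLOW = {"OnUpload": [{"WorkflowId": "w-placeholder"}]}

SAMPLE_SERVERS = [  # constructed sample records
    {"ServerId": "s-1111aaaa2222bbbb3"},
    {"ServerId": "s-placeholder-b", "StructuredLogDestinations": [LOG_GROUP],
     "WorkflowDetails": WORKFLOW},
    {"ServerId": "s-placeholder-c", "LoggingRole": ROLE},
    {"ServerId": "s-placeholder-d", "LoggingRole": ROLE,
     "StructuredLogDestinations": [LOG_GROUP], "WorkflowDetails": WORKFLOW},
]

if __name__ == "__main__":
    for server_id, result in audit(SAMPLE_SERVERS).items():
        print(server_id, result["state"], result["findings"] or "ok")
```

With boto3, the same record shape is returned in the Server field of the Transfer Family describe_server call.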