Application Load Balancer logs
Application Load Balancer access logs capture detailed information about requests sent to your load balancer. Application Load Balancer publishes a log file for each load balancer node every 5 minutes.
You can create a log ingestion into Amazon OpenSearch Service either by using the Centralized Logging with OpenSearch console or by deploying a standalone CloudFormation stack.
Important
The Elastic Load Balancing logging bucket must be the same as the Centralized Logging with OpenSearch solution.
The Amazon OpenSearch Service index is rotated on a daily basis by default, and you can adjust the index in the Additional Settings.
Create log ingestion (OpenSearch Engine)
Using the Centralized Logging with OpenSearch Console
1. Sign in to the Centralized Logging with OpenSearch Console.
2. In the navigation pane, under Log Analytics Pipelines, choose Service Log.
3. Choose the Create a log ingestion button.
4. In the AWS Services section, choose Elastic Load Balancer.
5. Choose Next.
6. Under Specify settings, choose Automatic or Manual.
   - For Automatic mode, choose an Application Load Balancer in the dropdown list. (If the selected Application Load Balancer access log is not enabled, choose Enable to enable the Application Load Balancer access log.)
   - For Manual mode, enter the Application Load Balancer identifier and Log location.
   - (Optional) If you are ingesting logs from another account, select a linked account from the Account dropdown first.
7. Choose Next.
8. In the Specify OpenSearch domain section, select an imported domain for the Amazon OpenSearch Service domain.
9. Choose Yes for Sample dashboard if you want to ingest an associated templated Amazon OpenSearch Service dashboard.
10. You can change the Index Prefix of the target Amazon OpenSearch Service index if needed. The default prefix is the Load Balancer Name.
11. In the Log Lifecycle section, enter the number of days to manage the Amazon OpenSearch Service index lifecycle. Centralized Logging with OpenSearch will create the associated Index State Management (ISM) policy automatically for this pipeline.
12. In the Select log processor section, choose the log processor.
13. Choose Next.
14. Add tags if needed.
15. Choose Create.
Using the CloudFormation Stack
This automated AWS CloudFormation template deploys the Centralized Logging with OpenSearch - ELB Log Ingestion solution in the AWS Cloud.
1. Log in to the AWS Management Console and select the preceding button to launch the AWS CloudFormation template. You can also download the template as a starting point for your own implementation.
2. To launch the stack in a different AWS Region, use the Region selector in the console navigation bar.
3. On the Create stack page, verify that the correct template URL shows in the Amazon S3 URL text box and choose Next.
4. On the Specify stack details page, assign a name to your solution stack.
5. Under Parameters, review the parameters for the template and modify them as necessary. This solution uses the following parameters.

Parameter | Default | Description |
---|---|---|
Log Bucket Name | <Requires input> | The S3 bucket name that stores the logs. |
Log Bucket Prefix | <Requires input> | The S3 bucket path prefix that stores the logs. |
Log Source Account ID | Optional input | The AWS Account ID of the S3 bucket. Required for cross-account log ingestion (add a member account first). By default, the Account ID you logged in at Step 1 will be used. |
Log Source Region | Optional input | The AWS Region of the S3 bucket. By default, the Region you selected at Step 2 will be used. |
Log Source Account Assume Role | Optional input | The IAM Role ARN used for cross-account log ingestion. Required for cross-account log ingestion (add a member account first). |
KMS-CMK ARN | Optional input | The KMS-CMK ARN for encryption. Leave it blank to create a new AWS KMS key. |
Enable OpenSearch Ingestion as processor | Optional input | Ingestion table ARN. Leave empty if you do not use OSI as Processor. |
S3 Backup Bucket | <Requires input> | The S3 backup bucket name to store the failed ingestion logs. |
Engine Type | OpenSearch | The engine type of the OpenSearch. |
OpenSearch Domain Name | <Requires input> | The domain name of the Amazon OpenSearch Service cluster. |
OpenSearch Endpoint | <Requires input> | The OpenSearch endpoint URL. For example, vpc-your_opensearch_domain_name-xcvgw6uu2o6zafsiefxubwuohe.us-east-1.es.amazonaws.com |
Index Prefix | <Requires input> | The common prefix of OpenSearch index for the log. The index name will be <Index Prefix>-<Log Type>-<Other Suffix>. |
Create Sample Dashboard | Yes | Whether to create a sample OpenSearch dashboard. |
VPC ID | <Requires input> | Select a VPC that has access to the OpenSearch domain. The log processing Lambda will reside in the selected VPC. |
Subnet IDs | <Requires input> | Select at least two subnets that have access to the OpenSearch domain. The log processing Lambda will reside in the subnets. Make sure that the subnets have access to the Amazon S3 service. |
Security Group ID | <Requires input> | Select a Security Group that will be associated with the log processing Lambda. Make sure that the Security Group has access to the OpenSearch domain. |
Number Of Shards | 5 | Number of shards to distribute the index evenly across all data nodes. Keep the size of each shard between 10-50 GB. |
Number of Replicas | 1 | Number of replicas for OpenSearch Index. Each replica is a full copy of an index. If the OpenSearch option is set to Domain with standby, you need to configure it to 2. |
Age to Warm Storage | Optional input | The age required to move the index into warm storage (for example, 7d). Index age is the time between its creation and the present. Supported units are d (days) and h (hours). This is only effective when warm storage is enabled in OpenSearch. |
Age to Cold Storage | Optional input | The age required to move the index into cold storage (for example, 30d). Index age is the time between its creation and the present. Supported units are d (days) and h (hours). This is only effective when cold storage is enabled in OpenSearch. |
Age to Retain | Optional input | The age to retain the index (for example, 180d). Index age is the time between its creation and the present. Supported units are d (days) and h (hours). If the value is "", the index will not be deleted. |
Rollover Index Size | Optional input | The minimum size of the shard storage required to roll over the index (for example, 30GB). |
Index Suffix | yyyy-MM-dd | The common suffix format of OpenSearch index for the log (for example, yyyy-MM-dd, yyyy-MM-dd-HH). The index name will be <Index Prefix>-<Log Type>-<Index Suffix>-000001. |
Compression type | best_compression | The compression type to use to compress stored data. Available values are best_compression and default. |
Refresh Interval | 1s | How often the index should refresh, which publishes its most recent changes and makes them available for searching. Can be set to -1 to disable refreshing. Default is 1s. |
Plugins | Optional input | List of plugins delimited by comma. Leave it blank if there are no available plugins to use. Valid inputs are user_agent, geo_ip. |
EnableS3Notification | True | An option to enable or disable notifications for Amazon S3 buckets. The default option is recommended for most cases. |
LogProcessorRoleName | Optional input | Specify a role name for the log processor. The name should NOT duplicate an existing role name. If no name is specified, a random name is generated. |
QueueName | Optional input | Specify a queue name for an Amazon SQS queue. The name should NOT duplicate an existing queue name. If no name is given, a random name will be generated. |

6. Choose Next.
7. On the Configure stack options page, choose Next.
8. On the Review and create page, review and confirm the settings. Check the box acknowledging that the template creates AWS Identity and Access Management (IAM) resources.
9. Choose Submit to deploy the stack.
You can view the status of the stack in the AWS CloudFormation console in the Status column. You should receive a CREATE_COMPLETE status in approximately 10 minutes.
View dashboard
The dashboard includes the following visualizations.
Visualization Name | Source Field | Description |
---|---|---|
Total Requests | | Displays aggregated events based on a specified time interval. |
Request History | | Presents a bar chart that displays the distribution of events over time. |
Request By Target | | Presents a bar chart that displays the distribution of events over time and IP. |
Unique Visitors | | Displays unique visitors identified by client IP address. |
Status Code | | Displays the count of requests made to the Application Load Balancer, grouped by HTTP status codes (for example, 200, 404, 403). |
Status History | | Shows the historical trend of HTTP status codes returned by the Application Load Balancer over a specific period of time. |
Status Code Pipe | | Represents the distribution of requests based on different HTTP status codes using a pie chart. |
Average Processing Time | | This visualization calculates and presents the average time taken for various operations in the Application Load Balancer. |
Avg. Processing Time History | | Displays the historical trend of the average time-consuming of each operation returned by the Application Load Balancer within a specific period of time. |
Request Verb | | Displays the count of requests made to the Application Load Balancer using a pie chart, grouped by HTTP request method names (for example, POST, GET, HEAD). |
Total Bytes | | Provides insights into data transfer activities, including the total bytes transferred. |
Sent and Received Bytes History | | Displays the historical trend of the received bytes, send bytes. |
SSL Protocol | | Displays the count of requests made to the Application Load Balancer, grouped by SSL Protocol. |
Top Request URLs | | The web requests view enables you to analyze the top web requests. |
Top Client IPs | | Provides the top 10 IP addresses accessing your Application Load Balancer. |
Top User Agents | | Provides the top 10 user agents accessing your Application Load Balancer. |
Target Status | | Displays the HTTP status code request count for targets in the Application Load Balancer target group. |
Abnormal Requests | | Provides a detailed list of log events, including timestamps, client IP, and target IP. |
Requests by OS | | Displays the count of requests made to the Application Load Balancer, grouped by user agent OS. |
Request by Device | | Displays the count of requests made to the Application Load Balancer, grouped by user agent device. |
Request by Browser | | Displays the count of requests made to the Application Load Balancer, grouped by user agent browser. |
Request by Category | | Displays the count of categories made to the Application Load Balancer, grouped by user agent category (for example, PC, Mobile, Tablet). |
Requests by Countries or Regions | | Displays the count of requests made to the Application Load Balancer (grouped by the corresponding country or Region resolved by the client IP). |
Top Countries or Regions | | Top 10 countries with the Application Load Balancer Access. |
Top Cities | | Top 10 cities with Application Load Balancer Access. |
You can access the built-in dashboard in Amazon OpenSearch Service to view log data. For more information, see the Access Dashboard.
Create log ingestion (Light Engine)
Using the Centralized Logging with OpenSearch Console
1. Sign in to the Centralized Logging with OpenSearch Console.
2. In the navigation pane, under Log Analytics Pipelines, choose Service Log.
3. Choose the Create a log ingestion button.
4. In the AWS Services section, choose Elastic Load Balancer.
5. Choose Next.
6. Under Specify settings, choose Automatic or Manual for enabling Application Load Balancer logs. The automatic mode will detect the Application Load Balancer log location automatically.
   - For Automatic mode, choose an Application Load Balancer in the dropdown list. (If the selected Application Load Balancer access log is not enabled, choose Enable to enable the Application Load Balancer access log.)
   - For Manual mode, enter the Application Load Balancer identifier and Log location.
   - (Optional) If you are ingesting Application Load Balancer logs from another account, select a linked account from the Account dropdown list first.
7. Choose Next.
8. Choose Log Processing Enriched fields if needed. The available plugins are location and OS/User Agent. Enabling rich fields increases data processing latency and processing costs. By default, it is not selected.
9. In the Specify Light Engine Configuration section, if you want to ingest associated templated Grafana dashboards, select Yes for the sample dashboard.
10. You can choose an existing Grafana, or if you must import a new one, you can go to Grafana for configuration.
11. Select an S3 bucket to store partitioned logs and define a name for the log table. We have provided a predefined table name, but you can modify it according to your business needs.
12. If needed, change the log processing frequency, which is set to 5 minutes by default, with a minimum processing frequency of 1 minute.
13. In the Log Lifecycle section, enter the log merge time and log archive time. We have provided default values, but you can adjust them based on your business requirements.
14. Select Next.
15. If desired, add tags.
16. Select Create.
Using the CloudFormation Stack
This automated AWS CloudFormation template deploys the Centralized Logging with OpenSearch - CloudFront Log Ingestion solution in the AWS Cloud.
1. Log in to the AWS Management Console and select the preceding button to launch the AWS CloudFormation template. You can also download the template as a starting point for your own implementation.
2. To launch the stack in a different AWS Region, use the Region selector in the console navigation bar.
3. On the Create stack page, verify that the correct template URL shows in the Amazon S3 URL text box and choose Next.
4. On the Specify stack details page, assign a name to your solution stack.
5. Under Parameters, review the parameters for the template and modify them as necessary. This solution uses the following parameters.

Parameters for Pipeline settings

Parameter | Default | Description |
---|---|---|
Pipeline Id | <Requires input> | The unique identifier for the pipeline. It is essential if you must create multiple Application Load Balancer pipelines and write different Application Load Balancer logs into separate tables. For uniqueness, you can generate a unique pipeline identifier using uuidgenerator. |
Staging Bucket Prefix | AWSLogs/ALBLogs | The storage directory for logs in the temporary storage area. Make sure that the prefix is unique and does not overlap with the prefix of other pipelines. |

Parameters for Destination settings

Parameter | Default | Description |
---|---|---|
Centralized Bucket Name | <Requires input> | Centralized S3 bucket name. For example, centralized-logging-bucket. |
Centralized Bucket Prefix | datalake | Centralized bucket prefix. By default, the database location is s3://{Centralized Bucket Name}/{Centralized Bucket Prefix}/amazon_cl_centralized. |
Centralized Table Name | ALB | Table name for writing data to the centralized database. You can modify it if needed. |

Parameters for Scheduler settings

Parameter | Default | Description |
---|---|---|
LogProcessor Schedule Expression | rate(5 minutes) | Task scheduling expression for performing log processing, with a default value of executing the LogProcessor every 5 minutes. Configuration for reference. |
LogMerger Schedule Expression | cron(0 1 * ? ) | Task scheduling expression for performing log merging, with a default value of executing the LogMerger at 1 AM every day. Configuration for reference. |
LogArchive Schedule Expression | cron(0 2 * ? ) | Task scheduling expression for performing log archiving, with a default value of executing the LogArchive at 2 AM every day. Configuration for reference. |
Age to Merge | 7 | Small file retention days, with a default value of 7, indicating that logs older than 7 days will be merged into small files. It can be adjusted as needed. |
Age to Archive | 30 | Log retention days, with a default value of 30, indicating that data older than 30 days will be archived and deleted. It can be adjusted as needed. |

Parameters for Notification settings

Parameter | Default | Description |
---|---|---|
Notification Service | SNS | Notification method for alerts. If your main stack is using China, you can only choose the SNS method. If your main stack is using Global, you can choose either the SNS or SES method. |
Recipients | <Requires Input> | Alert notification: If the Notification Service is SNS, enter the SNS Topic ARN here so that you have the necessary permissions. If the Notification Service is SES, enter the email addresses separated by commas here, ensuring that the email addresses are already Verified Identities in SES. The adminEmail provided during the creation of the main stack will receive a verification email by default. |

Parameters for Dashboard settings

Parameter | Default | Description |
---|---|---|
Import Dashboards | FALSE | Whether to import the Dashboard into Grafana, with a default value of false. If set to true, you must provide the Grafana URL and Grafana Service Account Token. |
Grafana URL | <Requires Input> | Grafana access URL, for example: https://alb-72277319.us-west-2.elb.amazonaws.com. |
Grafana Service Account Token | <Requires Input> | Grafana Service Account Token: Service Account Token created in Grafana. |

6. Choose Next.
7. On the Configure stack options page, choose Next.
8. On the Review and create page, review and confirm the settings. Check the box acknowledging that the template creates AWS Identity and Access Management (IAM) resources.
9. Choose Submit to deploy the stack.
You can view the status of the stack in the AWS CloudFormation console in the Status column. You should receive a CREATE_COMPLETE status in approximately 10 minutes.
View dashboard
The dashboard includes the following visualizations.
Visualization Name | Source Field | Description |
---|---|---|
Filters | Filters | The following data can be filtered by query filter conditions. |
Total Requests | log event | Displays aggregated events based on a specified time interval. |
Unique Visitors | client_ip | Displays unique visitors identified by client IP address. |
Requests History | log event | Presents a bar chart that displays the distribution of events over time. |
Request By Target | log event target_ip | Presents a bar chart that displays the distribution of events over time and IP. |
HTTP Status Code | elb_status_code | Displays the count of requests made to the Application Load Balancer, grouped by HTTP status codes (for example, 200, 404, 403). |
Status Code History | elb_status_code | Shows the historical trend of HTTP status codes returned by the Application Load Balancer over a specific period of time. |
Status Code Pie | elb_status_code | Represents the distribution of requests based on different HTTP status codes using a pie chart. |
Average Processing Time | request_processing_time response_processing_time target_processing_time | This visualization calculates and presents the average time taken for various operations in the Application Load Balancer. |
Avg. Processing Time History | request_processing_time response_processing_time target_processing_time | Displays the historical trend of the average time-consuming of each operation returned by the Application Load Balancer within a specific period of time. |
HTTP Method | request_verb | Displays the count of requests made to the Application Load Balancer using a pie chart, grouped by HTTP request method names (for example, POST, GET, HEAD). |
Total Bytes | received_bytes sent_bytes | Provides insights into data transfer activities, including the total bytes transferred. |
Sent and Received Bytes History | received_bytes sent_bytes | Displays the historical trend of the received bytes, send bytes. |
SSL Protocol | ssl_protocol | Displays the count of requests made to the Application Load Balancer, grouped by SSL Protocol. |
Top Request URLs | request_url | The web requests view enables you to analyze the top web requests. |
Top Client IPs | client_ip | Provides the top 10 IP addresses accessing your Application Load Balancer. |
Bad Requests | type client_ip target_group_arn target_ip elb_status_code request_verb request_url ssl_protocol received_bytes sent_bytes | Provides a detailed list of log events, including timestamps, client IP, and target IP. |
Requests by OS | ua_os | Displays the count of requests made to the Application Load Balancer, grouped by user agent OS. |
Requests by Device | ua_device | Displays the count of requests made to the Application Load Balancer, grouped by user agent device. |
Requests by Browser | ua_browser | Displays the count of requests made to the Application Load Balancer, grouped by user agent browser. |
Requests by Category | ua_category | Displays the count of categories made to the Application Load Balancer, grouped by user agent category (for example, PC, Mobile, Tablet). |
Requests by Countries or Regions | geo_iso_code | Displays the count of requests made to the Application Load Balancer (grouped by the corresponding country or Region resolved by the client IP). |
Top Countries or Regions | geo_country | Top 10 countries with the Application Load Balancer Access. |
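
The Source Field names in the table above correspond to fields of the raw Application Load Balancer access log entry. The following Python code is an added example, not code from the solution: it parses entries using the AWS-documented field order and computes a few of the same aggregates, which helps when validating what the pipeline ingested. The names parse_alb_line, summarize and SAMPLE_LOG are hypothetical, the sample entries are constructed, and both the derivation of client_ip and target_ip from the ip:port fields and the 4xx/5xx filter are assumptions rather than the solution's own logic.

```python
import re
from collections import Counter

# First 17 fields of an ALB access log entry, in the order AWS documents them.
FIELDS = [
    "type", "time", "elb", "client", "target", "request_processing_time",
    "target_processing_time", "response_processing_time", "elb_status_code",
    "target_status_code", "received_bytes", "sent_bytes", "request",
    "user_agent", "ssl_cipher", "ssl_protocol", "target_group_arn",
]
TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # a quoted field or a bare field


def parse_alb_line(line):
    """Turn one raw entry into a dict keyed by the dashboard's field names."""
    tokens = [m.group(1) if m.group(1) is not None else m.group(2)
              for m in TOKEN.finditer(line)]
    if len(tokens) < len(FIELDS):
        raise ValueError("truncated ALB access log entry")
    rec = dict(zip(FIELDS, tokens))
    # client and target are logged as ip:port; target is "-" when the load
    # balancer never dispatched the request (assumed mapping to *_ip fields).
    rec["client_ip"] = rec.pop("client").rpartition(":")[0]
    rec["target_ip"] = rec.pop("target").rpartition(":")[0] or "-"
    # request is logged as 'VERB URL PROTOCOL'
    verb, _, rest = rec.pop("request").partition(" ")
    rec["request_verb"], rec["request_url"] = verb, rest.rpartition(" ")[0]
    for key in ("elb_status_code", "received_bytes", "sent_bytes"):
        rec[key] = int(rec[key])
    return rec


def summarize(records, top_n=10):
    """Aggregates behind a few visualizations, plus clients seen with 4xx/5xx."""
    errors = [r for r in records if r["elb_status_code"] >= 400]
    return {
        "status_codes": Counter(r["elb_status_code"] for r in records),
        "top_client_ips": Counter(r["client_ip"] for r in records).most_common(top_n),
        "total_bytes": sum(r["received_bytes"] + r["sent_bytes"] for r in records),
        "error_clients": Counter(r["client_ip"] for r in errors),
    }


# Constructed sample entries (documentation IP ranges, made-up names and ARN).
# Fields after matched_rule_priority are omitted; the parser does not read them.
_HEAD = "https 2024-05-01T12:00:0{}.000000Z app/example-alb/0123456789abcdef "
_TAIL = (' "Mozilla/5.0 (X11; Linux x86_64)" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 '
         "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/example-tg/0123456789abcdef "
         '"Root=1-00000000-000000000000000000000000" "app.example.com" "-" 0')
SAMPLE_LOG = [_HEAD.format(i) + body + _TAIL for i, body in enumerate([
    '203.0.113.10:51234 10.0.1.15:8080 0.001 0.012 0.000 200 200 312 5120 "GET https://app.example.com:443/index.html HTTP/1.1"',
    '203.0.113.10:51240 10.0.1.15:8080 0.001 0.020 0.000 403 403 420 290 "POST https://app.example.com:443/login HTTP/1.1"',
    '198.51.100.7:40022 - -1 -1 -1 503 - 0 337 "GET https://app.example.com:443/api/orders HTTP/1.1"',
    '203.0.113.10:51300 - -1 -1 -1 400 - 0 272 "- https://app.example.com:443- -"',
])]

if __name__ == "__main__":
    summary = summarize([parse_alb_line(line) for line in SAMPLE_LOG])
    for name, value in summary.items():
        print(name, value)
```

Comparing these counts for a known time window against the Total Requests and HTTP Status Code panels is a quick check that no log files were dropped during ingestion.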