Question

我正在尝试根据此文档https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-access-logs.html

为AWS Network ELB配置访问日志

我指定了存储桶名称和前缀，然后选择了Create this location for me

为存储桶自动生成了以下存储桶策略

{
    "Version": "2012-10-17",
    "Id": "AWSConsole-AccessLogs-Policy-xxxxxxxxxxxxx",
    "Statement": [
        {
            "Sid": "AWSConsoleStmt-xxxxxxxxxxxxx",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxxxxxxxxx:root"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucket_name/prefix/AWSLogs/123456789012/*"
        },
        {
            "Sid": "AWSLogDeliveryWrite",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucket_name/prefix/AWSLogs/123456789012/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        },
        {
            "Sid": "AWSLogDeliveryAclCheck",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::bucket_name"
        }
    ]
}

已创建桶，但是在AWSLogs/xxxxxxxx下未生成任何日志文件。我在这里想念什么吗？

Answer 1

来自：https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-access-logs.html

仅当负载平衡器具有TLS侦听器时才创建访问日志并且它们仅包含有关TLS请求的信息。

Answer 2

它可能是以下三个之一：

权限错误：S3 日志传送需要访问目标桶。
权限错误：应启用存储桶以接受日志。
配置错误：不得启用 Amazon S3 对象锁定。
配置错误：如果启用加密，只有 AES256 是 supported。
仅当负载平衡器具有 TLS 侦听器并且它们仅包含有关 TLS 请求的信息时，才会创建访问日志。
留出一些时间让最近的日志配置更改生效。

进一步阅读：https://aws.amazon.com/premiumsupport/knowledge-center/s3-server-access-log-not-delivered/

AWS Network Elb不生成日志

2 个答案: