AWS Network ELB not generating logs

Time: 2019-04-17 18:47:42

Tags: amazon-web-services amazon-s3 amazon-elb

I am trying to configure access logs for an AWS Network ELB following this document: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-access-logs.html

I specified the bucket name and prefix, then chose "Create this location for me".

The following bucket policy was generated automatically for the bucket:

{
    "Version": "2012-10-17",
    "Id": "AWSConsole-AccessLogs-Policy-xxxxxxxxxxxxx",
    "Statement": [
        {
            "Sid": "AWSConsoleStmt-xxxxxxxxxxxxx",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxxxxxxxxx:root"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucket_name/prefix/AWSLogs/123456789012/*"
        },
        {
            "Sid": "AWSLogDeliveryWrite",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucket_name/prefix/AWSLogs/123456789012/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        },
        {
            "Sid": "AWSLogDeliveryAclCheck",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::bucket_name"
        }
    ]
}

The bucket was created, but no log files are being generated under AWSLogs/xxxxxxxx. Am I missing something here?

2 answers:

Answer 0 (score: 2)

From: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-access-logs.html

Access logs are created only if the load balancer has a TLS listener, and they contain information only about TLS requests.

Answer 1 (score: 0)

It could be one of the following three:

  • Permissions error: S3 log delivery needs access to the target bucket.
  • Permissions error: the bucket should be enabled to accept logs.
  • Configuration error: Amazon S3 Object Lock must not be enabled.
  • Configuration error: if encryption is enabled, only AES256 is supported.
  • Access logs are created only if the load balancer has a TLS listener, and they contain information only about TLS requests.
  • Allow some time for recent logging configuration changes to take effect.

Further reading: https://aws.amazon.com/premiumsupport/knowledge-center/s3-server-access-log-not-delivered/
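The two answers together form a checklist: a TLS listener must exist (answer 0), and the bucket policy, Object Lock state and encryption setting must match what log delivery expects (answer 1). The script below, added here as an example and not code from the question or either answer, turns that checklist into offline checks over data you would normally fetch with `aws elbv2 describe-listeners`, `aws s3api get-bucket-policy`, `get-object-lock-configuration` and `get-bucket-encryption`. The function names are this example's own; the sample policy is the two `delivery.logs.amazonaws.com` statements from the question's console-generated policy, and the listener lists are constructed.

```python
"""Offline pre-flight checks for NLB access-log delivery to S3 (added example)."""

LOG_DELIVERY_SERVICE = "delivery.logs.amazonaws.com"
REQUIRED_ACL = "bucket-owner-full-control"


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allows_service(stmt, action):
    """True if stmt is an Allow of `action` to the log-delivery service principal."""
    principal = stmt.get("Principal")
    services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
    return (stmt.get("Effect") == "Allow"
            and LOG_DELIVERY_SERVICE in services
            and action in _as_list(stmt.get("Action")))


def check_bucket_policy(policy, bucket, account_id, prefix=""):
    """Findings for the bucket policy; empty list means it has the documented shape."""
    findings = []
    key_prefix = prefix.strip("/") + "/" if prefix else ""
    objects_arn = f"arn:aws:s3:::{bucket}/{key_prefix}AWSLogs/{account_id}/*"
    bucket_arn = f"arn:aws:s3:::{bucket}"
    statements = _as_list(policy.get("Statement"))

    # 1. delivery service may write objects under <prefix>/AWSLogs/<account>/
    put = [s for s in statements if _allows_service(s, "s3:PutObject")]
    if not put:
        findings.append(f"no Allow s3:PutObject for {LOG_DELIVERY_SERVICE}")
    else:
        if not any(objects_arn in _as_list(s.get("Resource")) for s in put):
            findings.append(f"PutObject grant does not cover {objects_arn}")
        # 2. the write must be conditioned on bucket-owner-full-control, so the
        #    bucket owner, not the delivery service, ends up owning the log objects
        acls = [_as_list(s.get("Condition", {}).get("StringEquals", {}).get("s3:x-amz-acl"))
                for s in put]
        if not any(REQUIRED_ACL in acl for acl in acls):
            findings.append(f"PutObject grant lacks Condition s3:x-amz-acl = {REQUIRED_ACL}")

    # 3. delivery service must be able to read the bucket ACL before writing
    acl_check = [s for s in statements if _allows_service(s, "s3:GetBucketAcl")]
    if not any(bucket_arn in _as_list(s.get("Resource")) for s in acl_check):
        findings.append(f"no Allow s3:GetBucketAcl for {LOG_DELIVERY_SERVICE} on {bucket_arn}")
    return findings


def check_listeners(listeners):
    """NLB access logs are written only for TLS listeners; TCP/UDP traffic yields none."""
    if not any(listener.get("Protocol") == "TLS" for listener in listeners):
        return ["no TLS listener: NLB access logs are produced only for TLS listeners"]
    return []


def check_bucket_settings(object_lock_enabled, sse_algorithm=None):
    """Bucket-level settings that block log delivery."""
    findings = []
    if object_lock_enabled:
        findings.append("S3 Object Lock is enabled; log delivery requires it disabled")
    if sse_algorithm not in (None, "AES256"):
        findings.append(f"default encryption is {sse_algorithm}; only AES256 is supported")
    return findings


def preflight(policy, listeners, bucket, account_id, prefix="",
              object_lock_enabled=False, sse_algorithm=None):
    """Run every check; an empty result means nothing on the checklist is wrong."""
    return (check_bucket_policy(policy, bucket, account_id, prefix)
            + check_listeners(listeners)
            + check_bucket_settings(object_lock_enabled, sse_algorithm))


# Constructed sample: the two log-delivery statements from the question's policy.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSLogDeliveryWrite", "Effect": "Allow",
         "Principal": {"Service": LOG_DELIVERY_SERVICE},
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::bucket_name/prefix/AWSLogs/123456789012/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": REQUIRED_ACL}}},
        {"Sid": "AWSLogDeliveryAclCheck", "Effect": "Allow",
         "Principal": {"Service": LOG_DELIVERY_SERVICE},
         "Action": "s3:GetBucketAcl",
         "Resource": "arn:aws:s3:::bucket_name"},
    ],
}

# Constructed listener sets, in the shape of describe-listeners output.
TCP_ONLY_LISTENERS = [{"Protocol": "TCP", "Port": 80}]
TLS_LISTENERS = TCP_ONLY_LISTENERS + [{"Protocol": "TLS", "Port": 443}]

if __name__ == "__main__":
    for finding in preflight(SAMPLE_POLICY, TCP_ONLY_LISTENERS,
                             "bucket_name", "123456789012", "prefix"):
        print("FINDING:", finding)
```

Run against the question's own policy with a TCP-only listener set, the policy checks pass and the single finding is the missing TLS listener, which is the condition answer 0 points to; swap in `TLS_LISTENERS` and the result is empty.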