AWS ALB Access Logs
Overview
AWS Application Load Balancer (ALB) access logs provide detailed information about incoming HTTP/HTTPS requests, including timestamps, client IP addresses, requested URLs, response codes, and user-agent details. These logs aid in monitoring traffic patterns, troubleshooting issues, and analyzing application performance within AWS infrastructure.
The volume of ALB access logs scales linearly with network traffic to the ALB, so storing and processing full-fidelity logs becomes expensive. Observo helps optimize ALB access logs, reducing the cost of processing them while increasing the signal in the logs you keep.
Event Structure
Observo supports parsing ALB logs using the "AWS ALB Logs Parser" transform, which translates each raw log line into a much richer, structured format. After processing by this transform, a log event looks as follows:
{
  "actions_executed": "forward",
  "chosen_cert_arn": null,
  "classification": null,
  "classification_reason": null,
  "client_host": "192.168.10.11:2001",
  "domain_name": null,
  "elb": "test-alb/28nb1j581626",
  "elb_status_code": "200",
  "error_reason": null,
  "matched_rule_priority": "1",
  "received_bytes": 20,
  "redirect_url": null,
  "request_creation_time": "2023-11-10T10:12:32.371000Z",
  "request_method": "POST",
  "request_processing_time": 0,
  "request_protocol": "HTTP/1.1",
  "request_url": "http://www.request.com:80/",
  "response_processing_time": 0,
  "sent_bytes": 300,
  "ssl_cipher": null,
  "ssl_protocol": null,
  "target_group_arn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/test-tg/271nmasb2374b",
  "target_host": null,
  "target_port_list": [],
  "target_processing_time": 0.02,
  "target_status_code": "200",
  "target_status_code_list": [],
  "timestamp": "2023-11-10T10:12:32.381000Z",
  "trace_id": "Root=1-18726361-12jkbn258972n1",
  "type": "http",
  "user_agent": "test-agent"
}

Aggregate Repetitive Logs
A large share of log volume usually stems from a small number of hosts, and hosts tend to send bursts of events in a short window of time. Using Observo's Reduce transform, you can aggregate repetitive logs that originate from the same source within a short period of time.
Create a Reduce transform in your pipeline with the following configuration:
Max Events: 10
Batch Flush Timeout (seconds): 30
Reduce Conditions:
Group By:
Reduction Methods:
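As an added example (not Observo's code and not part of this page), the following Python parses raw ALB access-log lines into the structured event shown under Event Structure and then aggregates repetitive events per client in the manner of the Reduce settings above (Max Events 10, Batch Flush Timeout 30 seconds). The sample log lines are constructed; the grouping key (client IP without port), the summary fields, and the rule that only 2xx/3xx responses are collapsed while error responses pass through untouched are assumptions. Field names follow the page, but raw values such as the elb name are kept exactly as they appear in the line.

```python
"""Parse raw AWS ALB access-log lines into the structured event shown above
and collapse repetitive events per client, mirroring the Reduce settings
(Max Events / Batch Flush Timeout). Added example, not Observo's code: the
sample lines, the grouping key (client IP without port) and the
"only reduce 2xx/3xx" condition are assumptions."""
import re
from datetime import datetime

# ALB access-log fields in the order AWS writes them; quoted ones may hold spaces.
FIELDS = [
    "type", "timestamp", "elb", "client_host", "target_host",
    "request_processing_time", "target_processing_time",
    "response_processing_time", "elb_status_code", "target_status_code",
    "received_bytes", "sent_bytes", "request", "user_agent", "ssl_cipher",
    "ssl_protocol", "target_group_arn", "trace_id", "domain_name",
    "chosen_cert_arn", "matched_rule_priority", "request_creation_time",
    "actions_executed", "redirect_url", "error_reason", "target_port_list",
    "target_status_code_list", "classification", "classification_reason",
]
FLOAT_FIELDS = {"request_processing_time", "target_processing_time", "response_processing_time"}
INT_FIELDS = {"received_bytes", "sent_bytes"}
LIST_FIELDS = {"target_port_list", "target_status_code_list"}
TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # a quoted field or a bare token


def parse_alb_line(line: str) -> dict:
    """Turn one raw log line into a dict using the field names shown above."""
    tokens = [q if q else bare for q, bare in TOKEN.findall(line)]
    if len(tokens) < len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(tokens)}")
    raw = dict(zip(FIELDS, tokens))
    event = {}
    for name, value in raw.items():
        if name == "request":
            continue  # split into request_method/url/protocol below
        if value == "-":  # AWS writes "-" for absent values
            event[name] = [] if name in LIST_FIELDS else None
        elif name in FLOAT_FIELDS:
            event[name] = float(value)  # -1 means the target never responded
        elif name in INT_FIELDS:
            event[name] = int(value)
        elif name in LIST_FIELDS:
            event[name] = value.split()
        else:
            event[name] = value
    # "METHOD URL PROTOCOL"; a malformed request may leave parts as "-"
    parts = (raw["request"].split(" ", 2) + [None, None, None])[:3]
    event["request_method"], event["request_url"], event["request_protocol"] = [
        None if p in (None, "-") else p for p in parts]
    return event


def _ts(event):
    return datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))


def is_success(event):
    """Assumed reduce condition: collapse only 2xx/3xx, keep errors intact."""
    return event["elb_status_code"][0] in "23"


def reduce_events(events, max_events=10, flush_timeout=30.0, condition=is_success):
    """Group matching events by client IP and emit one summary per batch.
    A batch is flushed when it reaches max_events or when the next event from
    that client arrives more than flush_timeout seconds after the batch's first
    event. Events failing the condition pass through unchanged."""
    groups, out = {}, []

    def flush(key):
        batch = groups.pop(key)
        out.append({
            "client_ip": key, "event_count": len(batch),
            "first_timestamp": batch[0]["timestamp"], "last_timestamp": batch[-1]["timestamp"],
            "received_bytes": sum(e["received_bytes"] for e in batch),
            "sent_bytes": sum(e["sent_bytes"] for e in batch),
            "elb_status_codes": sorted({e["elb_status_code"] for e in batch}),
            "request_urls": sorted({e["request_url"] for e in batch}),
        })

    for ev in sorted(events, key=_ts):  # batching assumes time order
        if not condition(ev):
            out.append(ev)
            continue
        key = ev["client_host"].rsplit(":", 1)[0]
        batch = groups.get(key)
        if batch and (_ts(ev) - _ts(batch[0])).total_seconds() > flush_timeout:
            flush(key)
        groups.setdefault(key, []).append(ev)
        if len(groups[key]) >= max_events:
            flush(key)
    for key in list(groups):
        flush(key)
    return out


def _sample_line(ts, client, status, url="http://www.example.com:80/"):
    """Build a constructed ALB log line (identifiers borrowed from the page)."""
    return (f"http {ts} app/test-alb/28nb1j581626 {client} 10.0.0.1:80 0.000 0.001 0.000 "
            f'{status} {status} 34 366 "GET {url} HTTP/1.1" "curl/7.46.0" - - '
            "arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/test-tg/271nmasb2374b "
            '"Root=1-18726361-12jkbn258972n1" "-" "-" 1 2023-11-10T10:12:32.371000Z '
            '"forward" "-" "-" "10.0.0.1:80" "200" "-" "-"')


SAMPLE_LINES = [  # constructed traffic, not real data
    _sample_line("2023-11-10T10:12:32.381000Z", "192.168.10.11:2001", 200),
    _sample_line("2023-11-10T10:12:33.100000Z", "192.168.10.11:2002", 200),
    _sample_line("2023-11-10T10:12:34.500000Z", "10.20.30.40:4433", 502),
    _sample_line("2023-11-10T10:12:35.000000Z", "192.168.10.11:2003", 404, "http://www.example.com:80/missing"),
    _sample_line("2023-11-10T10:13:20.000000Z", "192.168.10.11:2004", 200),  # >30 s after the first
]


def demo():
    return reduce_events(parse_alb_line(line) for line in SAMPLE_LINES)


if __name__ == "__main__":
    for record in demo():
        print(record)
```

Running the script prints the 502 and 404 events unchanged, followed by two summary records for the 192.168.10.11 client: the two 200s inside the 30-second window become one record, and the 200 that arrives later starts a new batch. Error responses are deliberately kept at full fidelity, since collapsing them would remove exactly the signal needed when troubleshooting.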