Access Logs
BNS Load Balancing service provides an Access Log feature that captures detailed information about requests sent to the user's load balancer. Access logs can be used for analyzing traffic patterns and troubleshooting. The information collected varies depending on whether it is a Network Load Balancer (NLB)/Direct Server Return Network Load Balancer (DSRNLB) or an Application Load Balancer (ALB). For more details, refer to collected information.
The Access Log is an 'optional' feature, and by default, it is set to 'inactive.' Once enabled for the load balancer, logs are captured and stored in a compressed file in the specified bucket. Access logs can be deactivated at any time.
When the Access Log feature is enabled, storage fees will apply. However, no networking fees are charged for transmitting log files. For more information about storage costs, refer to the pricing guide.
Access log files
When the Access Log feature is enabled, BNS Load Balancing service posts log files for each ALB or NLB/DSRNLB every 30 minutes. The log file name uses the following format:
{use-_bucket-name}/KCLogs/{region-name}/yyyy/mm/dd/{az-name}_{project-id}_{lb-type}_{load-balancer-id}_{end-time}_{ip-address}.log.gz
| Element | Description |
|---|---|
{user_bucket_name} | Name of the bucket where the access log is stored |
| KCLogs | Default prefix |
{region_name} | Region name of the load balancer and the bucket |
| yyyy/mm/dd | Date the log was delivered |
{az_name} | Availability zone of the load balancer |
{project_id} | Project ID of the load balancer |
{lb_type} | Load balancer type - Network Load Balancer: nlb- Application Load Balancer: alb- Direct Server Return Network Load Balancer: dsrnlb |
{load_balancer_id} | Resource ID of the load balancer |
{end_time} | Date and time marking the end of the logging interval |
{ip_address} | IP address of the load balancer handling the request |
You can store log files in the bucket for the desired period. Additionally, you can specify the log file retention period using the bucket policy Lifecycle settings. For more details, refer to the Object Storage > Lifecycle Settings document.
Access log fields
The fields of the access log entries for KakaoCloud Load Balancing service are explained in order. The access log fields differ based on whether it is NLB or ALB, and all fields are separated by commas.
Application Load Balancer fields
| Field | Description |
|---|---|
| project_id | Project ID |
| time | Time the load balancer generated the response for the client |
| lb_id | Resource ID of the load balancer |
| client_port | IP address and port of the client making the request |
| target_port | IP address and port of the target in the target group |
| target_status_code | Response status code of the target - This value is recorded only if the connection to the target is established and the target sends a response |
| request | HTTP method and request target - HTTP method: Defines the action to perform on the given resource, e.g., GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH- Request target: The absolute path of the URL, protocol, port, and domain, which changes based on the HTTP method |
| user_agent | User agent string identifying the client that sent the request |
| ssl_cipher | SSL cipher information |
| ssl_protocol | SSL protocol information |
| request_creation_time | Time the load balancer received the request from the client |
Network Load Balancer and Direct Server Return Network Load Balancer Fields
| Field | Description |
|---|---|
| project_id | Project ID |
| time | Time the load balancer generated the response for the client |
| lb_id | Resource ID of the load balancer |
| listener_id | Resource ID of the listener for the connection |
| client_port | IP address and port of the client making the request |
| destination_port | IP address and port of the target - If the client directly connects to the load balancer: listener - If the client connects via VPC endpoint services: VPC endpoint |
| tls_cipher | Reserved field |
| tls_protocol_version | Reserved field |
Bucket requirements
When enabling the access log, you must specify a bucket from Object Storage for storing the logs. The bucket where the access log is stored must meet the following requirements:
Requirements
- The bucket must be in the same region as the load balancer.
Access key requirements
When enabling the access log, you must select an access key ID and the associated secret access key. The secret access key can be obtained when issuing the access key. The created access key must not have an expiration date specified.
Enable and disable access logs
To enable or disable access logs for a load balancer from the console, refer to the following documents:
- Application Load Balancer > Access Log Settings
- Network Load Balancer > Access Log Settings
- Direct Server Return Network Load Balancer > Access Log Settings
Process access log files
Access log files are stored in compressed files. When downloading the file, you need to unzip it to view the information.
Set bucket encryption for access logs
You can decide whether to encrypt the access logs before storing them in the bucket. For security, it is recommended to enable encryption.