Access Logging
Access Logging is a feature that records requests performed on Object Storage buckets for use in security auditing and access analysis.
Understand and use access logging
When the Access Logging feature is enabled, detailed records of requests performed on an Object Storage bucket are logged. These logs can be used for purposes such as security and access auditing or analyzing client requests to the bucket.
For details on how to enable access logging, refer to Configure access logging.
Access logs record each request as a single entry, with each field separated by a space. If a value does not exist or is unknown, it is represented by a -.
Detailed explanations of each field can be found in Log record fields.
Bucket role permissions for log transfer
Logs are transferred from the source bucket to the destination bucket using the credentials of the Object Storage Agent service account.
To ensure logs are stored properly, the destination bucket must grant the Object Storage Agent account the storage.buckets.get and storage.buckets.update permissions for the Object Storage role.
The Object Storage Agent account is a service account with the IAM Project Member role.
When a bucket is created, the IAM Project Member group is granted the storage editor role by default, allowing logs to be transferred without additional configuration.
When logs are transferred from the source bucket to the destination bucket, entries are recorded and stored within a few hours after a request is made. However, if the logging status of the bucket is changed, updates are not applied immediately but reflected gradually over time. Log transfer may also be delayed or not guaranteed depending on usage and system conditions. Therefore, it is important to verify log transfer results.
If the Project Member group is removed from the destination bucket's permissions, the Object Storage Agent account in that group will lose its storage editor role and will not be able to store logs. In this case, you must add the Object Storage Agent service account with at least the storage editor role as shown below.
Add Object Storage Agent role
Log object key format
Access logs are created using the following object key formats:
- SimplePrefix: DestinationPrefixYYYY-MM-DD-hh-mm-ss-UniqueString
- PartitionedDateSource: DestinationPrefixSourceAccountId/SourceRegion/SourceBucket/YYYY/MM/DD/YYYY-MM-DD-hh-mm-ss-UniqueString
- Object key format details:
  - YYYY, MM, DD, hh, mm, ss: year, month, day, hour, minute, second (in UTC)
  - DestinationPrefix: destination prefix
  - ProjectID: project ID
  - SourceRegion: region name
  - SourceBucket: source bucket
  - UniqueString: identifier string for the object key
UniqueString prevents logs from being overwritten.
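The following added example (not part of the original documentation) parses both key formats and lists the UTC hours in a window for which the destination bucket holds no log object, as one way to verify log transfer results. The function names, the `logs/` prefix, the account ID placeholder and the sample keys are assumptions constructed for illustration, and an empty hour only indicates a delivery problem for a bucket that receives steady traffic.

```python
import re
from datetime import datetime, timedelta, timezone

# hh-mm-ss-UniqueString tail shared by both documented key formats.
_STAMP = r"(?P<hms>\d{2}-\d{2}-\d{2})-(?P<unique>[^/]+)"
_SIMPLE = re.compile(r"(?P<y>\d{4})-(?P<m>\d{2})-(?P<d>\d{2})-" + _STAMP)
# The backreferences require the YYYY/MM/DD folders to match the timestamp date.
_PARTITIONED = re.compile(
    r"(?P<account>[^/]+)/(?P<region>[^/]+)/(?P<bucket>[^/]+)/"
    r"(?P<y>\d{4})/(?P<m>\d{2})/(?P<d>\d{2})/(?P=y)-(?P=m)-(?P=d)-" + _STAMP)

def parse_log_key(key, prefix):
    """Parse a log object key under the configured DestinationPrefix, or return None."""
    if not key.startswith(prefix):
        return None
    rest = key[len(prefix):]
    for name, rx in (("PartitionedDateSource", _PARTITIONED), ("SimplePrefix", _SIMPLE)):
        m = rx.fullmatch(rest)
        if m:
            break
    else:
        return None
    g = m.groupdict()
    try:  # rejects impossible dates such as month 13
        when = datetime.strptime("{y}-{m}-{d}-{hms}".format(**g), "%Y-%m-%d-%H-%M-%S")
    except ValueError:
        return None
    return {"format": name, "time": when.replace(tzinfo=timezone.utc),
            "account": g.get("account"), "region": g.get("region"),
            "bucket": g.get("bucket"), "unique": g["unique"]}

def hours_without_logs(keys, prefix, start, hours):
    """UTC hours in [start, start + hours) that have no log object key."""
    seen = set()
    for key in keys:
        info = parse_log_key(key, prefix)
        if info:
            seen.add(info["time"].replace(minute=0, second=0))
    return [h for h in (start + timedelta(hours=i) for i in range(hours)) if h not in seen]

# Constructed sample listing of a destination bucket (not real log keys).
SAMPLE_KEYS = [
    "logs/2024-05-16-08-20-05-A1B2C3",
    "logs/example-account/kr-central-2/Kakao-bucket/2024/05/16/2024-05-16-10-01-00-D4E5F6",
    "logs/example-account/kr-central-2/Kakao-bucket/2024/05/17/2024-05-16-10-01-00-XX",
    "other/readme.txt",
]
```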
Log record fields
The following describes the log record fields recorded in the access logs.
Domain ID
The customer's domain ID. This value is recorded in the domain_id field.
e.g.) 327373ec52974577a79a5e26b26c27e9
Project ID
The project ID under the customer's domain. This value is recorded in the project_id field.
e.g.) ca7f6c731a004091a32d4eb97ec17271
Bucket name
The name of the bucket that processed the request. This value is recorded in the bucket field.
e.g.) Kakao-bucket
Bucket owner ID
The owner ID of the source bucket. This value is recorded in the bucket_owner field.
e.g.) 54ba02ba408d4968a35686e48db85ea8
Time
The time the request was made to the bucket. This value is recorded in the time field and uses the format [%d/%B/%Y:%H:%M:%S %z].
- %d: two-digit day
- %B: abbreviated month name (e.g., May)
- %Y: four-digit year
- %H: two-digit hour
- %M: two-digit minute
- %S: two-digit second
- %z: UTC offset
The time is recorded in UTC.
e.g.) 16/May/2024:08:20:05 +0000
Remote IP
The IP address of the client making the request. This value is recorded in the remote_ip field.
e.g.) 127.0.0.1
User ID
The requester ID. This value is recorded in the user_id field. For public access without a separate authentication token, the value is recorded as -.
e.g.) 0e26ca49d2ca4bbfbd85e5901545c796
Request ID
An ID generated to identify the request. This value is recorded in the request_id field.
e.g.) tx000008b923132a7716acd-0065795106-8fb2f-kr-central-2
Operation
The operation is recorded in the operation field and expressed as [REST.{HTTP_method}.{resource_type}].
Objects deleted through lifecycle policy are not logged.
e.g.) REST.POST.OBJECT
Object key
The key of the object being requested. This value is recorded in the key field.
e.g.) /Image/kakaocloud/ryan.jpg
Request URI
The Request-URI from the HTTP request message. This value is recorded in the request_uri field.
e.g.) /v1/1b5e24ba80104e9f9aecd2bcfeb7da2/object-reg-test-1/mulit-object?uploads
HTTP status
The HTTP status code of the response. This value is recorded in the http_status field.
e.g.) 200
Error code
Object Storage-specific error code. This value is recorded in the error_code field.
If there is no error, it is recorded as -.
(Only recorded for S3 API calls.)
e.g.) -
Request body size
Number of bytes received in the request. This value is recorded in the request_body_size field.
e.g.) 2662992
Response body size
Number of response bytes sent, excluding HTTP protocol overhead. This value is recorded in the response_body_size field.
e.g.) 5432290
Object size
Total size of the object. This value is recorded in the object_size field.
e.g.) 7452918
Total time
The time consumed by Object Storage to process the request, in milliseconds. This value is recorded in the total_time field.
Measured from the time the request bytes are received to the time the final response byte is sent.
e.g.) 253.507608ms
HTTP referer
Value of the HTTP referer header. This value is recorded in the http_referer field.
If none, recorded as -.
Browsers typically set this to the URL of the referring or embedding page.
e.g.) http://www.example.com/webservices
User-Agent
Value of the HTTP User-Agent header. This value is recorded in the user_agent field.
e.g.) Apache-httpClient/4.5.14 (java/17.0.9)
Version ID
Version ID of the object being copied. This value is recorded in the version_id field.
If not available, recorded as -.
(Currently, versioning is not supported.)
e.g.) -
Host ID
ID of the host machine that processed the request, recorded in encrypted form. This value is recorded in the host_id field.
e.g.) s9lzHYrFp76ZVxRcpX9+5cjAnEH2ROuNkd2BHfIa6UkFVdtjf5mKR3/eTPFvsiP/XV/VLi31234=
Protocol
The API protocol used for the Object Storage request. This value is recorded in the protocol field.
Supports both [S3] and [Swift] APIs.
e.g.) S3
Authentication type
Type of authentication used in the request. This value is recorded in the authentication_type field.
AuthHeader for header-based authentication, QueryString for presigned URL, and - for unauthenticated requests.
e.g.) AuthHeader
Host header
The endpoint of Object Storage. This value is recorded in the host field.
e.g.) objectstorage.kr-central-2.kakaocloud.com
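As an added example (not part of the original documentation), the following audit pass uses the fields above for the security review this feature is meant for: anonymous requests that succeeded, presigned URL use, successful deletes, and repeated 403 responses from one address. It works on records already split into the documented field names, so no raw line layout is assumed; the finding labels, the threshold and the sample records are constructed for illustration.

```python
from collections import Counter
from datetime import datetime

def parse_time(value):
    """Parse the documented [%d/%B/%Y:%H:%M:%S %z] time field (brackets optional)."""
    text = value.strip("[]")
    for fmt in ("%d/%b/%Y:%H:%M:%S %z", "%d/%B/%Y:%H:%M:%S %z"):  # short or full month
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            pass
    raise ValueError(f"unrecognised time field: {value!r}")

def audit(records, denied_threshold=3):
    """Return (finding, subject, detail) tuples; labels and threshold are hypothetical."""
    findings, denied = [], Counter()
    for r in records:
        when = parse_time(r["time"]).isoformat()
        parts = r["operation"].split(".")  # REST.{HTTP_method}.{resource_type}
        method = parts[1] if len(parts) == 3 else "-"
        status = int(r["http_status"]) if r["http_status"].isdigit() else 0  # "-" = unknown
        ok = 200 <= status < 300
        if ok and r["user_id"] == "-" and r["authentication_type"] == "-":
            findings.append(("anonymous-success", r["request_id"], when))
        if r["authentication_type"] == "QueryString":  # presigned URL
            findings.append(("presigned-url", r["request_id"], when))
        if ok and method == "DELETE":
            findings.append(("delete-success", r["request_id"], when))
        if status == 403:
            denied[r["remote_ip"]] += 1
    findings += [("denied-burst", ip, n) for ip, n in sorted(denied.items())
                 if n >= denied_threshold]
    return findings

def _rec(request_id, remote_ip, user_id, operation, http_status, authentication_type):
    return {"time": "[16/May/2024:08:20:05 +0000]", "request_id": request_id,
            "remote_ip": remote_ip, "user_id": user_id, "operation": operation,
            "http_status": http_status, "authentication_type": authentication_type}

# Constructed sample records (documentation IP ranges, made-up request IDs).
USER = "0e26ca49d2ca4bbfbd85e5901545c796"  # example user ID from the page
SAMPLE_RECORDS = [
    _rec("req-1", "192.0.2.10", USER, "REST.PUT.OBJECT", "200", "AuthHeader"),
    _rec("req-2", "198.51.100.7", "-", "REST.GET.OBJECT", "200", "-"),
    _rec("req-3", "198.51.100.7", USER, "REST.GET.OBJECT", "200", "QueryString"),
    _rec("req-4", "192.0.2.10", USER, "REST.DELETE.OBJECT", "204", "AuthHeader"),
] + [_rec(f"req-{n}", "203.0.113.5", "-", "REST.GET.OBJECT", "403", "-") for n in (5, 6, 7)]
```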