VPN Log enabled but no logs are generated


Hi y'all,

Recently I enabled this new feature in one of our VPNs (for both tunnels), using a delegated admin account. We already created the log group, but even when the tunnel is UP or when it fails for any on-prem issue, it doesn't record any activity:

https://aws.amazon.com/es/about-aws/whats-new/2022/08/aws-site-vpn-connection-logs-amazon-cloudwatch/

Does this feature only record logs for special conditions in both tunnels (static or BGP routing), or am I missing something?

Thanks and regards in advance,

5 answers

Accepted answer

For this issue it's necessary to create a Support case asking for a software version update for each tunnel endpoint; it seems it is not automatically updated after the "save without changing the tunnel options" workaround.

Karlos
answered 2 years ago

Hello,

Did you follow the steps outlined here; specifically the IAM section?

AWS
EXPERT
answered 2 years ago
  • Even when the role that I used is AdministratorAccess? Do I need to create a new role and attach it to my user?


Hello,

The IAM policy should include the permissions below, despite the admin access. Can you double-check the same?

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "S2SVPNLogging",
          "Effect": "Allow",
          "Action": [
            "logs:CreateLogDelivery",
            "logs:GetLogDelivery",
            "logs:UpdateLogDelivery",
            "logs:DeleteLogDelivery",
            "logs:ListLogDeliveries"
          ],
          "Resource": ["*"]
        },
        {
          "Sid": "S2SVPNLoggingCWL",
          "Effect": "Allow",
          "Action": [
            "logs:PutResourcePolicy",
            "logs:DescribeResourcePolicies",
            "logs:DescribeLogGroups"
          ],
          "Resource": ["CloudWatch Logs log group ARN"]
        }
      ]
    }

More importantly: please note that the VPN endpoints need to be upgraded to the latest software version to enable the feature. Please use Modify VPN connection on the console and click Save without changing anything on the tunnel, so that the software gets updated and the feature can be enabled. Please note that doing so will interrupt VPN tunnel connectivity while the software is being updated, hence do this on the tunnels one by one.

AWS
SUPPORT ENGINEER
answered 2 years ago
  • Already checked both: the attached IAM policy is right, and I refreshed the tunnel options by saving without changing anything on the tunnel, but it still doesn't write to the log group.
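A quick offline check for the two conditions discussed above (tunnel logging actually enabled on the expected log group, and the IAM policy granting the listed actions on the right resources). This is an added example, not AWS code or anything from the thread; the input dicts are constructed to match the shape of a describe_vpn_connections() entry (Options.TunnelOptions[].LogOptions.CloudWatchLogOptions) and an IAM policy document, and the ARN and addresses are made up.

```python
"""Offline audit of Site-to-Site VPN CloudWatch logging (added example, not AWS code).
Inputs are shaped like describe_vpn_connections() entries and IAM policy documents."""
DELIVERY_ACTIONS = {"logs:CreateLogDelivery", "logs:GetLogDelivery", "logs:UpdateLogDelivery",
                    "logs:DeleteLogDelivery", "logs:ListLogDeliveries"}  # need Resource "*"
CWL_ACTIONS = {"logs:PutResourcePolicy", "logs:DescribeResourcePolicies",
               "logs:DescribeLogGroups"}  # need Resource = the log group ARN


def _as_set(v):
    return set(v) if isinstance(v, list) else {v}


def tunnel_log_findings(vpn_connection, log_group_arn):
    """One finding per tunnel whose CloudWatchLogOptions do not point at log_group_arn."""
    findings = []
    for tun in vpn_connection["Options"]["TunnelOptions"]:
        cw = tun.get("LogOptions", {}).get("CloudWatchLogOptions", {})
        if not cw.get("LogEnabled"):
            findings.append(f"{tun['OutsideIpAddress']}: logging disabled")
        elif cw.get("LogGroupArn") != log_group_arn:
            findings.append(f"{tun['OutsideIpAddress']}: logs go to {cw.get('LogGroupArn')}")
    return findings


def policy_gaps(policy, log_group_arn):
    """Required actions the policy does not allow on the right resource.
    Wildcards ("*", "logs:*") count, so AdministratorAccess yields no gaps."""
    allowed = set()
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        acts, res = _as_set(st["Action"]), _as_set(st["Resource"])
        if acts & {"*", "logs:*"}:
            acts |= DELIVERY_ACTIONS | CWL_ACTIONS
        if "*" in res:
            allowed |= acts & (DELIVERY_ACTIONS | CWL_ACTIONS)
        elif log_group_arn in res:
            allowed |= acts & CWL_ACTIONS
    return sorted((DELIVERY_ACTIONS | CWL_ACTIONS) - allowed)


# Constructed sample: tunnel 1 logs to the group, tunnel 2 has logging switched off.
GROUP_ARN = "arn:aws:logs:us-east-1:111122223333:log-group:vpn-logs"
SAMPLE_VPN = {"Options": {"TunnelOptions": [
    {"OutsideIpAddress": "203.0.113.10", "LogOptions": {"CloudWatchLogOptions":
        {"LogEnabled": True, "LogGroupArn": GROUP_ARN, "LogOutputFormat": "json"}}},
    {"OutsideIpAddress": "203.0.113.11", "LogOptions": {"CloudWatchLogOptions": {"LogEnabled": False}}}]}}
# Constructed policy whose CWL statement omits logs:DescribeResourcePolicies.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": sorted(DELIVERY_ACTIONS), "Resource": "*"},
    {"Effect": "Allow", "Action": ["logs:PutResourcePolicy", "logs:DescribeLogGroups"],
     "Resource": GROUP_ARN}]}
```

If both functions return empty lists for a live connection and policy, the configuration side is fine and the remaining suspect is the endpoint software version that the accepted answer mentions.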


Facing the same issue. Please let me know if you managed to resolve this?

Chander
answered 2 years ago
  • Still persists; same issue with different accounts, btw.


Indeed, I have the same policy attached to my user (the admin one), and after that I refreshed the endpoint as you mentioned, but I don't see any new log created yet. Btw, the only log created was this:

"Permissions are set correctly to allow AWS CloudWatch Logs to write into your logs while creating a subscription."

but none related to the endpoints.

Karlos
answered 2 years ago
