I want the logs for my NLB, but the protocol I'm using is TCP, so is there any way by which I can export the logs of that NLB to S3 using the TCP protocol only?

asked 5 months ago, 324 views
1 Answer

Hi,

The only logs you can get from the NLB are if it is configured with a TLS listener.

Access logs are created only if the load balancer has a TLS listener and they contain information only about TLS requests.

https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-access-logs.html

Another option is to use VPC Flow Logs:

VPC Flow Logs: You can use VPC Flow Logs to capture detailed information about the traffic going to and from your Network Load Balancer. For more information, see VPC flow logs in the Amazon VPC User Guide.

Create a flow log for each network interface for your load balancer. There is one network interface per load balancer subnet. To identify the network interfaces for a Network Load Balancer, look for the name of the load balancer in the description field of the network interface.

There are two entries for each connection through your Network Load Balancer, one for the frontend connection between the client and the load balancer and the other for the backend connection between the load balancer and the target. If the target group's client IP preservation attribute is enabled, the connection appears to the instance as a connection from the client. Otherwise, the connection's source IP is the load balancer's private IP address. If the security group of the instance doesn't allow connections from the client but the network ACLs for the load balancer subnet allow them, the logs for the network interface for the load balancer show "ACCEPT OK" for the frontend and backend connections, while the logs for the network interface for the instance show "REJECT OK" for the connection.

If a Network Load Balancer has associated security groups, your flow logs contain entries for traffic that is allowed or rejected by the security groups. For Network Load Balancers with TLS listeners, your flow logs entries reflect only the rejected entries.

EXPERT, answered 5 months ago
EXPERT, reviewed 5 months ago
  • We want the target response time of each request coming on the NLB, and that can't be found in VPC flow logs.
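A way to act on the second option in the answer, added here as an illustration and not code from the answer or from AWS: a small Python parser for default-format VPC Flow Log records that separates the frontend leg (client to NLB) from the backend leg (NLB to target) using the NLB's ENI ids and private IPs, and flags the situation the answer describes, where the load balancer's ENI shows ACCEPT for the backend connection while the instance's ENI shows REJECT for the same connection (a security group on the instance that does not allow it). The ENI ids, IP addresses, account id and log lines are constructed sample data; the field order is the default (version 2) flow log format.

```python
"""Classify VPC Flow Log records captured on a Network Load Balancer's ENIs.

Added illustration (not from the re:Post answer). The ENI ids, IPs, account id
and log lines below are all constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass

# Default VPC Flow Log format (version 2), space separated, in this order.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    action: str
    log_status: str

    def flow_key(self):
        """5-tuple identifying one connection regardless of which ENI saw it."""
        return (self.srcaddr, self.srcport, self.dstaddr, self.dstport, self.protocol)


def parse_record(line: str) -> FlowRecord:
    """Parse one default-format flow log line into a FlowRecord."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    return FlowRecord(
        interface_id=rec["interface_id"],
        srcaddr=rec["srcaddr"],
        dstaddr=rec["dstaddr"],
        srcport=int(rec["srcport"]),
        dstport=int(rec["dstport"]),
        protocol=int(rec["protocol"]),
        action=rec["action"],
        log_status=rec["log_status"],
    )


def classify(rec, lb_enis, lb_private_ips, target_enis):
    """Label a record as the frontend leg (client -> NLB), the backend leg as
    seen from the NLB's ENI (NLB -> target), that same leg as seen from the
    target's ENI, or something unrelated to the load balancer."""
    if rec.interface_id in lb_enis:
        return "frontend" if rec.dstaddr in lb_private_ips else "backend"
    if rec.interface_id in target_enis:
        return "target"
    return "other"


def find_backend_rejections(lines, lb_enis, lb_private_ips, target_enis):
    """Return flow keys the NLB forwarded (ACCEPT on its ENI) but the target's
    ENI rejected (REJECT): the instance security group does not allow the
    forwarded connection even though the NLB subnet's network ACL does."""
    seen = defaultdict(dict)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.log_status != "OK":
            continue  # NODATA / SKIPDATA records carry no action to compare
        kind = classify(rec, lb_enis, lb_private_ips, target_enis)
        if kind in ("backend", "target"):
            seen[rec.flow_key()][kind] = rec.action
    return sorted(key for key, legs in seen.items()
                  if legs.get("backend") == "ACCEPT" and legs.get("target") == "REJECT")


# Constructed sample: eni-0aaa... is the NLB's ENI (private IP 10.0.1.10),
# eni-0bbb... is the target's ENI (10.0.2.20). The first connection (client
# 203.0.113.5, client IP preservation on) is rejected by the instance; the
# second (client 198.51.100.7, preservation off, so the backend leg comes from
# the NLB's private IP) is accepted end to end.
SAMPLE_LOG = """
2 123456789012 eni-0aaa11111111111 203.0.113.5 10.0.1.10 51234 443 6 10 840 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0aaa11111111111 203.0.113.5 10.0.2.20 51234 443 6 10 840 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0bbb22222222222 203.0.113.5 10.0.2.20 51234 443 6 10 840 1700000000 1700000060 REJECT OK
2 123456789012 eni-0aaa11111111111 198.51.100.7 10.0.1.10 40001 443 6 8 600 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0aaa11111111111 10.0.1.10 10.0.2.20 61000 443 6 8 600 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0bbb22222222222 10.0.1.10 10.0.2.20 61000 443 6 8 600 1700000000 1700000060 ACCEPT OK
""".strip().splitlines()

LB_ENIS = {"eni-0aaa11111111111"}
LB_PRIVATE_IPS = {"10.0.1.10"}
TARGET_ENIS = {"eni-0bbb22222222222"}

if __name__ == "__main__":
    for key in find_backend_rejections(SAMPLE_LOG, LB_ENIS, LB_PRIVATE_IPS, TARGET_ENIS):
        print("target rejected a connection the NLB forwarded:", key)
```

Run as-is it reports the single rejected connection from the sample. The ENI ids to feed it are the ones whose description names the load balancer, as the answer says; flow logs give accept/reject decisions and byte counts per leg, and as the comment notes, they carry no per-request target response time.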
