VPN Log enabled but no logs are generated


Hi y'all,

Recently I enabled this new feature on one of our VPNs (for both tunnels), using a delegated admin account. We already created the log group, but even when the tunnel is UP or when it fails because of any on-prem issue, it doesn't record any activity:

https://aws.amazon.com/es/about-aws/whats-new/2022/08/aws-site-vpn-connection-logs-amazon-cloudwatch/

Does this feature only record logs for some special condition in both tunnels (static or BGP protocol used)? Or did I miss something?

Thanks and regards in advance,

5 Answers
Accepted Answer

For this issue it's necessary to create a Support case asking for a software version update for each tunnel endpoint; it seems it is not automatically updated after saving without any change in the tunnel options (the workaround).

Karlos
answered 2 years ago

Hello,

Did you follow the steps outlined here, specifically the IAM section?

AWS
EXPERT
answered 2 years ago
  • Even when the role that I used is AdministratorAccess? Do I need to create a new role and attach it to my user?


Hello,

The IAM permissions should include the permissions below, despite the admin access. Can you double-check the same?

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "S2SVPNLogging",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogDelivery",
        "logs:GetLogDelivery",
        "logs:UpdateLogDelivery",
        "logs:DeleteLogDelivery",
        "logs:ListLogDeliveries"
      ],
      "Resource": [ "*" ]
    },
    {
      "Sid": "S2SVPNLoggingCWL",
      "Effect": "Allow",
      "Action": [
        "logs:PutResourcePolicy",
        "logs:DescribeResourcePolicies",
        "logs:DescribeLogGroups"
      ],
      "Resource": [ "CloudWatch Logs log group ARN" ]
    }
  ]
}

More importantly: please note that the VPN endpoints need to be upgraded to enable the feature and be on the latest software version. Please use Modify VPN connection on the console and click Save without changing anything on the tunnel, so that the software can be updated for the feature to be enabled. Please note that doing so will interrupt VPN tunnel connectivity for the time the software is being updated, hence do the same action on the tunnels one by one.

AWS
SUPPORT ENGINEER
answered 2 years ago
  • Already checked both: the IAM policy attached is right, and I refreshed the tunnel options by saving without changing anything on the tunnel, but it still doesn't write to the log group.
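The comment above asks whether AdministratorAccess already covers the policy the support engineer posted. The following is an added example, not part of this thread or of any AWS tool: a small offline check that takes an IAM policy document and reports which of the Site-to-Site VPN logging actions it does not grant (or explicitly denies). The sample policies and the log group ARN are constructed for the demonstration; NotAction, NotResource and Condition keys are deliberately not evaluated, so a real evaluation still belongs to the IAM policy simulator.

```python
"""Offline check: does an IAM policy grant the Site-to-Site VPN logging permissions?

Hypothetical helper written for this thread. It implements only the
Allow/Deny + Action/Resource wildcard matching that the posted policy needs;
NotAction, NotResource and Condition are NOT evaluated (simplification).
"""
import fnmatch
import json

# The two action sets from the policy posted in the answer above. The
# log-delivery actions are granted on Resource "*"; the CloudWatch Logs
# actions are scoped to the destination log group's ARN.
DELIVERY_ACTIONS = (
    "logs:CreateLogDelivery", "logs:GetLogDelivery", "logs:UpdateLogDelivery",
    "logs:DeleteLogDelivery", "logs:ListLogDeliveries",
)
LOG_GROUP_ACTIONS = (
    "logs:PutResourcePolicy", "logs:DescribeResourcePolicies", "logs:DescribeLogGroups",
)

# Constructed sample ARN (placeholder account id and log group name).
LOG_GROUP_ARN = "arn:aws:logs:us-east-1:123456789012:log-group:/aws/vpn/example"

# Constructed sample policies.
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

POSTED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "S2SVPNLogging", "Effect": "Allow",
     "Action": list(DELIVERY_ACTIONS), "Resource": ["*"]},
    {"Sid": "S2SVPNLoggingCWL", "Effect": "Allow",
     "Action": list(LOG_GROUP_ACTIONS), "Resource": [LOG_GROUP_ARN]}]}

# Same as POSTED_POLICY but without logs:PutResourcePolicy.
INCOMPLETE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": list(DELIVERY_ACTIONS), "Resource": "*"},
    {"Effect": "Allow", "Action": ["logs:DescribeResourcePolicies", "logs:DescribeLogGroups"],
     "Resource": LOG_GROUP_ARN}]}

# Admin allow overridden by an explicit deny on all CloudWatch Logs actions
# (e.g. from a permissions boundary or SCP-like guardrail copied into the policy).
DENY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "logs:*", "Resource": "*"}]}


def _as_list(value):
    """IAM accepts either a string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style wildcard match ('*' and '?'); action names are case-insensitive."""
    value = value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower()) for p in patterns)


def _statement_covers(stmt, action, resource):
    return (_matches(_as_list(stmt.get("Action")), action)
            and _matches(_as_list(stmt.get("Resource")), resource))


def missing_vpn_logging_permissions(policy, log_group_arn):
    """Return the (action, resource) pairs the policy does not allow or explicitly denies.

    An empty list means every permission from the posted policy is covered.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = _as_list(policy.get("Statement"))
    allows = [s for s in statements if s.get("Effect") == "Allow"]
    denies = [s for s in statements if s.get("Effect") == "Deny"]
    checks = ([(a, "*") for a in DELIVERY_ACTIONS]
              + [(a, log_group_arn) for a in LOG_GROUP_ACTIONS])
    missing = []
    for action, resource in checks:
        allowed = any(_statement_covers(s, action, resource) for s in allows)
        denied = any(_statement_covers(s, action, resource) for s in denies)
        if denied or not allowed:  # explicit Deny always wins in IAM
            missing.append((action, resource))
    return missing


if __name__ == "__main__":
    for name, policy in [("AdministratorAccess-like", ADMIN_POLICY), ("posted", POSTED_POLICY),
                         ("incomplete", INCOMPLETE_POLICY), ("explicit deny", DENY_POLICY)]:
        gaps = missing_vpn_logging_permissions(policy, LOG_GROUP_ARN)
        print(f"{name}: {'OK' if not gaps else gaps}")
```

Run against a real policy by loading the JSON from `aws iam get-policy-version` output and passing the real log group ARN. An "OK" from the AdministratorAccess-like policy is consistent with the comment above: the gap in that case is not the IAM side, which is why the thread moves on to the endpoint software version.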


Facing the same issue. Please let me know if you got to resolve this?

Chander
answered 2 years ago
  • The same issue still persists with different accounts, btw.


Indeed, I have the same policy attached to my user (the admin one), and after that I refreshed the endpoint as you mentioned, but I don't see any new log created yet. Btw, the only log created was this:

"Permissions are set correctly to allow AWS CloudWatch Logs to write into your logs while creating a subscription."

but none related to the endpoints.

Karlos
answered 2 years ago
