
Failed to collect access logs from the SLB instance

Last Updated: Sep 27, 2020

Introduction

This article describes how to troubleshoot SLB instance access logs that are not collected.

 

Background

Alibaba Cloud reminds you that:

  • Before you perform operations that may cause risks, such as modifying instance configurations or data, we recommend that you check the disaster recovery and fault tolerance capabilities of the instances to ensure data security.
  • You can modify the configurations and data of instances including but not limited to Elastic Compute Service (ECS) and Relational Database Service (RDS) instances. Before the modification, we recommend that you create snapshots or enable RDS log backup.
  • If you have authorized or submitted sensitive information such as the logon account and password in the Alibaba Cloud Management Console, we recommend that you modify such information in a timely manner.

 

Check whether the access log function is enabled for the SLB instance.

Access logging must be configured separately for each SLB instance. Access logs generated after the feature is enabled are written to Log Service in real time.

  1. Log on to the SLB console. In the left-side navigation pane, choose Log Management > Access Logs. On the Access Logs (Layer-7) page, confirm that the specified SLB instance exists.
  2. Make sure that the Logstore in the SLS log storage that corresponds to the SLB instance is in the correct location.
    Tip: The Log Service (SLS) project and Logstore are displayed in the log storage column. Check whether SLB logs exist in that location.

 

Check whether RAM authorization is correct.

If you use a RAM user, you are guided through authorization when you activate the log collection function on an SLB instance. Log collection can be activated only after the authorization succeeds. If the RAM role is created incorrectly or has been deleted, logs cannot be delivered to your Logstore.

  1. Log on to the RAM console. On the RAM roles page, check whether the RAM role AliyunLogArchiveRole exists.
  2. If AliyunLogArchiveRole does not exist, log on to the Alibaba Cloud console using the primary account and click quick authorization to create the RAM roles required for authorization.
  3. If AliyunLogArchiveRole exists, click the role name, and then click the policy name to check whether the policy content is correct. The default policy is as follows. If your policy has been modified, we recommend that you replace the current policy with the default policy.
    {
      "Version": "1",
      "Statement": [
        {
          "Action": [
            "log:PostLogStoreLogs"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
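
One way to automate the comparison in step 3, as an added example that is not Alibaba Cloud's own code: paste the policy text shown in the RAM console into `check_role_policy`. The function names, the handling of string-valued `Action`/`Resource` fields, and the glob-style treatment of `*` wildcards are assumptions of this example.

```python
import json
from fnmatch import fnmatchcase

REQUIRED_ACTION = "log:PostLogStoreLogs"  # the only action in the default policy

# Default policy text as shown on this page.
DEFAULT_POLICY_TEXT = """{
  "Version": "1",
  "Statement": [{"Action": ["log:PostLogStoreLogs"], "Resource": "*", "Effect": "Allow"}]
}"""


def _as_list(value):
    # Assumption: a single Action/Resource may be stored as a bare string.
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def check_role_policy(policy_text):
    """Return findings; an empty list means the policy still permits log delivery."""
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return [f"policy is not valid JSON: {exc.msg}"]
    if not isinstance(policy, dict):
        return ["policy is not a JSON object"]
    statements = policy.get("Statement") or []
    if isinstance(statements, dict):
        statements = [statements]
    findings, allowed = [], False
    for i, stmt in enumerate(statements):
        # Assumption: "*" in an Action pattern (e.g. "log:*") matches like a glob.
        if not isinstance(stmt, dict) or not any(
            fnmatchcase(REQUIRED_ACTION, p) for p in _as_list(stmt.get("Action"))
        ):
            continue  # statement does not concern the required action
        effect, resources = stmt.get("Effect"), _as_list(stmt.get("Resource"))
        if effect == "Deny":
            findings.append(f"statement {i}: Deny covers {REQUIRED_ACTION}")
        elif effect == "Allow" and "*" in resources:
            allowed = True
        elif effect == "Allow":
            findings.append(f"statement {i}: Resource narrowed to {resources}; "
                            "confirm it still covers the target Logstore")
    if not allowed:
        findings.append(f"no Allow statement grants {REQUIRED_ACTION} on Resource '*'")
    return findings
```

Any finding means the policy no longer matches the default in effect, which is the case where the page recommends restoring the default policy.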

 

Check whether logs are generated

If you do not find any SLB access log in the log service console, it is likely that no log is generated for the SLB instance. The possible causes are as follows.

  • The instance is not configured with a Layer 7 listener: Log Service enables the access log feature only for SLB instances with Layer 7 listeners and does not support log collection for Layer 4 instances. Common Layer 7 listener protocols are HTTP and HTTPS. For more information, see listener introduction.
  • Log Service does not collect historical logs from before the access log feature was enabled: after the access log feature is enabled for an SLB instance, logs are collected only from the time the feature was enabled.
  • The specified instance has received no access requests: after the access log feature is enabled, requests must be made to the Layer 7 listener of the SLB instance for access logs to be generated.

 

Application scope

  • Log Service for WAF
  • SLB