Delivery of Server Access Logs

Amazon Simple Storage Service: 2006-03-01

previous page next page

Delivery of Server Access Logs

[Important]Important

This section describes Beta functionality that is subject to change in future releases. Please provide feedback on this functionality in the

Amazon S3 Developer Forum.

Server access logs are written to the bucket of your choice, which can be the bucket from which the logs originate or a different bucket. If you choose a different bucket, it must have the same owner as the source bucket. Otherwise, no logs will be delivered.

[Note] Note

The source and the target buckets must be in the same location. For more information about bucket location constraints, see How to Select a Region for Your Buckets.

When a log file is delivered to the target bucket, it is stored under a key in the following format. 


    TargetPrefixYYYY-mm-DD-HH-MM-SS-UniqueString

In the key, YYYY, mm, DD, HH, MM and SS are the digits of the year, month, day, hour, minute, and seconds (respectively) when the log file was delivered.

A log file delivered at a specific time can contain records written at any point before that time. There is no way to know whether all log records for a certain time interval have been delivered or not.

The TargetPrefix component of the key is a string provided by the bucket owner using the logging configuration API. For more information, see Server Access Logging Configuration API.

The UniqueString component of the key carries no meaning and should be ignored by log processing software.

The system does not delete old log files. If you do not want server logs to accumulate, you must delete them yourself. To do so, use the List operation with the prefix parameter to locate old logs to delete. For more information, see Listing Keys.

Access Control Interaction

Log files will be written to the target bucket under the identity of a member of the http://acs.amazonaws.com/groups/s3/LogDelivery group. These writes are subject to the usual access control restrictions. Therefore, logs will not be delivered unless the access control policy of the target bucket grants the log delivery group WRITE access. To ensure log files are delivered correctly, the log delivery group must also have READ_ACP permission on the target bucket. For more information about access control lists and groups, see Authentication and Access Control. For more information about correctly configuring your target bucket's access control policy, see the Setting Up Server Access Logging.

Log files created in the target bucket have an access control list entry that consists of a FULL_CONTROL grant to the bucket owner and grants to any users specified through the TargetGrants element.

Best Effort Server Log Delivery

The server access logging feature is designed for best effort. You can expect that most requests against a bucket that is properly configured for logging will result in a delivered log record, and that most log records will be delivered within a few hours of the time that they were recorded.

However, the server logging feature is offered on a best-effort basis. The completeness and timeliness of server logging is not guaranteed. The log record for a particular request might be delivered long after the request was actually processed, or it might not be delivered at all. The purpose of server logs is to give the bucket owner an idea of the nature of traffic against his or her bucket. It is not meant to be a complete accounting of all requests.

Usage Report Consistency

It follows from the best-effort nature of the server logging feature that the usage reports available at the AWS portal might include usage that does not correspond to any request in a delivered server log.

previous page start next page