Configuring Logging for a Bucket
Functions
When a bucket is created, the logging function is not enabled by default. To generate logs recording operations on a bucket, you need to enable the logging function for that bucket. After the logging function is enabled, a log is generated for each operation on the bucket, and multiple logs are packed into a log file. When enabling the logging function, you need to specify where the log files are stored. They can be stored in the bucket for which logging is enabled, or in another bucket for which you have the required permissions. However, the bucket where log files are stored and the bucket for which logging is enabled must be in the same region.
Log files are generated by OBS and uploaded to the bucket where logs are stored. Therefore, OBS needs to be authorized to upload the generated log files. Before configuring the logging function, you need to create an agency for OBS in IAM. The agency name is configured as a parameter of the bucket, and the logging function must be configured under the LoggingEnabled tag in the XML file. The agency only needs to be granted upload permission for the target bucket.
Example of agency permissions
{
    "Version": "1.1",
    "Statement": [
        {
            "Action": [
                "obs:object:PutObject"
            ],
            "Resource": [
                "OBS:*:*:object:mybucketlogs/*"
            ],
            "Effect": "Allow"
        }
    ]
}
To disable the bucket logging function, upload a logging file with an empty BucketLoggingStatus tag.
By default, a bucket whose storage class is Warm or Cold cannot be used for storing log files. Stored log files occupy storage space in a bucket. Therefore, users are charged for the logging service based on the pricing for data storage.
Caution
If the target bucket has KMS encryption enabled, grant the agency access to KMS.
Request Syntax
PUT /?logging HTTP/1.1
Host: bucketname.obs.region.example.com
Date: date
Authorization: signatureValue

<?xml version="1.0" encoding="UTF-8"?>
<BucketLoggingStatus>
    <Agency>agency-name</Agency>
    <LoggingEnabled>
        <TargetBucket>mybucketlogs</TargetBucket>
        <TargetPrefix>mybucket-access_log-/</TargetPrefix>
        <TargetGrants>
            <Grant>
                <Grantee>
                    <ID>domainID</ID>
                </Grantee>
                <Permission>READ</Permission>
            </Grant>
        </TargetGrants>
    </LoggingEnabled>
</BucketLoggingStatus>
Request Parameters
This request contains no message parameters.
Request Headers
This request uses common headers. For details, see Table 3.
Request Elements
Element | Description | Mandatory |
---|---|---|
BucketLoggingStatus | Container for logging status information Type: container | Yes |
Agency | Name of the IAM agency created in IAM by the owner of the target bucket. Type: string | Yes only when you need to enable the logging function |
LoggingEnabled | Container for logging information. Include this element when enabling the logging function; otherwise, omit it. You can add specific logging information in this element. Type: container | Yes only when you need to enable the logging function |
Grant | Container for the grantee and the grantee's logging permissions. It describes who has the permission to access the generated log files. Type: container | No |
Grantee | Container for the user that is granted the logging permission. Type: container | No |
ID | Account ID of the authorized user, which is globally unique. Type: string | No |
Permission | Permissions of the grantee to the generated logs. Type: string Value options: FULL_CONTROL, READ, WRITE | No |
TargetBucket | When enabling the logging function, the owner of the bucket being logged can specify a target bucket to store the generated log files. Ensure that the bucket owner who configures the logging function has the FULL_CONTROL permission for the bucket that stores log files. Log files generated for multiple buckets can be stored in the same target bucket. If you do so, you need to specify different TargetPrefixes to classify logs for different buckets. Type: string | Yes only when you need to enable the logging function |
TargetPrefix | You can specify a prefix using this element so that log files are named with this prefix. Type: string | Yes only when you need to enable the logging function |
TargetGrants | Container for granting information. Type: container | No |
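The agency policy and the request body described above can be checked against each other before logging is enabled. The following is an added example, not code from OBS or its documentation: the function name `audit_logging_setup` is hypothetical, and it assumes policy resources use the `OBS:*:*:object:<bucket>/...` form shown in the agency example. It flags missing mandatory elements and any agency grant wider than upload to the target bucket.

```python
import json
import xml.etree.ElementTree as ET

UPLOAD_ACTION = "obs:object:PutObject"

def audit_logging_setup(config_xml, agency_policy_json):
    """Check a PUT ?logging body and the agency policy; an empty list means no findings."""
    findings = []
    root = ET.fromstring(config_xml.strip().encode("utf-8"))
    if root.tag != "BucketLoggingStatus":
        return ["root element is not BucketLoggingStatus"]
    enabled = root.find("LoggingEnabled")
    if enabled is None:
        return findings  # empty BucketLoggingStatus: the request disables logging
    target = (enabled.findtext("TargetBucket") or "").strip()
    if not (root.findtext("Agency") or "").strip():
        findings.append("Agency is required when enabling logging")
    if enabled.find("TargetPrefix") is None:
        findings.append("TargetPrefix is required when enabling logging")
    if not target:
        return findings + ["TargetBucket is required when enabling logging"]
    # Assumption: resources use the form shown on the page, OBS:*:*:object:<bucket>/<keys>.
    scope = f"OBS:*:*:object:{target}/"
    scoped_upload = False
    for stmt in json.loads(agency_policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = stmt.get("Action", []), stmt.get("Resource", [])
        findings += [f"agency allows more than upload: {a}" for a in actions if a != UPLOAD_ACTION]
        findings += [f"resource not limited to {target}: {r}"
                     for r in resources if not r.startswith(scope)]
        if UPLOAD_ACTION in actions and any(r.startswith(scope) for r in resources):
            scoped_upload = True
    if not scoped_upload:
        findings.append(f"no statement grants {UPLOAD_ACTION} scoped to {target}")
    return findings

# Request body and policy taken from the page; BROAD_POLICY is constructed for contrast.
CONFIG = """<?xml version="1.0" encoding="UTF-8"?><BucketLoggingStatus>
<Agency>agency-name</Agency><LoggingEnabled><TargetBucket>mybucketlogs</TargetBucket>
<TargetPrefix>mybucket-access_log-/</TargetPrefix></LoggingEnabled></BucketLoggingStatus>"""
PAGE_POLICY = json.dumps({"Version": "1.1", "Statement": [{"Effect": "Allow",
    "Action": ["obs:object:PutObject"], "Resource": ["OBS:*:*:object:mybucketlogs/*"]}]})
BROAD_POLICY = json.dumps({"Version": "1.1", "Statement": [{"Effect": "Allow",
    "Action": ["obs:object:*"], "Resource": ["OBS:*:*:object:*"]}]})

if __name__ == "__main__":
    for policy in (PAGE_POLICY, BROAD_POLICY):
        print(audit_logging_setup(CONFIG, policy))
```

The trailing slash in the scope check matters: without it, a policy for `mybucketlogs` would also pass for a target bucket named `mybucket`.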
Naming rules for access logs
<TargetPrefix>YYYY-mm-DD-HH-MM-SS-<UniqueString>
<TargetPrefix> is the log name prefix specified by the user.
YYYY-mm-DD-HH-MM-SS indicates the date and time when the log is generated.
<UniqueString> indicates a character string generated by OBS.
The following is an example of a log file name:
bucket-log2015-06-29-12-22-07-N7MXLAF1BDG7MPDV
bucket-log is the target prefix specified by the user.
2015-06-29-12-22-07 indicates the time when the log is generated.
N7MXLAF1BDG7MPDV is a string automatically generated by OBS.
Format of bucket access logs
The following shows an access log delivered to the target bucket:
787f2f92b20943998a4fe2ab75eb09b8 bucket [13/Aug/2015:01:43:42 +0000] xx.xx.xx.xx 787f2f92b20943998a4fe2ab75eb09b8 281599BACAD9376ECE141B842B94535B REST.GET.BUCKET.LOCATION - "GET /bucket?location HTTP/1.1" 200 - 211 - 6 6 "-" "HttpClient" - -
Each access log contains the following information:
Parameter | Example | Description |
---|---|---|
BucketOwner | 787f2f92b20943998a4fe2ab75eb09b8 | ID of the bucket owner |
Bucket | bucket | Bucket name |
Time | [13/Aug/2015:14:43:42 +0000] | Request timestamp in the [dd/MMM/yyyy:HH:mm:ss Z] format |
Remote IP | xx.xx.xx.xx | Request IP address |
Requester | 787f2f92b20943998a4fe2ab75eb09b8 | ID of the requester |
RequestID | 281599BACAD9376ECE141B842B94535B | Request ID |
Operation | REST.GET.BUCKET.LOCATION | Operation |
Key | | Object name |
Request-URI | GET /bucket?location HTTP/1.1 | Request URI |
HTTPStatus | 200 | Response code |
ErrorCode | | Error code |
BytesSent | 211 | Size of the HTTP response, expressed in bytes |
ObjectSize | | Object size |
TotalTime | 6 | Processing time on the server Unit: ms |
Turn-AroundTime | 6 | Total request processing time Unit: ms |
Referer | | Referer header of the request |
User-Agent | HttpClient | User-Agent header of the request |
VersionID | | Version ID contained in a request |
STSLogUrn | | Federated authentication and agency information |
StorageClass | STANDARD_IA | Current object storage class |
TargetStorageClass | GLACIER | Storage class that the object will be transitioned to |
DentryName | 12456%2Ffile.txt | |
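A parser for the access log format above, with a small triage helper that counts error responses per source address. This is an added example, not code from OBS or its documentation: the function names are hypothetical, the second sample line is constructed, and it assumes the last three table fields may be absent (the page's sample line carries only the first 19) and that quoted fields contain no embedded double quotes.

```python
import re
from collections import Counter
from datetime import datetime

# Field order as listed in the table above; the page's sample line carries the first 19.
FIELDS = ["BucketOwner", "Bucket", "Time", "Remote IP", "Requester", "RequestID",
          "Operation", "Key", "Request-URI", "HTTPStatus", "ErrorCode", "BytesSent",
          "ObjectSize", "TotalTime", "Turn-AroundTime", "Referer", "User-Agent",
          "VersionID", "STSLogUrn", "StorageClass", "TargetStorageClass", "DentryName"]
NUMERIC = {"HTTPStatus", "BytesSent", "ObjectSize", "TotalTime", "Turn-AroundTime"}
# A token is a [bracketed] timestamp, a "quoted" string, or a run of non-space characters.
# Assumption: quoted fields contain no embedded double quotes.
TOKEN = re.compile(r'\[([^\]]*)\]|"([^"]*)"|(\S+)')

def parse_access_log(line):
    """Split one access log line into a dict keyed by the table's parameter names."""
    tokens = [next(g for g in m.groups() if g is not None) for m in TOKEN.finditer(line)]
    if not 19 <= len(tokens) <= len(FIELDS):
        raise ValueError(f"unexpected field count {len(tokens)}")  # reject, do not guess
    rec = dict.fromkeys(FIELDS)  # "-" and absent trailing fields stay None
    for name, tok in zip(FIELDS, tokens):
        if tok != "-":
            rec[name] = int(tok) if name in NUMERIC else tok
    if rec["Time"]:
        rec["Time"] = datetime.strptime(rec["Time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def errors_by_source(lines):
    """Count requests answered with HTTP status >= 400, per Remote IP."""
    hits = Counter()
    for line in lines:
        rec = parse_access_log(line)
        if rec["HTTPStatus"] is not None and rec["HTTPStatus"] >= 400:
            hits[rec["Remote IP"]] += 1
    return dict(hits)

PAGE_LINE = ('787f2f92b20943998a4fe2ab75eb09b8 bucket [13/Aug/2015:01:43:42 +0000] xx.xx.xx.xx '
             '787f2f92b20943998a4fe2ab75eb09b8 281599BACAD9376ECE141B842B94535B '
             'REST.GET.BUCKET.LOCATION - "GET /bucket?location HTTP/1.1" 200 - 211 - 6 6 '
             '"-" "HttpClient" - -')
# Constructed sample (not from the page): a denied object read with all 22 fields present.
DENIED_LINE = ('787f2f92b20943998a4fe2ab75eb09b8 bucket [13/Aug/2015:01:44:10 +0000] 192.0.2.10 '
               '- 0000000000000000000000000000000A REST.GET.OBJECT report.txt '
               '"GET /bucket/report.txt HTTP/1.1" 403 AccessDenied 300 - 4 4 '
               '"-" "curl/7.29.0" - - STANDARD - report.txt')

if __name__ == "__main__":
    print(parse_access_log(PAGE_LINE)["Operation"], errors_by_source([PAGE_LINE, DENIED_LINE]))
```

Request-URI, Referer and User-Agent are client-supplied, so a line that does not tokenize to the expected field count is rejected instead of being mapped onto the wrong columns.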
Response Syntax
HTTP/1.1 status_code
Date: date
Content-Length: length
Response Headers
The response to the request uses common headers. For details, see Table 1.
Response Elements
This response contains no elements.
Error Responses
No special error responses are returned. For details about error responses, see Table 2.
Sample Request
PUT /?logging HTTP/1.1
User-Agent: curl/7.29.0
Host: examplebucket.obs.region.example.com
Accept: */*
Date: WED, 01 Jul 2015 02:40:06 GMT
Authorization: OBS H4IPJX0TQTHTHEBQQCEC:mCOjER/L4ZZUY9qr6AOnkEiwvVk=
Content-Length: 528

<?xml version="1.0" encoding="UTF-8"?>
<BucketLoggingStatus>
    <Agency>agencyGrantPutLogging</Agency>
    <LoggingEnabled>
        <TargetBucket>log-bucket</TargetBucket>
        <TargetPrefix>mybucket-access_log-/</TargetPrefix>
        <TargetGrants>
            <Grant>
                <Grantee>
                    <ID>783fc6652cf246c096ea836694f71855</ID>
                </Grantee>
                <Permission>READ</Permission>
            </Grant>
        </TargetGrants>
    </LoggingEnabled>
</BucketLoggingStatus>
Sample Response
HTTP/1.1 200 OK
Server: OBS
x-obs-request-id: BF26000001643663CE53B6AF31C619FD
x-obs-id-2: 32AAAQAAEAABSAAkpAIAABAAAQAAEAABCT9CjuOx8cETSRbqkm35s1dL/tLhRNdZ
Date: WED, 01 Jul 2015 02:40:06 GMT
Content-Length: 0