Introduction To Elastic Load Balancing Log Files
The Amazon Elastic Load Balancing (ELB) format is produced by Amazon’s ELB servers. It’s not possible to configure this format, it’s set in stone by Amazon. It provides all the fields supported by the Log File Analyser except for Referer. So if you’re dealing with an ELB log, you won’t see any information in any of the Referers columns, and the Referers tab will be of no use.
The format of each line is as follows:
timestamp elb client:port backend:port request_processing_time backend_processing_time response_processing_time elb_status_code backend_status_code received_bytes sent_bytes "request" "user_agent" ssl_cipher ssl_protocol
The values space delimited, with values that contain quotes, such as the user_agent, quoted to aid parsing.
Here’s an example log line:
2017-01-01T09:00:00.00 my-elb 188.8.131.52:2817 10.0.0.1:80 0.000500 0.000500 0.000057 200 200 0 29 "GET https://www.example.com:443/contact.html HTTP/1.1" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" DHE-RSA-AES128-SHA TLSv1.2
Reading the line from left to right we have:
- The timestamp, in ISO 8601 format
- The name of the ELB instance serving the request
- The remote IP and port making the request
- The local IP and port serving the request
- The time taken by the load balancer to serve the request
- The time taken from when the load balancer sent the request to a registered instance until the instance started to send the response headers
- The total time take to process the request
- The response code sent by the load balancer
- The response code sent by the instance
- The size, in bytes, of the request
- The size, in bytes, of the response
- The HTTP request line
- The User Agent making the request
- The ssl cipher used (https only)
- The ssl protocol used (https only)
Download a 1,000 line example here.
Unlike Apache and W3C log files, the domain is always present, so you’ll never be asked to provide the protocol and/or domain when importing an ELB log.