Collect ELB Access Logs

Role Availability Read-Only Investigator Analyst Manager

Elastic Load Balancing (ELB) is an important feature in Amazon Web Services (AWS) because it automatically distributes incoming application traffic across multiple targets. AWS ELB access logs provide insight into who is accessing your web resources. They also help you identify common abuse patterns and use of automated hacking tools such as web application scanners.

USM Anywhere supports log discovery in two types of load balancers:

  • AWS Application Load Balancer: You must enable Application Load Balancer logs for every AWS ELB that you want to monitor. See the Amazon documentation to learn how to enable Application Load Balancer access logging in AWS.

  • AWS Classic Load Balancer: You must enable Classic Load Balancer logs for every AWS ELB that you want to monitor. See the Amazon documentation to learn how to enable Classic Load Balancer access logging in AWS.

Collecting AWS Application Load Balancer Access Logs

Once you have enabled Application Load Balancer access logging in AWS, you must also configure a scheduled job to monitor the Amazon Simple Storage Service (S3) bucket for the AWS Application Load Balancer. Only after this has been completed will USM Anywhere be able to automatically discover your ELB access logs.

To create an AWS Application Load Balancer access log collection in USM Anywhere

  1. Go to Settings > Scheduler.
  2. Click New Job.
  3. Configure your new scheduled job to collect access logs:
    • Action Type: Amazon Web Services
    • App Action: Monitor S3 Bucket
    • Bucket Name: The name of the S3 bucket you want to monitor
    • Path: The prefix for the path you want to monitor
    • Source Format: Specify whether the source is raw or syslog
    • Data Source: AWS Application Load Balancer
  4. Set a schedule for your new scheduled job.
  5. Click Save.

After you have enabled your new job, USM Anywhere will use this job to discover your AWS Application Load Balancer access logs on the schedule you chose. These logs will now begin generating events and you can see them in the AWS Load Balancer Dashboard.
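To illustrate the kind of abuse pattern these access logs expose, the following added example (not part of the USM Anywhere documentation or product) parses raw Application Load Balancer access log lines and flags clients that send a scanner user agent or receive mostly 4xx responses. The log lines are constructed samples, and the thresholds, the user-agent list, and the function names are assumptions.

```python
import re
from collections import defaultdict

# Leading fields of an ALB access log entry, in the order AWS documents them.
FIELDS = ["type", "time", "elb", "client", "target", "request_processing_time",
          "target_processing_time", "response_processing_time", "elb_status_code",
          "target_status_code", "received_bytes", "sent_bytes", "request", "user_agent"]
TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # a quoted field or a bare token
# Assumption: illustrative scanner user-agent substrings, not an exhaustive list.
SCANNER_AGENTS = ("nikto", "sqlmap", "nmap scripting engine")

def parse_alb_line(line):
    """Split one raw ALB log line into its leading named fields."""
    values = [quoted or bare for quoted, bare in TOKEN.findall(line)]
    if len(values) < len(FIELDS):
        raise ValueError("truncated ALB log line")
    entry = dict(zip(FIELDS, values))
    entry["client_ip"] = entry["client"].rsplit(":", 1)[0]
    return entry

def flag_clients(lines, min_requests=3, error_ratio=0.8):
    """Return {client_ip: reason} for clients that look like automated scanners."""
    total, errors, flagged = defaultdict(int), defaultdict(int), {}
    for line in lines:
        try:
            e = parse_alb_line(line)
        except ValueError:
            continue  # skip malformed lines instead of aborting the run
        ip = e["client_ip"]
        total[ip] += 1
        errors[ip] += e["elb_status_code"].startswith("4")
        if any(s in e["user_agent"].lower() for s in SCANNER_AGENTS):
            flagged[ip] = "scanner user agent"
    for ip, n in total.items():
        if ip not in flagged and n >= min_requests and errors[ip] / n >= error_ratio:
            flagged[ip] = "high 4xx ratio"
    return flagged

# Constructed sample lines; fields after ssl_protocol are omitted for brevity.
_T = ('http 2024-01-15T10:00:00.000000Z app/example-alb/0123456789abcdef {ip}:40000 '
      '10.0.0.5:80 0.000 0.001 0.000 {code} {code} 120 300 '
      '"GET http://example.com:80{path} HTTP/1.1" "{ua}" - -')
SAMPLE = [_T.format(ip="203.0.113.7", code=404, path=p, ua="Mozilla/5.0")
          for p in ("/admin.php", "/.env", "/wp-login.php", "/backup.zip")]
SAMPLE += [_T.format(ip="192.0.2.20", code=c, path="/", ua="Mozilla/5.0") for c in (200, 200, 404)]
SAMPLE += [_T.format(ip="198.51.100.9", code=200, path="/", ua="Mozilla/5.00 (Nikto/2.1.6)"),
           "not an access log line"]

if __name__ == "__main__":
    print(flag_clients(SAMPLE))
```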

Collecting AWS Classic Load Balancer Access Logs

The AWS Sensor automatically detects Classic Load Balancer access logs after you have enabled them in AWS. After they're enabled in AWS, all you need to do is to enable the log collection job in USM Anywhere.

To enable AWS Classic Load Balancer access log collection in USM Anywhere

  1. Go to Settings > Scheduler.
  2. In the left navigation pane, click Log Collection.

  3. Locate the Discover Elastic Load Balancer (ELB) job and click the icon.

    This turns the icon green. To disable an already-enabled job, toggle the icon to its original status.


After you have enabled log collection, USM Anywhere automatically discovers your AWS Classic Load Balancer access logs every 20 minutes. They will now begin generating events and you can see them in the AWS Load Balancer Dashboard.