Configure a CLB access log - Server Load Balancer - Alibaba Cloud Documentation Center

This topic describes how to configure an access log for a Classic Load Balancer (CLB) instance. If you use CLB Layer 7 listeners, you can use the access log data to debug errors, locate issues, and analyze user behaviors. CLB is interfaced with Simple Log Service, which can record and store access logs of CLB to help you efficiently analyze log data and locate errors.

Limits

Only Layer 7 CLB listeners, including HTTP and HTTPS listeners, support access logs.

Prerequisites

A CLB instance is created. For more information, see Create and manage a CLB instance.
A vServer group is created. For more information, see Create and manage a vServer group. Backend servers are added to the vServer group, and applications are deployed on the backend servers.
An HTTP or HTTPS listener is created for the CLB instance. For more information, see Add an HTTP listener and Add an HTTPS listener.
Simple Log Service is activated. For more information, see Activate Simple Log Service.

Configure an access log

Log on to the CLB console.
In the left-side navigation pane, choose Logs > Access Log.
In the top navigation bar, select the region in which the CLB instance is deployed.
The first time you use the access log feature, you must grant the required permissions to your account. Click Authorize Now. On the Cloud Resource Access Authorization page, click Confirm Authorization Policy.
Note
You only need to perform the authorization once.
If you use a Resource Access Management (RAM) user, you must acquire the permissions from your Alibaba Cloud account. For more information, see Authorize a RAM user to use the access log feature.
On the Access Logs (Layer-7) page, find the CLB instance that you want to manage and click Configure in the Actions column.

In the Log Settings panel, configure the Project and Logstore parameters and click OK.

Project: used to isolate and manage resources in Simple Log Service.
Logstore: used to collect, store, and query log data in Simple Log Service.

Note

Make sure that the name of the project is unique and the region of the project is the same as that of the CLB instance.

After the access log is enabled, you can query and search for log data by using the fields listed in the following table.

Field	Description
body_bytes_sent	The size of the HTTP response body. Unit: bytes.
client_ip	The client IP address.
client_port	The port number of the client that sends the request.
host	By default, the value is retrieved from the request parameters. If the host is not specified in the request parameters, the system retrieves the value from the Host header. If this value cannot be retrieved from the request parameters or the Host header, the IP address of the backend server is used.
http_host	The Host header of the HTTP request.
http_referer	The Referer header of the HTTP request received by CLB.
http_user_agent	The Http_User_Agent header of the HTTP request.
http_x_forwarded_for	The X-Forwarded-For header of the HTTP request.
http_x_real_ip	The real client IP address.
read_request_time	The amount of time that CLB takes to process the request. Unit: milliseconds.
request_length	The length of the request, including the start line, request headers, and the request body.
request_method	The request method.
request_time	The time duration between when CLB receives the first request and when CLB returns the response. Unit: seconds.
request_uri	The URI of the request received by CLB.
scheme	The scheme of the request. Valid values: HTTP and HTTPS.
server_protocol	The version of the HTTP protocol that is received by CLB. For example, HTTP/1.0 or HTTP/1.1.
slb_vport	The listener port of the CLB instance.
slbid	The ID of the CLB instance.
ssl_cipher	The cipher suite used to establish an SSL connection. Example: ECDHE-RSA-AES128-GCM-SHA256.
ssl_protocol	The protocol that is used to establish an SSL connection, for example, TLS 1.2.
status	The status of the response returned by CLB.
tcpinfo_rtt	The amount of time that is taken to establish a TCP connection. Unit: milliseconds.
time	The time when the log entry was generated.
upstream_addr	The IP address and port of the backend server.
upstream_response_time	The amount of time from when a connection is established to when the connection is closed. Unit: seconds.
upstream_status	The HTTP status code sent from a backend server to CLB.
vip_addr	The virtual IP address.
write_response_time	The amount of time that is taken to respond to the write request. Unit: milliseconds.

Query access log data

After you enable the access log feature, you can query access log data in the CLB console or the Log Service console.

Log on to the CLB console.
In the left-side navigation pane, choose Logs > Access Log.
In the top navigation bar, select the region in which the CLB instance is deployed.
On the Access Log (Layer 7) page, find the CLB instance that you want to manage and click View Logs in the Actions column.
Log entries are generated when clients access CLB. You can view the log data in Simple Log Service.
Enter an SQL statement to query specified log data.
For example, you can enter the following SQL statement to query the top 20 most active clients. You can analyze the request sources and make informed business decisions.
```
* | select http_user_agent, count(*) as pv group by http_user_agent order by pv desc limit 20
```

Analyze access log data

The Simple Log Service dashboards display log data in multiple dimensions. You can use the dashboards to analyze access log data.

On the page of the project that your CLB instance uses, move your pointer over the icon in the left-side navigation pane and click Dashboards.
Click the name of the access log, such as slb_layer7_access_center_en, to view log data.

Disable access logs

If you no longer need to collect access data of your CLB instance, you can disable access logs.

Note

The log project and Logstore as well as historical logs are not deleted after you disable access logs for your CLB instance. You can still access the data in Simple Log Service.

Log on to the CLB console.
In the left-side navigation pane, choose Logs > Access Log.
In the top navigation bar, select the region in which the CLB instance is deployed.
On the Access Logs (Layer-7) page, find the instance that you want to manage and click Disable Logging in the Actions column.
In the message that appears, click OK.

References

For more information about Simple Log Service, see What is Simple Log Service?.
For more information about CLB access logs, see Overview of CLB access logs.
If you use CLB Layer 7 listeners and want to troubleshoot errors on backend servers, you can analyze the access log data to locate errors. CLB is interfaced with Simple Log Service, which can record and store access logs of CLB to help you efficiently analyze log data and locate errors. For more information, see Use CLB access logs to locate unhealthy backend servers.