# Collect AWS Elastic Load Balancer logs

Supported in: Google SecOps [SIEM](/chronicle/docs/secops/google-secops-siem-toc)

Last updated (UTC): 2025-09-04

| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).

This document explains how to collect AWS Elastic Load Balancer logs by setting up a Google Security Operations feed. The parser converts the logs into UDM format. It uses grok patterns to extract fields from both CEF and non-CEF formatted messages, maps them to UDM fields, and handles various data transformations, including specific logic for HTTP, TLS, and security-related fields. It also performs conditional processing based on the presence or format of certain fields to ensure accurate UDM representation.

Before you begin
----------------

Ensure you have the following prerequisites:

- Google SecOps instance
- Privileged access to AWS

Configure AWS Elastic Load Balancer
-----------------------------------

- Enable access logging to send access logs to an S3 storage bucket.
- Create an Amazon Simple Queue Service (SQS) queue and attach it to the S3 storage bucket.

Configure Amazon S3 bucket
--------------------------

1. Sign in to the AWS console.
2. Create an **Amazon S3 bucket** following this user guide: [Creating a bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/creating-bucket.html).
3. Save the bucket **Name** (for example, `elb-logs`) and **Region** for later use.
4. Create a user following this user guide: [Creating an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html#id_users_create_console).
5. Select the created **User**.
6. Select the **Security credentials** tab.
7. Click **Create Access Key** in the **Access Keys** section.
8. Select **Third-party service** as the **Use case**.
9. Click **Next**.
10. Optional: add a description tag.
11. Click **Create access key**.
12. Click **Download CSV file** to save the **Access Key** and **Secret Access Key** for later use.
13. Click **Done**.
14. Select the **Permissions** tab.
15. Click **Add permissions** in the **Permissions policies** section.
16. Select **Add permissions**.
17. Select **Attach policies directly**.
18. Search for and select the **AmazonS3FullAccess** policy.
19. Click **Next**.
20. Click **Add permissions**.

How to configure AWS Elastic Load Balancer to enable access logs
----------------------------------------------------------------

1. Sign in to the AWS Management Console.
2. Search for and select **EC2**.
3. Select **Load balancers** in the navigation menu.
4. Select the **load balancer** for which you want to enable logging.
5. In the **Description** tab, scroll to **Attributes**.
6. Click **Edit attributes**.
7. Enable access logs by selecting **Enable**.
8. Select the **S3 bucket** created earlier (for example, `elb-logs`).
9. Optional: set the log prefix for easier log identification (for example, `elb/access-logs/`).
10. Click **Save**.

Set up feeds
------------

There are two different entry points to set up feeds in the Google SecOps platform:

- **SIEM Settings > Feeds > Add New**
- **Content Hub > Content Packs > Get Started**

How to set up the AWS Elastic Load Balancer feed
------------------------------------------------

1. Click the **Amazon Cloud Platform** pack.
2. Locate the **AWS Elastic Load Balancer** log type.
3. Specify the values in the following fields.

    1. **Source Type**: Amazon SQS V2
    2. **Queue Name**: The SQS queue name to read from.
    3. **S3 URI**: The bucket URI.
        - `s3://your-log-bucket-name/`
        - Replace `your-log-bucket-name` with the actual name of your S3 bucket.
    4. **Source deletion options**: Select the deletion option according to your ingestion preferences.

        | **Note:** If you select the `Delete transferred files` or `Delete transferred files and empty directories` option, make sure that you granted appropriate permissions to the service account.
    5. **Maximum File Age**: Include files modified in the last number of days. Default is 180 days.
    6. **SQS Queue Access Key ID**: An account access key that is a 20-character alphanumeric string.
    7. **SQS Queue Secret Access Key**: An account access key that is a 40-character alphanumeric string.

    **Advanced options**
    - **Feed Name**: A prepopulated value that identifies the feed.
    - **Asset Namespace**: Namespace associated with the feed.
    - **Ingestion Labels**: Labels applied to all events from this feed.
4. Click **Create feed**.

| **Note:** The Content Hub is not available on the SIEM standalone platform. To upgrade, contact your Google SecOps representative.

For more information about configuring multiple feeds for different log types within this product family, see [Configure feeds by product](/chronicle/docs/ingestion/ingestion-entities/configure-multiple-feeds).

UDM Mapping Table
-----------------

**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)
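The IAM user step above attaches the broad **AmazonS3FullAccess** managed policy to the feed user. As an added example that is not part of this page or of Google's or AWS's own tooling, the Python below builds the narrower policy a reviewer would ask for instead: read access scoped to the bucket and prefix named in the feed's S3 URI, consume rights on the one SQS queue the feed reads, and `s3:DeleteObject` only when a `Delete transferred files` option is chosen. The queue ARN is a placeholder, and the exact SQS action set the Amazon SQS V2 source type needs is an assumption.

```python
import json
import re

# Constructed sample inputs: bucket and prefix follow the page's examples;
# the SQS queue ARN (region, account ID, queue name) is a placeholder.
FEED_S3_URI = "s3://elb-logs/elb/access-logs/"
QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:elb-logs-queue"


def parse_s3_uri(uri):
    """Split 's3://bucket/optional/prefix/' into (bucket, prefix); prefix may be ''."""
    m = re.fullmatch(r"s3://([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])/(.*)", uri)
    if not m:
        raise ValueError(f"not a valid S3 URI: {uri!r}")
    return m.group(1), m.group(2)


def feed_user_policy(s3_uri, queue_arn, delete_transferred=False):
    """IAM policy scoped to one log bucket/prefix and one SQS queue.

    delete_transferred adds s3:DeleteObject, which the feed needs only when a
    'Delete transferred files' source deletion option is selected. The SQS
    action set is an assumption about what the SQS V2 source type requires.
    """
    bucket, prefix = parse_s3_uri(s3_uri)
    bucket_arn = f"arn:aws:s3:::{bucket}"
    list_stmt = {"Sid": "ListLogBucket", "Effect": "Allow",
                 "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
                 "Resource": bucket_arn}
    if prefix:  # only let the feed enumerate keys under its own log prefix
        list_stmt["Condition"] = {"StringLike": {"s3:prefix": [prefix + "*"]}}
    object_actions = ["s3:GetObject"]
    if delete_transferred:
        object_actions.append("s3:DeleteObject")
    return {
        "Version": "2012-10-17",
        "Statement": [
            list_stmt,
            {"Sid": "ReadLogObjects", "Effect": "Allow",
             "Action": object_actions, "Resource": f"{bucket_arn}/{prefix}*"},
            {"Sid": "ConsumeFeedQueue", "Effect": "Allow",
             "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage",
                        "sqs:GetQueueAttributes", "sqs:GetQueueUrl"],
             "Resource": queue_arn},
        ],
    }


if __name__ == "__main__":
    print(json.dumps(feed_user_policy(FEED_S3_URI, QUEUE_ARN), indent=2))
```

Attach the printed document as an inline policy on the feed user in place of AmazonS3FullAccess; the bucket policy that lets the load balancer itself write logs is separate and unchanged by this.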