AWS S3
Collect logs from AWS S3
status: beta
role: aggregator
delivery: at-least-once
acknowledgements: yes
egress: stream
state: stateless
output: log
Requirements
The AWS S3 source requires a SQS queue configured to receive S3
bucket notifications for the desired S3 buckets.
Configuration
Example configurations
{
"sources": {
"my_source_id": {
"type": "aws_s3",
"acknowledgements": null,
"region": "us-east-1",
"sqs": null
}
}
}[sources.my_source_id]
type = "aws_s3"
region = "us-east-1"
---
sources:
my_source_id:
type: aws_s3
acknowledgements: null
region: us-east-1
sqs: null
{
"sources": {
"my_source_id": {
"type": "aws_s3",
"auth": null,
"endpoint": "http://127.0.0.0:5000/path/to/service",
"acknowledgements": null,
"strategy": "sqs",
"compression": "text",
"multiline": null,
"proxy": null,
"tls": null,
"region": "us-east-1",
"sqs": null
}
}
}[sources.my_source_id]
type = "aws_s3"
endpoint = "http://127.0.0.0:5000/path/to/service"
strategy = "sqs"
compression = "text"
region = "us-east-1"
---
sources:
my_source_id:
type: aws_s3
auth: null
endpoint: http://127.0.0.0:5000/path/to/service
acknowledgements: null
strategy: sqs
compression: text
multiline: null
proxy: null
tls: null
region: us-east-1
sqs: null
acknowledgements
common optional objectControls how acknowledgements are handled by this source. These settings override the global
acknowledgement settings. This setting is deprecated in favor of enabling acknowledgements in the destination sink.acknowledgements.enabled
optional boolControls if the source will wait for destination sinks to deliver the events before acknowledging receipt.
default:
falseauth
optional objectOptions for the authentication strategy.
auth.access_key_id
optional string literalThe AWS access key id. Used for AWS authentication when communicating with AWS services.
auth.assume_role
optional string literalThe ARN of an IAM role to assume at startup.
auth.load_timeout_secs
optional uintThe timeout for loading credentials. Relevant when the default credentials chain is used or
assume_role.default:
5 (seconds)auth.profile
optional string literalThe AWS profile name. Used to select AWS credentials from a provided credentials file.
default:
defaultauth.secret_access_key
optional string literalThe AWS secret access key. Used for AWS authentication when communicating with AWS services.
compression
optional string literal enumThe compression format of the S3 objects..
Enum options
string
literal
| Option | Description |
|---|---|
auto | Vector will try to determine the compression format of the object from its: Content-Encoding metadata, Content-Type metadata, and key suffix (e.g. .gz). It will fallback to ‘none’ if it cannot determine the compression. |
gzip | GZIP format. |
none | Uncompressed. |
zstd | ZSTD format. |
default:
textendpoint
optional string literalCustom endpoint for use with AWS-compatible services.
multiline
optional objectMultiline parsing configuration. If not specified, multiline parsing is disabled.
multiline.condition_pattern
optional string regexCondition regex pattern to look for. Exact behavior is configured via
mode.multiline.mode
optional string literal enumMode of operation, specifies how the
condition_pattern is interpreted.Enum options
| Option | Description |
|---|---|
continue_past | All consecutive lines matching this pattern, plus one additional line, are included in the group. This is useful in cases where a log message ends with a continuation marker, such as a backslash, indicating that the following line is part of the same message. |
continue_through | All consecutive lines matching this pattern are included in the group. The first line (the line that matched the start pattern) does not need to match the ContinueThrough pattern. This is useful in cases such as a Java stack trace, where some indicator in the line (such as leading whitespace) indicates that it is an extension of the preceding line. |
halt_before | All consecutive lines not matching this pattern are included in the group. This is useful where a log line contains a marker indicating that it begins a new message. |
halt_with | All consecutive lines, up to and including the first line matching this pattern, are included in the group. This is useful where a log line ends with a termination marker, such as a semicolon. |
multiline.start_pattern
optional string regexStart regex pattern to look for as a beginning of the message.
multiline.timeout_ms
optional uintThe maximum time to wait for the continuation. Once this timeout is reached, the buffered message is guaranteed to be flushed, even if incomplete.
proxy
optional objectConfigures an HTTP(S) proxy for Vector to use. By default, the globally configured proxy is used.
proxy.http
optional string literalThe URL to proxy HTTP requests through.
proxy.https
optional string literalThe URL to proxy HTTPS requests through.
proxy.no_proxy
optional [string]A list of hosts to avoid proxying. Allowed patterns here include:
| Pattern | Example match |
|---|---|
| Domain names | example.com matches requests to example.com |
| Wildcard domains | .example.com matches requests to example.com and its subdomains |
| IP addresses | 127.0.0.1 matches requests to 127.0.0.1 |
| CIDR blocks | 192.168.0.0./16 matches requests to any IP addresses in this range |
| Splat | * matches all hosts |
sqs
common optional objectSQS strategy options. Required if strategy=
sqs.sqs.delete_message
optional boolWhether to delete the message once Vector processes it. It can be useful to set this to
false to debug or during initial Vector setup.default:
truesqs.queue_url
optional string literalThe URL of the SQS queue to receive bucket notifications from.
sqs.visibility_timeout_secs
optional uintThe visibility timeout to use for messages in secords. This controls how long a message is left unavailable when a Vector receives it. If a
vector does not delete the message before the timeout expires, it will be made reavailable for another consumer; this can happen if, for example, the vector process crashes.default:
300 (seconds)strategy
optional string literal enumThe strategy to use to consume objects from AWS S3.
Enum options
string
literal
| Option | Description |
|---|---|
sqs | Consume S3 objects by polling for bucket notifications sent to an AWS SQS queue. |
default:
sqstls
optional objectConfigures the TLS options for outgoing connections.
tls.ca_file
optional string literalAbsolute path to an additional CA certificate file, in DER or PEM format (X.509), or an inline CA certificate in PEM format.
tls.crt_file
optional string literalAbsolute path to a certificate file used to identify this connection, in DER or PEM format (X.509) or PKCS#12, or an inline certificate in PEM format. If this is set and is not a PKCS#12 archive,
key_file must also be set.tls.key_file
optional string literalAbsolute path to a private key file used to identify this connection, in DER or PEM format (PKCS#8), or an inline private key in PEM format. If this is set,
crt_file must also be set.tls.key_pass
optional string literalPass phrase used to unlock the encrypted key file. This has no effect unless
key_file is set.tls.verify_certificate
optional boolIf
true (the default), Vector will validate the TLS certificate of the remote host.default:
truetls.verify_hostname
optional boolIf
true (the default), Vector will validate the configured remote host name against the remote host’s TLS certificate. Do NOT set this to false unless you understand the risks of not verifying the remote hostname.default:
trueEnvironment variables
AWS_ACCESS_KEY_ID
common optional string literalThe AWS access key id. Used for AWS authentication when communicating with AWS services.
AWS_CONFIG_FILE
common optional string literalSpecifies the location of the file that the AWS CLI uses to store configuration profiles.
Default: ~/.aws/configAWS_CREDENTIAL_EXPIRATION
common optional string literalExpiration time in RFC 3339 format. If unset, credentials won’t expire.
AWS_DEFAULT_REGION
common optional string literalThe default AWS region.
AWS_PROFILE
common optional string literalSpecifies the name of the CLI profile with the credentials and options to use. This can be the name of a profile stored in a credentials or config file.
Default: defaultAWS_ROLE_SESSION_NAME
common optional string literalSpecifies a name to associate with the role session. This value appears in CloudTrail logs for commands performed by the user of this profile.
AWS_SECRET_ACCESS_KEY
common optional string literalThe AWS secret access key. Used for AWS authentication when communicating with AWS services.
AWS_SESSION_TOKEN
common optional string literalThe AWS session token. Used for AWS authentication when communicating with AWS services.
AWS_SHARED_CREDENTIALS_FILE
common optional string literalSpecifies the location of the file that the AWS CLI uses to store access keys.
Default: ~/.aws/credentialsHTTPS_PROXY
common optional string literalThe global URL to proxy HTTPS requests through.
If another HTTPS proxy is set in the configuration file or at a component level, this one will be overridden.
The lowercase variant has priority over the uppercase one.
HTTP_PROXY
common optional string literalThe global URL to proxy HTTP requests through.
If another HTTP proxy is set in the configuration file or at a component level, this one will be overridden.
The lowercase variant has priority over the uppercase one.
NO_PROXY
common optional string literalList of hosts to avoid proxying globally.
Allowed patterns here include:
| Pattern | Example match |
|---|---|
| Domain names | example.com matches requests to example.com |
| Wildcard domains | .example.come matches requests to example.com and its subdomains |
| IP addresses | 127.0.0.1 matches requests to 127.0.0.1 |
| CIDR blocks | 192.168.0.0./16 matches requests to any IP addresses in this range |
| Splat | * matches all hosts |
If another no_proxy value is set in the configuration file or at a component level, this
one is overridden.
The lowercase variant has priority over the uppercase one.
http_proxy
common optional string literalThe global URL to proxy HTTP requests through.
If another HTTP proxy is set in the configuration file or at a component level, this one will be overridden.
The lowercase variant has priority over the uppercase one.
https_proxy
common optional string literalThe global URL to proxy HTTPS requests through.
If another HTTPS proxy is set in the configuration file or at a component level, this one will be overridden.
The lowercase variant has priority over the uppercase one.
no_proxy
common optional string literalList of hosts to avoid proxying globally.
Allowed patterns here include:
| Pattern | Example match |
|---|---|
| Domain names | example.com matches requests to example.com |
| Wildcard domains | .example.come matches requests to example.com and its subdomains |
| IP addresses | 127.0.0.1 matches requests to 127.0.0.1 |
| CIDR blocks | 192.168.0.0./16 matches requests to any IP addresses in this range |
| Splat | * matches all hosts |
If another no_proxy value is set in the configuration file or at a component level, this
one is overridden.
The lowercase variant has priority over the uppercase one.
Outputs
<component_id>
Default output stream of the component. Use this component’s ID as an input to downstream transforms and sinks.
Output Data
Logs
Object
A line from an S3 object.
bucket
required
string
literal
The bucket of the object the line came from.
Examples
my-bucketmessage
required
string
literal
A line from the S3 object.
Examples
53.126.150.246 - - [01/Oct/2020:11:25:58 -0400] "GET /disintermediate HTTP/2.0" 401 20308object
required
string
literal
The object the line came from.
Examples
AWSLogs/111111111111/vpcflowlogs/us-east-1/2020/10/26/111111111111_vpcflowlogs_us-east-1_fl-0c5605d9f1baf680d_20201026T1950Z_b1ea4a7a.log.gzregion
required
string
literal
The AWS region bucket is in.
Examples
us-east-1timestamp
required
timestamp
The Last-Modified time of the object. Defaults the current timestamp if this information is missing.
Examples
2020-10-10T17:07:36.452332ZTelemetry
Metrics
linkcomponent_discarded_events_total
counterThe number of events dropped by this component.
component_id
required
The Vector component ID.
component_kind
required
The Vector component kind.
component_name
required
Deprecated, use
component_id instead. The value is the same as component_id.component_type
required
The Vector component type.
host
optional
The hostname of the system Vector is running on.
pid
optional
The process ID of the Vector instance.
component_errors_total
counterThe total number of errors encountered by this component.
component_id
required
The Vector component ID.
component_kind
required
The Vector component kind.
component_name
required
Deprecated, use
component_id instead. The value is the same as component_id.component_type
required
The Vector component type.
error_type
required
The type of the error
host
optional
The hostname of the system Vector is running on.
pid
optional
The process ID of the Vector instance.
stage
required
The stage within the component at which the error occurred.
component_received_bytes_total
counterThe number of raw bytes accepted by this component from source origins.
component_id
required
The Vector component ID.
component_kind
required
The Vector component kind.
component_name
required
Deprecated, use
component_id instead. The value is the same as component_id.component_type
required
The Vector component type.
container_name
optional
The name of the container from which the data originated.
file
optional
The file from which the data originated.
host
optional
The hostname of the system Vector is running on.
mode
optional
The connection mode used by the component.
peer_addr
optional
The IP from which the data originated.
peer_path
optional
The pathname from which the data originated.
pid
optional
The process ID of the Vector instance.
pod_name
optional
The name of the pod from which the data originated.
uri
optional
The sanitized URI from which the data originated.
component_received_event_bytes_total
counterThe number of event bytes accepted by this component either from
tagged origins like file and uri, or cumulatively from other origins.
component_id
required
The Vector component ID.
component_kind
required
The Vector component kind.
component_name
required
Deprecated, use
component_id instead. The value is the same as component_id.component_type
required
The Vector component type.
container_name
optional
The name of the container from which the data originated.
file
optional
The file from which the data originated.
host
optional
The hostname of the system Vector is running on.
mode
optional
The connection mode used by the component.
peer_addr
optional
The IP from which the data originated.
peer_path
optional
The pathname from which the data originated.
pid
optional
The process ID of the Vector instance.
pod_name
optional
The name of the pod from which the data originated.
uri
optional
The sanitized URI from which the data originated.
component_received_events_total
counterThe number of events accepted by this component either from tagged
origins like file and uri, or cumulatively from other origins.
component_id
required
The Vector component ID.
component_kind
required
The Vector component kind.
component_name
required
Deprecated, use
component_id instead. The value is the same as component_id.component_type
required
The Vector component type.
container_name
optional
The name of the container from which the data originated.
file
optional
The file from which the data originated.
host
optional
The hostname of the system Vector is running on.
mode
optional
The connection mode used by the component.
peer_addr
optional
The IP from which the data originated.
peer_path
optional
The pathname from which the data originated.
pid
optional
The process ID of the Vector instance.
pod_name
optional
The name of the pod from which the data originated.
uri
optional
The sanitized URI from which the data originated.
component_sent_event_bytes_total
counterThe total number of event bytes emitted by this component.
component_id
required
The Vector component ID.
component_kind
required
The Vector component kind.
component_name
required
Deprecated, use
component_id instead. The value is the same as component_id.component_type
required
The Vector component type.
host
optional
The hostname of the system Vector is running on.
output
optional
The specific output of the component.
pid
optional
The process ID of the Vector instance.
component_sent_events_total
counterThe total number of events emitted by this component.
component_id
required
The Vector component ID.
component_kind
required
The Vector component kind.
component_name
required
Deprecated, use
component_id instead. The value is the same as component_id.component_type
required
The Vector component type.
host
optional
The hostname of the system Vector is running on.
output
optional
The specific output of the component.
pid
optional
The process ID of the Vector instance.
events_in_total
counterThe number of events accepted by this component either from tagged
origins like file and uri, or cumulatively from other origins.
This metric is deprecated and will be removed in a future version.
Use
component_received_events_total instead.component_id
required
The Vector component ID.
component_kind
required
The Vector component kind.
component_name
required
Deprecated, use
component_id instead. The value is the same as component_id.component_type
required
The Vector component type.
container_name
optional
The name of the container from which the data originated.
file
optional
The file from which the data originated.
host
optional
The hostname of the system Vector is running on.
mode
optional
The connection mode used by the component.
peer_addr
optional
The IP from which the data originated.
peer_path
optional
The pathname from which the data originated.
pid
optional
The process ID of the Vector instance.
pod_name
optional
The name of the pod from which the data originated.
uri
optional
The sanitized URI from which the data originated.
events_out_total
counterThe total number of events emitted by this component.
This metric is deprecated and will be removed in a future version.
Use
component_sent_events_total instead.component_id
required
The Vector component ID.
component_kind
required
The Vector component kind.
component_name
required
Deprecated, use
component_id instead. The value is the same as component_id.component_type
required
The Vector component type.
host
optional
The hostname of the system Vector is running on.
output
optional
The specific output of the component.
pid
optional
The process ID of the Vector instance.
processed_bytes_total
counterThe number of bytes processed by the component.
component_id
required
The Vector component ID.
component_kind
required
The Vector component kind.
component_name
required
Deprecated, use
component_id instead. The value is the same as component_id.component_type
required
The Vector component type.
container_name
optional
The name of the container from which the bytes originate.
file
optional
The file from which the bytes originate.
host
optional
The hostname of the system Vector is running on.
mode
optional
The connection mode used by the component.
peer_addr
optional
The IP from which the bytes originate.
peer_path
optional
The pathname from which the bytes originate.
pid
optional
The process ID of the Vector instance.
pod_name
optional
The name of the pod from which the bytes originate.
uri
optional
The sanitized URI from which the bytes originate.
sqs_message_delete_failed_total
counterThe total number of failures to delete SQS messages.
component_id
required
The Vector component ID.
component_kind
required
The Vector component kind.
component_name
required
Deprecated, use
component_id instead. The value is the same as component_id.component_type
required
The Vector component type.
host
optional
The hostname of the system Vector is running on.
pid
optional
The process ID of the Vector instance.
sqs_message_delete_succeeded_total
counterThe total number of successful deletions of SQS messages.
component_id
required
The Vector component ID.
component_kind
required
The Vector component kind.
component_name
required
Deprecated, use
component_id instead. The value is the same as component_id.component_type
required
The Vector component type.
host
optional
The hostname of the system Vector is running on.
pid
optional
The process ID of the Vector instance.
sqs_message_processing_failed_total
counterThe total number of failures to process SQS messages.
component_id
required
The Vector component ID.
component_kind
required
The Vector component kind.
component_name
required
Deprecated, use
component_id instead. The value is the same as component_id.component_type
required
The Vector component type.
host
optional
The hostname of the system Vector is running on.
pid
optional
The process ID of the Vector instance.
sqs_message_processing_succeeded_total
counterThe total number of SQS messages successfully processed.
component_id
required
The Vector component ID.
component_kind
required
The Vector component kind.
component_name
required
Deprecated, use
component_id instead. The value is the same as component_id.component_type
required
The Vector component type.
host
optional
The hostname of the system Vector is running on.
pid
optional
The process ID of the Vector instance.
sqs_message_receive_failed_total
counterThe total number of failures to receive SQS messages.
component_id
required
The Vector component ID.
component_kind
required
The Vector component kind.
component_name
required
Deprecated, use
component_id instead. The value is the same as component_id.component_type
required
The Vector component type.
host
optional
The hostname of the system Vector is running on.
pid
optional
The process ID of the Vector instance.
sqs_message_receive_succeeded_total
counterThe total number of times successfully receiving SQS messages.
component_id
required
The Vector component ID.
component_kind
required
The Vector component kind.
component_name
required
Deprecated, use
component_id instead. The value is the same as component_id.component_type
required
The Vector component type.
host
optional
The hostname of the system Vector is running on.
pid
optional
The process ID of the Vector instance.
sqs_message_received_messages_total
counterThe total number of received SQS messages.
component_id
required
The Vector component ID.
component_kind
required
The Vector component kind.
component_name
required
Deprecated, use
component_id instead. The value is the same as component_id.component_type
required
The Vector component type.
host
optional
The hostname of the system Vector is running on.
pid
optional
The process ID of the Vector instance.
sqs_s3_event_record_ignored_total
counterThe total number of times an S3 record in an SQS message was ignored (for an event that was not
ObjectCreated).component_id
required
The Vector component ID.
component_kind
required
The Vector component kind.
component_name
required
Deprecated, use
component_id instead. The value is the same as component_id.component_type
required
The Vector component type.
host
optional
The hostname of the system Vector is running on.
ignore_type
required
The reason for ignoring the S3 record
pid
optional
The process ID of the Vector instance.
Permissions
Platform:
Amazon Web Services
Relevant policies
| Policy | Required for | Required when |
|---|---|---|
s3:GetObject |
|
Platform:
Amazon Web Services
Relevant policies
| Policy | Required for | Required when |
|---|---|---|
sqs:ReceiveMessage |
| strategy is set to sqs |
sqs:DeleteMessage |
| strategy is set to sqs and delete_message is set to true |
How it works
AWS authentication
Vector checks for AWS credentials in the following order:
- The
access_key_idandsecret_access_keyoptions. - The
AWS_ACCESS_KEY_IDandAWS_SECRET_ACCESS_KEYenvironment variables. - The AWS credentials file (usually located at
~/.aws/credentials). - The IAM instance profile (only works if running on an EC2 instance with an instance profile/role). Requires IMDSv2 to be enabled. For EKS, you may need to increase the metadata token response hop limit to 2.
Note that use of
credentials_process
in AWS credentials files is not supported as the underlying AWS SDK currently lacks
support.
If no credentials are found, Vector’s health check fails and an error is logged. If your AWS credentials expire, Vector will automatically search for up-to-date credentials in the places (and order) described above.
Obtaining an access key
In general, we recommend using instance profiles/roles whenever possible. In
cases where this is not possible you can generate an AWS access key for any user
within your AWS account. AWS provides a detailed guide on
how to do this. Such created AWS access keys can be used via
access_key_id
and secret_access_key options.Assuming roles
Vector can assume an AWS IAM role via the
assume_role option. This is an
optional setting that is helpful for a variety of use cases, such as cross
account access.Handling events from the aws_s3 source
This source behaves very similarly to the file source in that
it will output one event per line (unless the multiline
configuration option is used).
You will commonly want to use transforms to
parse the data. For example, to parse VPC flow logs sent to S3 you can
chain the tokenizer transform:
[transforms.flow_logs]
type = "tokenizer" # required
inputs = ["s3"]
field_names = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]
types.srcport = "int"
types.dstport = "int"
types.packets = "int"
types.bytes = "int"
types.start = "timestamp|%s"
types.end = "timestamp|%s"
To parse AWS load balancer logs, the regex_parser transform can be used:
[transforms.elasticloadbalancing_fields_parsed]
type = "regex_parser"
inputs = ["s3"]
regex = '''
(?x)^
(?P<type>[\w]+)[ ]
(?P<timestamp>[\w:.-]+)[ ]
(?P<elb>[^\s]+)[ ]
(?P<client_host>[\d.:-]+)[ ]
(?P<target_host>[\d.:-]+)[ ]
(?P<request_processing_time>[\d.-]+)[ ]
(?P<target_processing_time>[\d.-]+)[ ]
(?P<response_processing_time>[\d.-]+)[ ]
(?P<elb_status_code>[\d-]+)[ ]
(?P<target_status_code>[\d-]+)[ ]
(?P<received_bytes>[\d-]+)[ ]
(?P<sent_bytes>[\d-]+)[ ]
"(?P<request_method>[\w-]+)[ ]
(?P<request_url>[^\s]+)[ ]
(?P<request_protocol>[^"\s]+)"[ ]
"(?P<user_agent>[^"]+)"[ ]
(?P<ssl_cipher>[^\s]+)[ ]
(?P<ssl_protocol>[^\s]+)[ ]
(?P<target_group_arn>[\w.:/-]+)[ ]
"(?P<trace_id>[^\s"]+)"[ ]
"(?P<domain_name>[^\s"]+)"[ ]
"(?P<chosen_cert_arn>[\w:./-]+)"[ ]
(?P<matched_rule_priority>[\d-]+)[ ]
(?P<request_creation_time>[\w.:-]+)[ ]
"(?P<actions_executed>[\w,-]+)"[ ]
"(?P<redirect_url>[^"]+)"[ ]
"(?P<error_reason>[^"]+)"
'''
field = "message"
drop_failed = false
types.received_bytes = "int"
types.request_processing_time = "float"
types.sent_bytes = "int"
types.target_processing_time = "float"
types.response_processing_time = "float"
[transforms.elasticloadbalancing_url_parsed]
type = "regex_parser"
inputs = ["elasticloadbalancing_fields_parsed"]
regex = '^(?P<url_scheme>[\w]+)://(?P<url_hostname>[^\s:/?#]+)(?::(?P<request_port>[\d-]+))?-?(?:/(?P<url_path>[^\s?#]*))?(?P<request_url_query>\?[^\s#]+)?'
field = "request_url"
drop_failed = false
Transport Layer Security (TLS)
Vector uses OpenSSL for TLS protocols. You can
adjust TLS behavior via the
tls.* options.