Closed mrobinson1022 closed 7 months ago
It appears a rogue agent (a team member) disconnected this ALB from the logs bucket, which is why we suddenly had zero logs. So it seems the majority of the ELB logs are being ingested; however, some are still facing this issue. I'm curious about the cause, but the main issue of NO logs at all has been solved 🤣
What SIEM version are you using?
The ssl_cipher in the logs seems to have changed.
Your sample log: ssl_cipher uses underscores
TLS_AES_128_GCM_SHA256 TLSv1.3
On the other hand, the sample log in the official documentation uses dashes.
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html
workaround: Edit part of log_pattern in the [alb] section of aws.ini
Where to modify:
From:
(?P<ssl_cipher>[()A-Z0-9-]+)
To:
(?P<ssl_cipher>[()A-Z0-9_-]+)
Or please update SIEM version to v2.10.2a
Thanks so much for spotting that @nakajiak! It looks like, in typical AWS fashion, three of the TLS ciphers use underscores rather than dashes.
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html
I didn't know about the three TLS ciphers. Thanks so much.
ALB access logs have been ingesting into opensearch using the es-loader function for a while now. This morning they appear to have completely stopped due to a mismatch on the regex pattern.
I'm seeing this in the logs:
Any guidance you can give would be greatly appreciated!