Enable HTTP request Log Shipping

VIP’s Log Shipping feature will ship copies of an application’s HTTP request logs at 5-minute intervals to a customer’s Amazon Web Services (AWS) S3 buckets.

Files from more than one of an organization’s applications and environments can be shipped to a single S3 bucket.

Prerequisites

  • To enable Log Shipping, a user must have at minimum an Org admin role or an App admin role for that application.
  • The AWS S3 bucket name and region are required for configuration.
  • The user must have access to modify the AWS S3 bucket policy to complete the setup.

AWS S3 bucket requirements

To ensure that HTTP request Log Shipping works as expected once it is enabled, the AWS S3 bucket must meet the following requirements:

  • The name of the AWS S3 bucket must be globally unique. To ensure a unique bucket name, VIP recommends including the organization’s name, the application’s name, and the name of the enabled feature. For example, an organization named “Acme, Inc.” would name their S3 bucket: acme-inc-http-log-shipping. If the name is not globally unique, there is a risk that files will be shipped to an S3 bucket other than the one intended.
  • The AWS S3 bucket name can only include lowercase letters (a-z), numbers (0-9) and hyphens (-). Review the AWS bucket naming requirements for additional information.
  • File shipping will fail if the name of the AWS S3 bucket includes a period (.).

Path

  • Specifying a destination folder inside of an S3 bucket using a custom path is not supported.

Encryption

  • Files are encrypted in-transit using TLS between VIP and the AWS S3 bucket.
  • To ensure that files are encrypted at-rest, configure encryption for the AWS S3 bucket.
  • The S3 bucket must not use KMS encryption; SSE-S3 is the preferred encryption option.

Enable Log Shipping

  1. Navigate to the VIP Dashboard and select the “Settings” panel option at the left.
  2. Below “Add-ons” select “Log Shipping”.
  3. Select the “Configuration” tab.
  4. Enter the “Bucket Name” and “Bucket Region” values for the S3 bucket that will receive the shipped logs from VIP.
  5. Select “Continue”.
     [Screenshot of the Log Shipping configuration panel in the VIP Dashboard]
  6. Copy the contents of the JSON-formatted “Generated Access Policy” config file. Add the Generated Access Policy content to the S3 bucket by following the instructions for Granting AWS Config access to the Amazon S3 Bucket.
  7. Run “Test Configuration” by selecting “Test and Continue”. A test file named vip-go-test-file.txt will be uploaded to the S3 bucket as part of the verification process. This file will always be present in a site’s configured S3 bucket and path, alongside the dated folders that contain the logs themselves.
  8. If the configuration test was successful, select “Enable Add-on” for log shipping to the S3 bucket to begin.

Disable Log Shipping

  1. Navigate to the VIP Dashboard and select the “Settings” panel option at the left.
  2. Below “Add-ons” select “Log Shipping”.
  3. Select the “Configuration” tab.
  4. Select “Disable Add-on”.

Restricting access by IP range

To restrict access to an AWS S3 bucket via IP range, ensure your bucket access policy accounts for the dynamic IP range accessible at https://go-vip.net/ip-ranges.json. A system to auto-update the access policy will need to be implemented, as the IP ranges are subject to change.
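One way to build the core of the auto-update system described above, as an added example that is not VIP's own code. The schema of ip-ranges.json is not described on this page, so `extract_cidrs` collects any CIDR string it finds; `SHIPPER_ARN`, the sample feed and the sample policy are constructed placeholders, and the code assumes the Generated Access Policy contains an Allow statement with an AWS principal.

```python
import copy
import ipaddress

# Constructed sample data: the feed schema, principal ARN and policy are placeholders.
SAMPLE_FEED = {"updated": "2023-02-04", "source": "https://example.invalid/a/b",
               "ranges": [{"cidr": "198.51.100.0/24"}, {"cidr": "192.0.2.7/24"},
                          {"cidr": "2001:db8::/32"}]}
SHIPPER_ARN = "arn:aws:iam::111122223333:user/EXAMPLE-SHIPPER"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": SHIPPER_ARN}, "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::acme-inc-http-log-shipping/*"}]}


def extract_cidrs(doc):
    """Collect every string in parsed JSON that is a valid IPv4/IPv6 CIDR."""
    found, stack = set(), [doc]
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            stack.extend(node.values())
        elif isinstance(node, list):
            stack.extend(node)
        elif isinstance(node, str) and "/" in node:
            try:  # strict=False normalises host bits: 192.0.2.7/24 -> 192.0.2.0/24
                found.add(str(ipaddress.ip_network(node, strict=False)))
            except ValueError:
                pass  # a URL or other non-CIDR string
    return sorted(found)


def restrict_to_cidrs(policy, principal_arn, cidrs):
    """Return (new_policy, changed): pin aws:SourceIp on the principal's Allow statements."""
    if not cidrs:  # an empty or unparsable feed must never replace a working allow-list
        raise ValueError("refusing to apply an empty IP allow-list")
    new_policy, matched = copy.deepcopy(policy), 0
    for stmt in new_policy["Statement"]:
        principal = stmt.get("Principal")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        aws = [aws] if isinstance(aws, str) else aws
        if stmt.get("Effect") == "Allow" and principal_arn in aws:
            stmt.setdefault("Condition", {}).setdefault("IpAddress", {})["aws:SourceIp"] = list(cidrs)
            matched += 1
    if matched == 0:
        raise LookupError("no Allow statement for the shipping principal")
    return new_policy, new_policy != policy
```

A scheduled job would fetch the feed, pass the current bucket policy through `restrict_to_cidrs`, and write the result back (for example with `aws s3api put-bucket-policy`) only when `changed` is true.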

Last updated: February 04, 2023