AWS Elastic Load Balancer
About
Elastic Load Balancing automatically distributes incoming traffic across multiple targets, such as EC2 instances, containers, and IP addresses, in one or more Availability Zones. It monitors the health of its registered targets and routes traffic only to the healthy targets.
Product Details
Vendor URL: AWS Elastic Load Balancer
Product Type: Load Balancer
Product Tier: Tier III
Integration Method: S3 Bucket
Integration URL: guide
Log Guide: Logs by type of ELB network - application - classic
Parser Details
Log Format: space delimited
Expected Normalization Rate: near 100%
Data Label: AWS_ELB
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
aws_account | additional.fields |
aws_certificate | additional.fields |
client_ip | principal.ip |
client_port | principal.port |
destination_ip | target.ip |
destination_port | target.port |
domain_name | intermediary.administrative_domain |
elb | intermediary.hostname |
elb_status_code | network.http.response_code |
method | network.http.method |
received_bytes | network.received_bytes |
region | intermediary.location.name |
sent_bytes | network.sent_bytes |
target_port | target.port |
tls_cipher | network.tls.cipher |
tls_protocol_version | network.tls.version |
url | target.url |
user_agent | network.http.user_agent |
Product Event Types
Event | UDM Event Classification |
---|---|
All | NETWORK_CONNECTION |
Log Samples
Coming Soon
Sample Parsing
metadata.event_type = "NETWORK_CONNECTION"
metadata.vendor_name = "AWS"
metadata.product_name = "Elastic_Load_Balancer"
metadata.product_event_type = "CLASSIC"
additional.aws_certificate = "certificate/redacted"
additional.aws_account = "redacted"
principal.ip = "10.10.30.40"
principal.port = 17347
principal.asset.ip = "10.20.30.40"
target.ip = "10.1.2.3"
target.port = 9200
target.asset.ip = "10.1.2.3"
intermediary.hostname = "samplehost/redacted"
intermediary.administrative_domain = "domain.com"
intermediary.location.name = "us-east-1"
intermediary.cloud.environment = "AMAZON_WEB_SERVICES"
network.sent_bytes = "377"
network.received_bytes = "1177"
network.tls.cipher = "ECDHE-RSA-AES128-GCM-SHA256"
network.tls.version = "tlsv12"
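An added example, not the parser's own code: a minimal Python mapping of a Classic Load Balancer access log line onto the UDM fields in the table above. The field order follows the AWS Classic ELB access log documentation; the function names, the constructed sample lines and the lower-casing of the TLS version (chosen to match the `tlsv12` value shown above) are assumptions.

```python
import shlex

# Field order of a Classic Load Balancer access log entry (AWS documentation).
CLASSIC_FIELDS = (
    "timestamp elb client backend request_processing_time backend_processing_time "
    "response_processing_time elb_status_code backend_status_code received_bytes "
    "sent_bytes request user_agent tls_cipher tls_protocol_version"
).split()

# Constructed sample lines (not real traffic): an HTTPS request and a TCP listener entry.
SAMPLE_HTTPS = ('2024-01-15T10:00:00.000000Z sample-elb 10.10.30.40:17347 10.1.2.3:9200 '
                '0.000086 0.001048 0.001337 200 200 1177 377 '
                '"GET https://domain.com:443/health HTTP/1.1" "curl/8.0" '
                'ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2')
SAMPLE_TCP = ('2024-01-15T10:00:01.000000Z sample-elb 10.10.30.40:17348 - '
              '0.000001 0.000001 0.000001 - - 0 0 "- - - " "-" - -')

def split_endpoint(value):
    # 'ip:port', or a bare '-' when the load balancer logged no endpoint
    ip, _, port = value.rpartition(":")
    return (ip, int(port)) if ip else (None, None)

def classic_elb_to_udm(line):
    parts = shlex.split(line)  # keeps the quoted request and user agent whole
    if len(parts) < len(CLASSIC_FIELDS):
        raise ValueError(f"expected {len(CLASSIC_FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(CLASSIC_FIELDS, parts))
    udm = {
        "metadata.event_type": "NETWORK_CONNECTION",
        "metadata.product_event_type": "CLASSIC",
        "intermediary.hostname": rec["elb"],
        "network.received_bytes": int(rec["received_bytes"]),
        "network.sent_bytes": int(rec["sent_bytes"]),
    }
    udm["principal.ip"], udm["principal.port"] = split_endpoint(rec["client"])
    udm["target.ip"], udm["target.port"] = split_endpoint(rec["backend"])
    if rec["elb_status_code"] != "-":
        udm["network.http.response_code"] = int(rec["elb_status_code"])
    method, _, rest = rec["request"].partition(" ")
    if method != "-":  # TCP/SSL listeners log the request as "- - - "
        udm["network.http.method"] = method
        udm["target.url"] = rest.rsplit(" ", 1)[0]
    if rec["user_agent"] != "-":
        udm["network.http.user_agent"] = rec["user_agent"]
    if rec["tls_cipher"] != "-":
        udm["network.tls.cipher"] = rec["tls_cipher"]
        # Assumed normalisation so "TLSv1.2" matches the page's sample "tlsv12"
        udm["network.tls.version"] = rec["tls_protocol_version"].lower().replace(".", "")
    return {k: v for k, v in udm.items() if v is not None}
```

Fields the load balancer logs as `-` (no backend, no HTTP request, no TLS) are left out of the result rather than emitted as placeholder strings, so downstream detections do not match on `-`.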
Parser Alerting
This product currently does not have any Parser-based Alerting.
Rules
Coming Soon