Skip to content

AWS Elastic Load Balancer

AWS ELB

About

Elastic Load Balancing automatically distributes incoming traffic across multiple targets, such as EC2 instances, containers, and IP addresses, in one or more Availability Zones. It monitors the health of its registered targets and routes traffic only to the healthy targets.

Product Details

Vendor URL: AWS Elastic Load Balancer

Product Type: Load Balancer

Product Tier: Tier III

Integration Method: S3 Bucket

Integration URL: guide

Log Guide: Logs by type of ELB network - application - classic

Parser Details

Log Format: space delimited

Expected Normalization Rate: near 100%

Data Label: AWS_ELB

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
aws_account additional.fields
aws_certificate additional.fields
client_ip principal.ip
client_port principal.port
destination_ip target.ip
destination_port target.port
domain_name intermediary.administrative_domain
elb intermediary.hostname
elb_status_code network.http.response_code
method network.http.method
received_bytes network.received_bytes
region intermediary.location.name
sent_bytes network.sent_bytes
target_port target.port"
tls_cipher network.tls.cipher
tls_protocol_version network.tls.version
url target.url
user_agent network.http.user_agent

Product Event Types

Event UDM Event Classification
All NETWORK_CONNECTION

Log Samples

Coming Soon

Sample Parsing

metadata.event_type = "NETWORK_CONNECTION"
metadata.vendor_name = "AWS"
metadata.product_name = "Elastic_Load_Balancer"
metadata.product_event_type = "CLASSIC"
additional.aws_certificate = "certificate/redacted"
additional.aws_account = "redacted"
principal.ip = "10.10.30.40"
principal.port = 17347
principal.asset.ip = "10.20.30.40"
target.ip = "10.1.2.3"
target.port = 9200
target.asset.ip = "10.1.2.3"
intermediary.hostname = "samplehost/redacted"
intermediary.administrative_domain = "domain.com"
intermediary.location.name = "us-east-1"
intermediary.cloud.environment = "AMAZON_WEB_SERVICES"
network.sent_bytes = "377"
network.received_bytes = "1177"
network.tls.cipher = "ECDHE-RSA-AES128-GCM-SHA256"
network.tls.version = "tlsv12"

Parser Alerting

This product currently does not have any Parser-based Alerting