Question on CloudFront log files
Is there a trick to ingesting access files from AWS CloudFront via S3?
I’ve been able to connect Sumo to an S3 bucket and it is grabbing the gzip files and decompressing them. But it never sees the actual log messages. It only records the first two lines, which are just a version value and column identifiers.
I tried a few different Processing Rules, but I never did get any actual messages. I only saw the column header info and the version number in the log queries.
I am using a five-minute scan interval and not the SNS integration.
I shouldn't need any special multiline processing, as log values are on a single line.
Bucket versioning is disabled.
What else do I need to check?
Official comment
Hi Todd,
If you have not done this already, can you please submit a support ticket (also under Help > Support in the UI) with the following information?
- Sumo account ID (on the Account page)
- Name of the source you are troubleshooting on the collection page
- Example file from your S3 bucket
- Share the search URL to the query you are using in Sumo
And we will get you a resolution as quickly as possible :)