[AWS ELB] Output ALB logs to S3

I want to collect the ALB logs as well, not just the apache2 access.log and error.log.

1. Create a bucket in S3.
– access-log-hoge
– For permissions, Block all public access is fine

2. Edit the bucket policy
The account ID in the policy depends on the region; for Tokyo it is 582318560864.
ap-northeast-1 Asia Pacific (Tokyo) 582318560864

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::582318560864:root"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::access-log-hoge/AWSLogs/${aws-id}/*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::access-log-hoge/AWSLogs/${aws-id}/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "delivery.logs.amazonaws.com"
      },
      "Action": "s3:GetBucketAcl",
      "Resource": "arn:aws:s3:::access-log-hoge"
    }
  ]
}

4. Enable access logs on the ALB side

5. bucket


Amazon S3 / access-log-hoge / AWSLogs/ ${account-id}/ elasticloadbalancing/ ap-northeast-1/ 2021/ 01/ 17/
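An added example (not from the original notes) that audits a bucket policy like the one in step 2 for Allow statements broader than log delivery needs. The account ID 111122223333 standing in for ${aws-id}, the weak variant and the function names are constructed for illustration.

```python
def as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def audit_log_policy(policy, bucket, account_id, elb_account_id):
    """Return (statement index, problem) pairs for over-broad Allow statements."""
    prefix = f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/"
    expected = {("AWS", f"arn:aws:iam::{elb_account_id}:root"),
                ("Service", "delivery.logs.amazonaws.com")}
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        if isinstance(principal, dict):
            who = {(k, v) for k, vals in principal.items() for v in as_list(vals)}
        else:
            who = {("any", principal)}  # e.g. "Principal": "*"
        if not who <= expected:
            findings.append((i, "unexpected principal"))
        resources = as_list(st.get("Resource"))
        for action in as_list(st.get("Action")):
            if action == "s3:PutObject":
                if not all(r.startswith(prefix) for r in resources):
                    findings.append((i, "PutObject outside AWSLogs prefix"))
            elif action == "s3:GetBucketAcl":
                if resources != [f"arn:aws:s3:::{bucket}"]:
                    findings.append((i, "GetBucketAcl on unexpected resource"))
            else:
                findings.append((i, "unexpected action " + action))
    return findings


ACCOUNT = "111122223333"  # constructed account ID replacing ${aws-id}
LOGS = f"arn:aws:s3:::access-log-hoge/AWSLogs/{ACCOUNT}/*"
# The policy from step 2, with the placeholder filled in.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::582318560864:root"},
     "Action": "s3:PutObject", "Resource": LOGS},
    {"Effect": "Allow", "Principal": {"Service": "delivery.logs.amazonaws.com"},
     "Action": "s3:PutObject", "Resource": LOGS,
     "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    {"Effect": "Allow", "Principal": {"Service": "delivery.logs.amazonaws.com"},
     "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3:::access-log-hoge"}]}
# Constructed weak variant: any principal may write anywhere in the bucket.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::access-log-hoge/*"}]}
```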





Apparently the ALB health check is the cause.
The defaults are Timeout 5 seconds and Interval 30 seconds, so from the ELB Target Groups, change the health check settings to 2 seconds and 5 seconds respectively.

Developer Forum

Yes, CodeDeploy depends on the ELB Health Check settings that you have configured your ELB with. After an instance is bound to the ELB, CodeDeploy waits for the status of the instance to be healthy ("inService") behind the load balancer. This health check is done by ELB and depends on the health check configuration you have set.



### Prepare two public subnets
– Place an EC2 instance in each of two public subnets in different availability zones

dev-subnet-public1 (ap-northeast-1a) ... web-prd-01
dev-subnet-private1 (ap-northeast-1a) ... RDS MultiAZ
dev-subnet-private2 (ap-northeast-1c) ... RDS MultiAZ

1. dev-subnet-public2 (ap-northeast-1c) ... web-prd-02
2. Associate the existing public route table (the internet gateway is already attached)

### Create an instance from the AMI
– Clone the instance from the web-prd-01 AMI
– Assign dev-vpc as the VPC and dev-subnet-public2 as the subnet
– Auto-assign Public IP: Enable, IAM role: s3readonly


### Build the load balancer
– Create a target group from Target Groups under LOAD BALANCING in the EC2 left menu
– target group name: ${app name}-target-group
– target type: instance
– Protocol: HTTP
– Port: 80
– VPC: dev-vpc
– Health check settings: http, /

On the target group just created, use Action -> Register and deregister instance/ip targets to attach web-prd-01 and web-prd-02

### Create the ALB
Name: ${appName}-prd-alb
Scheme: internet-facing
IP address type: ipv4
Listener: http:80
Availability Zones:
VPC: dev-vpc
Subnet: dev-subnet-public1, dev-subnet-public2

Configure Security Groups
-> Create a security group for the ALB
-> alb-${appName}-security-group
-> Custom TCP

Configure Routing
– Target group: Existing target group
– Name: ${appName}-target-group
– Protocol Port: HTTP 80

### Create a new security group
– SSH:
– HTTP: ${ALB security group ID}
Change the security group of the instances (web-prd-01, web-prd-02) to the newly created security group

-> Hit the ALB DNS name to confirm it works
-> Confirm that hitting an instance's public IP returns no response
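The two checks above can also be made against the configuration itself. This added example, not part of the original notes, scans data shaped like `aws ec2 describe-security-groups` output for any source other than the ALB security group that can reach port 80; the group IDs, group names and CIDR ranges are constructed.

```python
ALB_SG = "sg-0a1b2c3d4e5f60001"  # constructed ID standing in for the ALB security group

# Constructed data in the shape of `aws ec2 describe-security-groups` output.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "web-behind-alb",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []},
         {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
          "IpRanges": [], "UserIdGroupPairs": [{"GroupId": ALB_SG}]}]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "web-open",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
]}


def http_bypass_sources(group, alb_sg_id, port=80):
    """List ingress sources on `port` other than the ALB security group."""
    findings = []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "tcp":
            if not perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535):
                continue
        elif proto != "-1":  # "-1" means all protocols and ports
            continue
        findings += [("cidr", r["CidrIp"]) for r in perm.get("IpRanges", [])]
        findings += [("cidr", r["CidrIpv6"]) for r in perm.get("Ipv6Ranges", [])]
        findings += [("prefix-list", p["PrefixListId"])
                     for p in perm.get("PrefixListIds", [])]
        findings += [("sg", g["GroupId"]) for g in perm.get("UserIdGroupPairs", [])
                     if g["GroupId"] != alb_sg_id]
    return findings


def audit(data, alb_sg_id):
    """Map each group name to the sources that can reach port 80 around the ALB."""
    return {g["GroupName"]: http_bypass_sources(g, alb_sg_id)
            for g in data["SecurityGroups"]}


if __name__ == "__main__":
    for name, sources in audit(SAMPLE, ALB_SG).items():
        print(name, "OK" if not sources else sources)
```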

UnHealthyHostCount, Latency

Number of healthy EC2 instances registered with the load balancer in the specified Availability Zone. Hosts that do not fail the health check beyond the unhealthy threshold are considered healthy. When evaluating this metric, the dimensions should be defined by LoadBalancerName and AvailabilityZone.
This metric represents the number of healthy instances in the specified Availability Zone. Instances may become unhealthy due to connection problems such as non-200 responses (for HTTP and HTTPS health checks) and timeouts when doing health checks. To get the total number of healthy hosts, retrieve this metric for each registered Availability Zone and add the values together.

The elapsed time from request leaving the load balancer to receiving the corresponding response.

ELB access log


2014-03-07T07:25:38.285777Z elber 130.0.237.XX:37522 0.000066 0.00105 0.000037 404 404 0 570 "GET http://54.249.27.XX:80/actus4/ HTTP/1.1"
2014-03-07T07:26:43.731149Z elber 77.50.22.XXX:53477 0.000053 0.000866 0.000053 200 200 0 10 "GET http://54.249.27.XX:80/ HTTP/1.0"
2014-03-07T07:26:44.410747Z elber 77.50.22.XXX:53656 0.000052 0.000853 0.000039 404 404 0 168 "GET http://54.249.27.XX:80/foltia/ HTTP/1.0"
2014-03-07T07:26:45.084730Z elber 77.50.22.XXX:53839 0.000061 0.000874 0.000035 404 404 0 168 "GET http://54.249.27.XX:80/epgrec/do-record.sh HTTP/1.0"
2014-03-07T07:28:12.386207Z elber 189.206.75.XX:64289 0.000062 0.000924 0.000035 404 404 0 168 "GET http://54.249.27.XX:80/manager/html HTTP/1.1"


The time accessed by the Client. UTC time, recorded in ISO 8601 format.
2014-02-15T23:39:43.945958Z

Name of ELB
ELB Name: test-loadbalancer

Port Client IP address and port number

port IP address and port number of the instance to which communication was distributed by ELB. This will tell you which server it was assigned to

The time between the ELB receiving a request from the client and sending the request to the instance

The time it takes for the ELB to send a request to an instance and the instance returns a response.

The time from when the ELB receives a response from an instance to when it returns a response to the client.

response status code.

Response status code of the instance to which the ELB sent the request.

Size of received request (bytes)

Size of sent request (bytes)

request from a client
"GET http://www.example.com:80/ HTTP/1.1"
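An added example, not from the original post: a parser for the fields described above, run over the sample lines to list clients that drew 404s on several distinct paths. The optional backend field, the final sample line and the function names are assumptions made here, since the page's sample lines carry no backend address.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Classic ELB access log line. backend:port is optional because the sample
# lines on this page do not carry it (assumption: removed before posting).
LINE_RE = re.compile(
    r'(?P<timestamp>\S+) (?P<elb>\S+) (?P<client_ip>\S+):(?P<client_port>\d+) '
    r'(?:(?P<backend>\S+:\d+|-) )?'
    r'(?P<request_time>-?[\d.]+) (?P<backend_time>-?[\d.]+) '
    r'(?P<response_time>-?[\d.]+) (?P<elb_status>\d{3}|-) '
    r'(?P<backend_status>\d{3}|-) (?P<received_bytes>\d+) (?P<sent_bytes>\d+) '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<protocol>[^"]*)"'
)

# The first five lines are the page's samples; the last one is constructed
# and includes a backend:port field.
SAMPLE = '''\
2014-03-07T07:25:38.285777Z elber 130.0.237.XX:37522 0.000066 0.00105 0.000037 404 404 0 570 "GET http://54.249.27.XX:80/actus4/ HTTP/1.1"
2014-03-07T07:26:43.731149Z elber 77.50.22.XXX:53477 0.000053 0.000866 0.000053 200 200 0 10 "GET http://54.249.27.XX:80/ HTTP/1.0"
2014-03-07T07:26:44.410747Z elber 77.50.22.XXX:53656 0.000052 0.000853 0.000039 404 404 0 168 "GET http://54.249.27.XX:80/foltia/ HTTP/1.0"
2014-03-07T07:26:45.084730Z elber 77.50.22.XXX:53839 0.000061 0.000874 0.000035 404 404 0 168 "GET http://54.249.27.XX:80/epgrec/do-record.sh HTTP/1.0"
2014-03-07T07:28:12.386207Z elber 189.206.75.XX:64289 0.000062 0.000924 0.000035 404 404 0 168 "GET http://54.249.27.XX:80/manager/html HTTP/1.1"
2014-03-07T07:30:00.000000Z elber 192.0.2.10:40000 10.0.0.5:80 0.000050 0.000900 0.000040 200 200 0 10 "GET http://54.249.27.XX:80/ HTTP/1.1"
'''.splitlines()

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"] = urlsplit(rec["url"]).path
    for key in ("request_time", "backend_time", "response_time"):
        rec[key] = float(rec[key])
    return rec

def probing_clients(lines, min_paths=2):
    """Clients that received 404 on at least min_paths distinct paths."""
    misses = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        if rec["elb_status"] == "404":
            misses[rec["client_ip"]].add(rec["path"])
    return {ip: sorted(p) for ip, p in misses.items() if len(p) >= min_paths}

if __name__ == "__main__":
    for ip, paths in probing_clients(SAMPLE).items():
        print(ip, paths)
```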

ELB http 460

What is HTTP 460 on ELB
The load balancer received a request from a client, but the client closed the connection with the load balancer before the idle timeout expired.

Check if the client timeout period is longer than the load balancer idle timeout period. Before the client timeout period expires, make sure that the target returns a response to the client, or if the client supports it, increase the client timeout period to match the load balancer idle timeout.

AWS health check

The health check function checks whether the load balancer and the target server are connected. It checks at regular intervals whether the website can be seen via the load balancer.

For AWS, the check is whether the health check URL set on the console screen can be accessed. It passes if the URL returns HTTP status 200. If a 404 comes back by mistake, the site will not be displayed even when you access the URL through the load balancer.

An instance seems to go OutOfService for a while when it is restarted while attached to the ELB. Also, because the health check must return 200, a health check URL behind Basic authentication will naturally be OutOfService, since a 401 error comes back. If you are using ELB and need Basic authentication, the health check URL alone must be left in a state where authentication is not applied.

Manage multiple domains on AWS EC2



NameVirtualHost *:80

<VirtualHost *:80>
    # the domain used so far
    ServerName hoge
    DocumentRoot "/var/www/html"
</VirtualHost>

<VirtualHost *:80>
    # the new domain
    ServerName hogehoge
    DocumentRoot "/var/www/dev/html"
</VirtualHost>

$ sudo service httpd restart
Starting httpd: AH00548: NameVirtualHost has no effect and will be removed in the next release

What on earth is this? What is going on here?
do not stop, keep going

curl http://www.yahoo.co.jp
It does not seem to be /etc/resolv.conf.