Bucket Access Logs
- Print
- DarkLight
Bucket Access Logs
- Print
- DarkLight
Article summary
Did you find this summary helpful?
Thank you for your feedback
Backblaze Bucket Access Logs contain detailed records about requests made on a bucket. Information such as the time and date of requests, request types, and specified resources, can be included in these access logs. Bucket Access Logs are intended to help facilitate and assist you in general data security and compliance requirements, as well as troubleshooting and monitoring.
Example Bucket Access Log:
5390fcd33749 5390fcd33749-s3-service-exerciser-s3-bucket
[17/Apr/2025:22:47:56 +0000] 127.0.0.0 1005390fcd337490000000086
ccad706cf1cb02c6 REST.S3_GET_OBJECT test.html
"GET /test.html?versionId=4_z85b369305f6c6d1393470419_f4178bc399f591e62_d20250113_m202432_c100_v0009990_t0001_u01736799872973
HTTP/1.1" 200 - - 71 43 43 "-"
"PostmanRuntime/7.43.3" - - SigV4 - AuthHeader s3.us-east-005.backblazeb2.com - - -Enable Bucket Access Logs
Please contact Backblaze Sales to enable Bucket Access Logs for your account. Please note that while the Access Logs configuration option on your buckets is displayed in the Backblaze web console, Bucket Access Logs still need to be enabled by a Backblaze sales representative.
Backblaze does not collect bucket access logs by default. To start collecting data on a bucket, you will need to enable access logging at the bucket level on the desired source bucket (the bucket for which you would like to monitor activity) and select a destination bucket (also known as a target bucket) to which Backblaze will deliver the logs. While it is possible to have logs delivered to the source bucket itself, every time a log is written to the source bucket it will be logged as an event, resulting in an infinite log loop. So for the sake of efficient log management, we recommend that Bucket Access Logs be stored in a different bucket.
You can use the Backblaze web console or S3-Compatible API to enable access logging on a bucket.
Backblaze Web Console
- In the Backblaze web console in the left navigation menu under B2 Cloud Storage click Buckets and locate the bucket for which you would like to enable Bucket Access Logs.
- Click the Access Logs link to open the Bucket Access Logs configuration panel.
- In the Access Logs panel toggle Access Logging to Enabled.
- Next, configure a Log File Destination bucket. This destination bucket will be the storage location for the source bucket’s access logs. Select the destination bucket from the dropdown menu. There is also an option to add a prefix to store the Bucket Access Logs in a specific folder in the destination bucket.The following are requirements for assigning a destination bucket to receive Bucket Access Logs:
- Destination bucket must be a B2 Cloud Storage bucket.
- Destination bucket and source bucket must be in the same account.
- (OptionaI) It is possible to select between two different log object key formats and date sources, depending on your needs. For more information on log object key formats, see below.
- When you are finished with the configuration, click Update Bucket.
S3-Compatible API
Two S3-Compatible API operations are available for configuring and retrieving information on Bucket Access Logs:
- S3 Put Bucket Logging — enables and configures Bucket Access Logs for a source bucket.
- S3 Get Bucket Logging — returns the logging status of a source bucket.
Please ensure that the application key used in your requests includes
writeBucketLogging and readBucketLogging capabilities.Disable Bucket Access Logs
You can use the Backblaze web console or S3-Compatible API to disable access logging on a bucket.
Backblaze Web Console
- In the Backblaze web console in the left navigation menu under B2 Cloud Storage click Buckets and locate the bucket for which you would like to enable Bucket Access Logs.
- Click the Access Logs link to open the Bucket Access Logs configuration panel.
- In the Access Logs panel toggle Access Logging to Disabled.
- Finally, click Update Bucket to save the changes.
S3-Compatible API
To disable logging, call the S3 Put Bucket Logging operation and use an empty BucketLoggingStatus in the request. For more information, please refer to the API documentation.
Log Object Key Format
In order to support AWS S3-compatibility, Bucket Access Logs follow the AWS S3 naming pattern for object log names.
Example Log File Name:
prefix/0883dc05e9a6/us-west-100/example-log-name/2025/03/27/2025-03-27-15-12-52-[UniqueString]
Bucket Access Logs can have two different log object ket formats:
- Non-date-based partitioning – This is the default log object key format:
[DestinationPrefix][YYYY]-[MM]-[DD]-[hh]-[mm]-[ss]-[UniqueString] - Date-based partitioning – If you choose date-based partitioning, you can choose the event time or delivery time for the log file as the date source used in the log format. This format makes it easier to query the logs:
[DestinationPrefix]/[SourceAccountId]/[SourceRegion]/[SourceBucket]/[YYYY]/[MM]/[DD]/[YYYY]-[MM]-[DD]-[hh]-[mm]-[ss]-[UniqueString]
Log Delivery
Bucket Access Logs will be delivered to your destination bucket on a best-effort basis. This means that, for most logs, you can expect delivery within a few hours of the log being first recorded. Please note that the time between a particular request on a bucket and when that request is recorded in the logs and delivered is not guaranteed. Additionally, logs may occasionally be incomplete and/or contain duplicate data. For this reason, we advise that Bucket Access Logs not be regarded as a complete accounting of all requests but instead, be used to indicate the nature of traffic to your bucket.
Bucket Logging Status Changes
Please note that changes made to the logging status of a bucket take time to take effect. For example, if you change your destination bucket from bucket A to bucket B, bucket A may continue to receive some logs for a short period.
Was this article helpful?