Help Center/ Object Storage Service/ API Reference/ Bucket APIs/ Bucket Logging/ Configuring Logging for a Bucket

Updated on 2026-04-16 GMT+08:00

Configuring Logging for a Bucket

Functions

By default, bucket logging is disabled when you create or access a bucket. You can enable bucket logging by turning on the log configuration management switch. OBS logs all the requests for the bucket and stores the logs either in the logged bucket or another bucket that belongs to the same account and region as the logged bucket. You can search and analyze these logs to trace and locate abnormal events. For more information about bucket logging, see Configuring Logging for a Bucket.

Constraints

You can store logs in the logged bucket or another bucket. However, the log storage bucket and logged bucket must belong to the same account and region.
By default, buckets in the Infrequent Access or Archive storage class cannot be used to store log files. Stored log files occupy storage space in the bucket and are billed the same way as user-stored data.

Authorization Information

Authorization required for calling this API

To call this API, you must be the bucket owner or have the permission to configure logging for a bucket. You are advised to use IAM or bucket policies for authorization. For details about OBS authorization methods, see Differences Between OBS Permissions Control Methods.

If you use IAM for authorization, you need to use either role/policy-based authorization or identity policy-based authorization and configure the required permissions:

If you use role/policy-based authorization (IAM v3 APIs in the old IAM version), you need to grant the obs:bucket:PutBucketLogging permission. For details, see Creating a Custom IAM Policy.

If you use identity policy-based authorization (IAM v5 APIs in the new IAM version), you need to grant the obs:bucket:putBucketLogging permission, as shown in the following table. For details, see Creating a Custom IAM Identity Policy.

Action	Access Level	Resource Type (*: Required)	Condition Key	Alias	Dependencies
obs:bucket:putBucketLogging	Write	bucket *	g:EnterpriseProjectId g:ResourceTag/<tag-key>	-	-
-	obs:EpochTime obs:SourceIp obs:TlsVersion obs:CustomDomain

Action

Access Level

Resource Type (*: Required)

Condition Key

Alias

Dependencies

obs:bucket:putBucketLogging

Write

bucket *

obs:EpochTime
obs:SourceIp
obs:TlsVersion
obs:CustomDomain

If you use bucket policies for authorization, you need to grant the obs:bucket:PutBucketLogging permission. For details, see Creating a Custom Bucket Policy.

Request Syntax

The following is an example request. Replace BucketName with your bucket name and RegionID with the ID of the region where your bucket resides. You can obtain the region ID by referring to Supported Regions.

     PUT /?logging HTTP/1.1 
Host: BucketName.obs.RegionID.myhuaweicloud.com 
Date: GMT Date
Authorization: SignatureValue
<?xml version="1.0" encoding="UTF-8"?>
<BucketLoggingStatus>
  <Agency>agency-name</Agency>
  <LoggingEnabled>
    <TargetBucket>mybucketlogs</TargetBucket>
    <TargetPrefix>mybucket-access_log-/</TargetPrefix>
        <TargetGrants>
      <Grant>
        <Grantee>
          <ID>domainID</ID>
        </Grantee>
        <Permission>READ</Permission>
      </Grant>
    </TargetGrants>
  </LoggingEnabled>
</BucketLoggingStatus>
 
 
  

Description of the OBS request structure

An OBS request consists of the request method, request URI, request headers, and request body. The following figure shows an example of a request for creating a bucket. The bucket name is configured in the Host header, and the signature information is configured in the Authorization header. For details about how to calculate the signature, see Using an Authorization Header. For more information, see Constructing a Request.

URI Parameters

This request contains no message parameters.

Request Headers

This request uses common headers. For details, see Table 3.

Request Body

**Table 1** Request body parameters
Element	Description	Mandatory
BucketLoggingStatus	Container for logging status information If BucketLoggingStatus is empty, bucket logging is disabled. Type: container	Yes
Agency	Name of the IAM agency created by the owner of the target bucket on IAM. Type: string	Yes only when you need to enable the logging function
LoggingEnabled	Container for logging information. Present this element when enabling the logging function. Otherwise, absent it. You can add specific logging information in this element. Type: container	Yes only when you need to enable the logging function
Grant	Container for the grantee and the grantee's logging permissions. It describes who has the permission to access the generated log files. Type: container	No
Grantee	Container for the user that is granted the logging permission. Type: container	No
ID	Account ID of the authorized user, which is globally unique. Type: string	No
Permission	Permissions of the grantee to the generated logs. Type: string Value options: FULL_CONTROL, READ, WRITE	No
TargetBucket	When enabling the logging function, the owner of the bucket being logged can specify a target bucket to store the generated log files. Ensure that the bucket owner who configures the logging function has the FULL_CONTROL permission for the bucket that stores log files. Log files generated for multiple buckets can be stored in the same target bucket. If you do so, you need to specify different TargetPrefixes to classify logs for different buckets. Type: string	Yes only when you need to enable the logging function
TargetPrefix	You can specify a prefix using this element so that log files are named with this prefix. Type: string	Yes only when you need to enable the logging function
TargetGrants	Container for granting information. Type: container	No

Naming rules for access logs

     <TargetPrefix>YYYY-mm-DD-HH-MM-SS-<UniqueString>

<TargetPrefix> is the log name prefix specified by the user.
YYYY-mm-DD-HH-MM-SS indicates the date and time when the log is generated.
<UniqueString> indicates a character string generated by OBS.

The following is an example of a log object name:

     bucket-log2015-06-29-12-22-07-N7MXLAF1BDG7MPDV

bucket-log is the target prefix specified by the user.
2015-06-29-12-22-07 indicates the time when the log is generated.
N7MXLAF1BDG7MPDV is a string automatically generated by OBS.

Format of bucket access logs

The following shows an access log delivered to the target bucket:

     787f2f92b20943998a4fe2ab75eb09b8 bucket [13/Aug/2015:01:43:42 +0000] xx.xx.xx.xx 787f2f92b20943998a4fe2ab75eb09b8 281599BACAD9376ECE141B842B94535B  REST.GET.BUCKET.LOCATION - "GET /bucket?location HTTP/1.1" 200 - 211 - 6 6 "-"  "HttpClient" - -

Each access log contains the following information:

**Table 2** Format of bucket access logs
Parameter	Example	Description
BucketOwner	787f2f92b20943998a4fe2ab75eb09b8	ID of the bucket owner
Bucket	bucket	Bucket name
Time	[13/Aug/2015:14:43:42 +0000]	Request timestamp in the [dd/MMM/yyyy:HH:mm:ss Z] format
Remote IP	xx.xx.xx.xx	Request IP address
Requester	787f2f92b20943998a4fe2ab75eb09b8	ID of the requester When an account initiates a request, this parameter value is the account ID. When an IAM user initiates a request, this parameter value is the ID of the account where the IAM user belongs. When an anonymous user initiates a request, this parameter value is Anonymous.
RequestID	281599BACAD9376ECE141B842B94535B	Request ID
Operation	REST.GET.BUCKET.LOCATION	Operation
Key	-	Object name
Request-URI	GET /bucket?location HTTP/1.1	Request URI
HTTPStatus	200	Return code
ErrorCode	-	Error code
BytesSent	211	Size of the HTTP response, expressed in bytes
ObjectSize	-	Object size
TotalTime	6	Processing time on the server Unit: ms
Turn-AroundTime	6	Total request processing time Unit: ms
Referer	-	Referer header of the request
User-Agent	HttpClient	User-Agent header of the request
VersionID	-	Version ID contained in a request
STSLogUrn	-	Federated authentication and agency information
StorageClass	STANDARD_IA	Current object storage class STANDARD: Standard storage STANDARD_IA (also WARM): Infrequent Access storage class COLD: Archive storage class DEEP_ARCHIVE: Deep Archive storage class
TargetStorageClass	GLACIER	Storage class that the object will be transitioned to
DentryName	12456%2Ffile.txt	For a parallel file system, this field represents an internal identifier of a file or directory. Its value consists of a parent directory's inode number and a file or directory name and is displayed in the URL-encoded format. For a bucket, the value of this field is -.
IAMUserId	8f3b8c53d29244a780084f2b8c106c32	ID of an IAM user. When a request is initiated by an anonymous user, Anonymous is logged.
AccessKeyID	UDSIAMSTUBTEST002852	Access key ID of the requester. This example value represents an anonymous request.

Response Syntax

     HTTP/1.1 status_code
Date: date
Content-Length: length

Description of the OBS response structure

An OBS response consists of a response status code, response headers, and the response body. The following figure shows an example of a response for obtaining the bucket's ACL configuration.

Response Headers

This response uses common headers. For details, see Table 1.

Response Body

The response of this API does not contain a response body.

Error Responses

No special error responses are returned. For details about error responses, see Table 2.

Sample Request

     PUT /?logging HTTP/1.1
User-Agent: curl/7.29.0
Host: examplebucket.obs.region.myhuaweicloud.com
Accept: */*
Date: WED, 01 Jul 2015 02:40:06 GMT
Authorization: OBS H4IPJX0TQTHTHEBQQCEC:mCOjER/L4ZZUY9qr6AOnkEiwvVk=
Content-Length: 528

<?xml version="1.0" encoding="UTF-8"?>
<BucketLoggingStatus>
  <Agency>agencyGrantPutLogging</Agency>
  <LoggingEnabled>
    <TargetBucket>log-bucket</TargetBucket>
    <TargetPrefix>mybucket-access_log-/</TargetPrefix>
    
    <TargetGrants>
      <Grant>
        <Grantee>
          <ID>783fc6652cf246c096ea836694f71855</ID>
        </Grantee>
        <Permission>READ</Permission>
      </Grant>
    </TargetGrants>
  </LoggingEnabled>
</BucketLoggingStatus>
 
 
  

Sample Response

     HTTP/1.1 200 OK
Server: OBS
x-obs-request-id: BF26000001643663CE53B6AF31C619FD
x-obs-id-2: 32AAAQAAEAABSAAkpAIAABAAAQAAEAABCT9CjuOx8cETSRbqkm35s1dL/tLhRNdZ
Date: WED, 01 Jul 2015 02:40:06 GMT
Content-Length: 0
 
 
  

Sample Request: Disabling Bucket Log Dump

PUT /?logging HTTP/1.1
Authorization: OBS H4IPJX0TQTHTHEBQQCEC:iqSPeUBl66PwXDApxjRKk6hlcN4=
User-Agent: curl/7.29.0
Host: examplebucket.obs.region.myhuaweicloud.com
Date: WED, 01 Jul 2015 02:37:22 GMT
Content-Type: application/xml
 
<BucketLoggingStatus>
</BucketLoggingStatus>

Sample Response: Disabling Bucket Log Dump

x-obs-id-2: 32AAAQAAEAABSAAgAAEAABAAAQAAEAABCSalxuWjLa91ewuXRoIcCKZFjFgCrYn0
x-obs-request-id: 0000018A2BC32FB6D2C62C9689DD14B3
Server: OBS
Content-Length: 0
Date: WED, 01 Jul 2015 02:37:22 GMT

Using SDKs to Call APIs

You are advised to use OBS SDKs to call APIs. SDKs encapsulate APIs to simplify development. You can call SDK API functions to access OBS without manually calculating signatures.

References

To use obsutil to configure logging for a bucket, see Log Files.
For more information about bucket logging, see Configuring Logging for a Bucket.
For details about the billing items involved in API operations, see Billing Items.

Parent Topic: Bucket Logging

Previous topic: Bucket Logging

Next topic: Obtaining the Bucket Logging Configuration

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

For any further questions, feel free to contact us through the chatbot.

Chatbot