When a bucket is accessed, OBS records request logs related to bucket operations. After logging is enabled for a bucket, OBS stores logs in the logged bucket or another bucket that belongs to the same account and region as the logged bucket. You can search and analyze logs to trace and locate abnormal events. This section describes how to configure logging, verify the logging configuration, and disable logging for a bucket.
Configuring Logging for a Bucket
You can use OBS Console, APIs, or SDKs to configure logging for a bucket.
Using OBS Console
- In the navigation pane of OBS Console, choose Object Storage.
- In the bucket list, click the bucket you want to operate. The Objects page is displayed.
- In the navigation pane, choose Overview.
- In the Basic Configurations area, click Logging. The Logging dialog box is displayed.
- Select Enable. For details, see Figure 1.
Figure 1 Logging

- Configure parameters.
Table 1 Parameters for configuring logging for the bucket
Parameter |
Description |
Save Logs To |
Specifies the target bucket for storing log files of the source bucket.
You can select the source bucket or another bucket as the log storage bucket. However, the log storage bucket must belong to the same account and region as the source bucket.
Log delivery users of the selected bucket will be automatically granted the permissions to read the bucket ACL and write logs to the bucket. |
Log File Name Prefix |
Specifies the prefix of the log file name.
After logging is enabled, generated log files are named in the following format:
<Log File Name Prefix>YYYY-mm-DD-HH-MM-SS-<UniqueString>
- <Log File Name Prefix> is the prefix of the log file name, which is the parameter to be set here.
- If <Log File Name Prefix> ends with a slash (/), the log files generated for the bucket are stored in the folder named <Log File Name Prefix> in the target bucket. The log file name is YYYY-mm-DD-HH-MM-SS-<UniqueString>. For example, 2025-06-03-07-18-11-WKK0T9O74VAWMHB7.
- If <Log File Name Prefix> does not end with a slash (/), the log files generated for the bucket are stored in the root directory of the target bucket. The log file name is <Log File Name Prefix>YYYY-mm-DD-HH-MM-SS-<UniqueString>. For example, example-bucket-a-log2025-06-03-07-18-11-WKK0T9O74VAWMHB7.
- YYYY-mm-DD-HH-MM-SS indicates when the log is generated.
- <UniqueString> indicates a character string generated by OBS.
|
IAM Agency |
To upload log files to the log storage bucket, OBS must be granted required permissions.
- By default, you only need to grant the agency the upload permission (obs:object:PutObject) for the log storage bucket.
- If the log storage bucket has Server-Side Encryption enabled, the agency also requires the KMS Administrator permission for the region where the bucket is located.
You can choose an existing IAM agency from the drop-down list or click Create Agency to create one.
To create an agency, see Creating an Agency for Uploading Logs. |
- Click OK.
After logging is configured, you can view operation logs in the bucket that stores the logs in approximately fifteen minutes.
Verifying the Logging Configuration of a Bucket
After configuring logging for a bucket, you can use OBS Console, APIs, SDKs, or obsutil to verify the logging configuration of the bucket. You can check whether log files are generated and whether they can be accessed.
Using OBS Console
- In the navigation pane of OBS Console, choose Object Storage.
- In the bucket list, click the log storage bucket. The Objects page is displayed.
- Check whether log files exist.
Check whether log files exist or whether the folder for storing log files exists in the object list based on the configured log file name prefix and log file naming rules.
Figure 2 Viewing the log folder or log files
- Check whether the log files can be accessed.
- In the object list or in the log folder, click the name of a log file. The Basic Information page is displayed.
- Click
next to the link to copy the link of the log file.
- Paste the link to a browser and access the link.
Using SDKs
- Check whether log files exist.
Use the following SDKs to list all objects in the bucket, and then check whether log files exist in the listed objects based on the log file name prefix and log file naming rules.
- Download log files.
Use the following SDKs to download log files.
Using the CLI Tool - obsutil
- Check whether log files exist.
List all objects in the bucket by referring to Listing Objects, and then check whether log files exist in the listed objects based on the log file name prefix and log file naming rules.
- Download log files.
Download log files by referring to Downloading an Object.
Disabling Logging for a Bucket
Uploading bucket logs to and storing them in the log storage bucket will incur PUT request and storage costs. If you no longer need to record logs, disable logging for the bucket. After logging is disabled, logs are not recorded, but existing logs in the log storage bucket will be retained.
You can use OBS Console to disable logging for a bucket.
Using OBS Console
- In the navigation pane of OBS Console, choose Object Storage.
- In the bucket list, click the bucket you want to operate. The Objects page is displayed.
- In the navigation pane, choose Overview.
- In the Basic Configurations area, click Logging. The Logging dialog box is displayed.
- Select Disable and then click OK.
References
Creating an Agency for Uploading Logs
- In the Logging dialog box, click Create Agency to jump to the Agencies page on the Identity and Access Management console.
- Click Create Agency. On the displayed page, set the parameters related to the agency for uploading logs and retain the default values for other parameters.
Table 2 Parameters
Parameter |
Description |
Agency Name |
Name of the agency to be created
The agency name cannot be left blank. |
Agency Type |
You can grant permissions to another account or cloud service for managing resources in your account.
Select Cloud service for Agency Type. |
Cloud Service |
You can grant permissions to a cloud service for managing resources in your account. This parameter is mandatory when Agency Type is set to Cloud service.
Select Object Storage Service (OBS) for Cloud Service. |
- Click OK. In the Agency Created dialog box that is displayed, click Cancel. If the newly created agency is displayed in the agency list, the agency is created successfully.
- Create a custom policy to grant OBS permissions to the agency. If a policy that meets the requirements already exists, skip this step.
- In the navigation pane of the IAM console, choose Permissions > Policies/Roles.
- On the Policies/Roles page, click Create Custom Policy in the upper right corner.
- On the Create Custom Policy page, set the parameters as follows and retain the default values for other parameters.
Figure 3 Configuring a custom policy
- Policy Name: Enter a name that is easy to remember.
- Select service: Select Object Storage Service (OBS).
- Actions: Select obs:object:PutObject.
- Resources: Select Specific.
object: Select Specify resource path. The resource path format is OBS:*:*:object:Bucket name/Object name.
Replace Bucket name with the name of the log storage bucket. For example, OBS:*:*:object:piccomp/* indicates all objects in the log storage bucket piccomp.
- Click OK. If the created custom policy is displayed in the policy list, the policy is created successfully.
- Grant OBS permissions to the created agency.
- In the navigation pane of the IAM console, choose Agencies.
- Click Authorize in the Operation column of the agency created in 2.
- On the Select Policy/Role page, select the custom policy created in 4 and click Next.
- On the Select Scope page, select All resources and click OK.
- In the Information dialog box that is displayed, click OK.
- On the Finish page, click Finish.
- (Optional) If the log storage bucket has server-side encryption enabled, the agency also requires the KMS Administrator permission for the region where the bucket is located.
- In the navigation pane of the IAM console, choose Agencies.
- Click Authorize in the Operation column of the agency created in 2.
- On the Select Policy/Role page, search for and select KMS Administrator. Then, click Next.
- Select Region-specific projects for Scope, and select the project in the region where the log bucket resides.
- Click OK.