Contents x
Bucket Access Logs
    • Print
    • Dark
      Light
    Contents

    Bucket Access Logs

      • Print
      • Dark
        Light
      Article summary

      Backblaze Bucket Access Logs contain detailed records about requests made on a bucket. Information such as the time and date of requests, request types, and specified resources can be included in these access logs. Bucket Access Logs are intended to help facilitate general data security and compliance requirements, as well as troubleshooting and monitoring.

      Enable Bucket Access Logs

      Bucket Access Logs are available to all paying customers. 

      Backblaze does not collect bucket access logs by default. To start collecting data on a bucket, you will need to enable access logging at the bucket level on the desired source bucket (the bucket for which you would like to monitor activity) and select a destination bucket to which Backblaze will deliver the logs.

      Destination Bucket for Bucket Access Logs 
      While it is possible to have logs delivered to the source bucket itself, every time a log is written to the source bucket, it will be logged as an event, resulting in an infinite log loop. For the sake of efficient log management, we recommend storing Bucket Access Logs in a separate bucket, referred to as a destination bucket. Please ensure that your destination bucket is in the same Backblaze account as your source bucket and uses the same region as your source bucket.

      You can use the Backblaze web console or S3-Compatible API to enable access logging on a bucket.

      Backblaze Web Console

      1. In the Backblaze web console, in the left navigation menu under B2 Cloud Storage, click Buckets and locate the bucket for which you would like to enable Bucket Access Logs.
      2. Click the Access Logs link to open the Bucket Access Logs configuration panel. 
      3. In the Access Logs panel, toggle Access Logging to Enabled
      4. Next, configure a Log File Destination bucket. This destination bucket will be the storage location for the source bucket’s access logs. Select the destination bucket from the dropdown menu. There is also an option to add a prefix to store the Bucket Access Logs in a specific folder in the destination bucket.
        The following are requirements for assigning a destination bucket to receive Bucket Access Logs:

        • Destination bucket must be a B2 Cloud Storage bucket.
        • Destination bucket and source bucket must be in the same account.
        • Destination bucket cannot have Object Lock enabled.
      5. (OptionaI) It is possible to select between two different log object key formats and date sources, depending on your needs. For more information on log object key formats, see below
      6. When you are finished with the configuration, click Update Bucket.

      S3-Compatible API

      Two S3-Compatible API operations are available for configuring and retrieving information on Bucket Access Logs:

      Please ensure that the application key used in your requests includes writeBucketLogging and readBucketLogging capabilities.

      Disable Bucket Access Logs

      You can use the Backblaze web console or S3-Compatible API to disable access logging on a bucket.

      Backblaze Web Console

      1. In the Backblaze web console, in the left navigation menu under B2 Cloud Storage, click Buckets and locate the bucket for which you would like to enable Bucket Access Logs.
      2. Click the Access Logs link to open the Bucket Access Logs configuration panel. 
      3. In the Access Logs panel, toggle Access Logging to Disabled
      4. Finally, click Update Bucket to save the changes.

      S3-Compatible API

      To disable logging, call the S3 Put Bucket Logging operation and use an empty BucketLoggingStatus in the request. For more information, please refer to the API documentation.

      Log Format

      Backblaze Bucket Access Logs consist of space-delimited fields, with each log record representing one request.

      Example Bucket Access Log: 

      5390fcd32749 test-bucket
[17/Apr/2025:22:47:56 +0000] 127.0.0.0 identity:applicationKey:1005390fcd337490000000086
ccad706cf1cb02c6 REST.S3_GET_OBJECT test.html
"GET /test.html?versionId=4_z85b369305f6c6d1393470419_f4178bc399f591e62_d20250113_m202432_c100_v0009990_t0001_u01736799872973
HTTP/1.1" 200 - - 71 43 43 "-"
"PostmanRuntime/7.43.3" - - SigV4 TLS_AES_256_GCM_SHA384 AuthHeader s3.us-east-005.backblazeb2.com TLSv1.3 - -

      Log Record Fields

      Backblaze Bucket Access Logs follow the AWS Bucket Access Log format, with the exception of the Access Point ARN and aclRequired fields. These two fields have empty default values because Amazon Resource Names (ARN) and access control lists (ACL) are not supported.

      This table describes the log record fields:

      Field NameDescriptionExample
      Bucket OwnerThe Backblaze account that owns the source bucket.5390fcd32749
      BucketThe name of the bucket that received the action or request.test-bucket
      TimeThe time at which the request was received in Coordinated Universal Time (UTC).[17/Apr/2025:22:47:56 +0000]
      Remote IPThe IP address of the requester.127.0.0.0
      IdentityThe Identity of the requester, or a - for unauthenticated requests. See the Identity Field Types for more information.identity:applicationKey:1005390fcd337490000000086
      Request IDA string generated by Backblaze to uniquely identify each request.ccad706cf1cb02c6
      OperationThe operation listed here is declared as REST.HTTP_method.resource_typeB2_API.resource, or BATCH.DELETE.OBJECT, or B2_LIFECYCLE.action.resource_type for Lifecycle actions.REST.GET.OBJECT
      KeyThe key (object name) part of the request.test.html
      Request-URI

          

      The Request-URI part of the HTTP request message.

      "GET /test.html?versionId=4_z85b369305f6c6d1393470419_f4178bc399f591e62_d20250113_m202432_c100_v0009990_t0001_u01736799872973

      HTTP/1.1"

      HTTP statusHTTP status code of response.200
      Error CodeError response code.NoSuchBucket
      Bytes SentNumber of bytes sent, excluding HTTP protocol overhead, - if zero.2772891
      Object SizeSize of object, - if zero.3462992
      Total TimeThe number of milliseconds that the request was in flight from the server's perspective. This value is measured from the time that your request is received to the time that the last byte of the response is sent.45
      Turn-Around TimeThe number of milliseconds that Backblaze spent processing your request. This value is measured from the time that the last byte of your request was received until the time that the first byte of the response was sent.5
      RefererHTTP Referer header, if present.
      User-AgentHTPP User-Agent header.“curl/7.15.1”
      Version IdVersion ID in the request or of the file in question for B2 requests.4_z85b369305f6c6d1393470419_f4178bc399f591e62_d20250113_m202432_c100_v0009990_t0001_u01736799872973
      Host IdThe x-amz-id-2 or Backblaze extended request ID.s9lzHYrFp76ZVxRcpX9+5cjAnEH2ROuNkd2BHfIa6UkFVdtjf5mKR3/eTPFvsiP/XV/VLi31234=
      Signature VersionThe signature version used to authenticate the S3 requests. - for B2 requests.SigV4
      Cipher SuiteThe Transport Layer Security (TLS) cipher for the request.ECDHE-RSA-AES128-GCM-SHA256
      Authentication TypeThe type of request authentication used: AuthHeader for authentication headers, QueryString for query string, or a - for unauthenticated requests.AuthHeader
      Host HeaderThe endpoint used to connect to Backblaze.s3.us-west-2.backblaze.com
      TLS versionThe Transport Layer Security (TLS) version negotiated by the client.TLSv1.1, TLSv1.2, TLSv1.3, or - if TLS wasn't used.
      Access Point ARNBackblaze does not support this field so this value will be empty by default.
      aclRequiredBackblaze does not support this field so this value will be empty by default.

      Identity Field Types

      In addition to detailed records about requests made on a bucket, Bucket Access Logs also include identity fields that indicate the entity responsible for the action. For example, identity fields can provide information about the specific account that triggered a replication request or which internal Backblaze service is responsible for an action.

      Every identity string in a log has the identity: prefix to denote that they are values outside of the context of the log line from which they came.  Please see the table below for a complete list of identity fields.

      The following table describes the identity field types that may appear in your Bucket Access Logs:

      Field NameDescription
      identity:account:<accountId>The accountId associated with the account responsible for the action.
      identity:applicationKey:<applicationKeyId>The applicationKeyId associated with the application key that performed the action.
      identity:computer:<accountId>:<id>The accountId and unique identifier for the computer associated with the action.
      identity:systemAny internal Backblaze service responsible for an action.
      identity:admin:<id>An action performed by a Backblaze employee on an account, for example account suspension or implementing rate limits.
      identity:oauth:<provider>Identifies OAuth sessions that Backblaze opens with external OAuth providers if configured.
      identity:orguser:<userName>Users who are managed by their organization via Backblaze enterprise organization user management.
      identity:replication:<accountId>The accountId associated with the account that triggered a replication feature.
      IP addresses and other internal details relating to Backblaze system-triggered actions, such as an object deletion via a lifecycle rule, will be redacted in certain log entries.

      Log Object Key Format

      In order to support AWS S3-compatibility, Bucket Access Logs follow the AWS S3 naming pattern for object log names. 

      Example Log File Name: 

      prefix/0883dc05e9a6/us-west-100/example-log-name/2025/03/27/2025-03-27-15-12-52-[UniqueString]

      Bucket Access Logs can have two different log object key formats: 

      • Non-date-based partitioning – This is the default log object key format:
        [DestinationPrefix][YYYY]-[MM]-[DD]-[hh]-[mm]-[ss]-[UniqueString]
      • Date-based partitioning – If you choose date-based partitioning, you can choose the event time or delivery time for the log file as the date source used in the log format. This format makes it easier to query the logs:[DestinationPrefix]/[SourceAccountId]/[SourceRegion]/[SourceBucket]/[YYYY]/[MM]/[DD]/[YYYY]-[MM]-[DD]-[hh]-[mm]-[ss]-[UniqueString]

      Log Delivery

      Bucket Access Logs will be delivered to your destination bucket on a best-effort basis. This means that, for most logs, you can expect delivery within a few hours of the log being first recorded. Please note that the time between a particular request on a bucket and when that request is recorded in the logs and delivered is not guaranteed. Additionally, logs may occasionally be incomplete and/or contain duplicate data. For this reason, we advise that Bucket Access Logs not be regarded as a complete accounting of all requests but instead, be used to indicate the nature of traffic to your bucket.

      Bucket Logging Status Changes
      Please note that changes made to the logging status of a bucket take time to take effect. For example, if you change your destination bucket from bucket A to bucket B, bucket A may continue to receive some logs for a short period. 
      Unsupported Actions

      Currently, actions related to the following will not be collected in Bucket Access Logs:


      Was this article helpful?
      What's Next