Delivery of Server Access Logs

Important

This section describes Beta functionality that is subject to change in future releases. Please provide feedback on this functionality in the Amazon S3 Developer Forum.

Server access logs are written to the bucket of your choice, which can be the bucket from which the logs originate or a different bucket. If you choose a different bucket, it must have the same owner as the source bucket. Otherwise, no logs will be delivered.

Note

The source and the target buckets must be in the same location. For more information about bucket location constraints, see Location Selection.

When a log file is delivered to the target bucket, it is stored under a key in the following format.

    TargetPrefixYYYY-mm-DD-HH-MM-SS-UniqueString
    

In the key, YYYY, mm, DD, HH, MM and SS are the digits of the year, month, day, hour, minute, and seconds (respectively) when the log file was delivered.

A log file delivered at time 't' can contain records written at any point before time 't'. There is no way to know whether all log records for a certain time interval have been delivered or not.

The TargetPrefix component of the key is a string provided by the bucket owner using the logging configuration API. For more information, see Server Access Logging Configuration API.

The UniqueString component of the key carries no meaning and should be ignored by log processing software.

The system does not delete old log files. If you do not want server logs to accumulate, you must delete them yourself. To do so, use the List operation with the prefix parameter to locate old logs to delete. For more information, see Listing Keys.
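The key format and the clean-up step described above can be handled as follows. This is an added example, not code from the Amazon S3 documentation. The `PREFIX` value and the sample keys are constructed, and the function names are hypothetical. It parses the delivery time from each key, ignores UniqueString, and separates files old enough to delete from files that must still be read when looking for records from a given time onward.

```python
import re
from datetime import datetime

STAMP = re.compile(r"\d{4}(?:-\d{2}){5}")  # YYYY-mm-DD-HH-MM-SS
STAMP_LEN = 19

def delivery_time(key, target_prefix):
    """Delivery time encoded in a log key, or None if the key is not a
    log file written under target_prefix."""
    if not key.startswith(target_prefix):
        return None
    rest = key[len(target_prefix):]
    # Expect "<stamp>-<UniqueString>"; UniqueString carries no meaning.
    if len(rest) <= STAMP_LEN + 1 or rest[STAMP_LEN] != "-":
        return None
    stamp = rest[:STAMP_LEN]
    if not STAMP.fullmatch(stamp):
        return None
    try:
        return datetime.strptime(stamp, "%Y-%m-%d-%H-%M-%S")
    except ValueError:  # digits in the right shape but not a real date
        return None

def expired(keys, target_prefix, cutoff):
    """Log files delivered before cutoff: candidates for deletion.
    cutoff must use the same clock as the delivery timestamps."""
    times = ((k, delivery_time(k, target_prefix)) for k in keys)
    return [k for k, t in times if t is not None and t < cutoff]

def may_cover(keys, target_prefix, window_start):
    """Log files that can hold records from window_start onward. A file
    delivered at t holds records from any time before t, so every file
    delivered at or after window_start has to be read."""
    times = ((k, delivery_time(k, target_prefix)) for k in keys)
    return [k for k, t in times if t is not None and t >= window_start]

# Constructed sample: keys a List call with prefix=PREFIX might return.
PREFIX = "logs/access-"  # hypothetical TargetPrefix
KEYS = [
    "logs/access-2006-02-15-18-02-41-A1B2C3D4E5F60718",
    "logs/access-2006-02-16-09-30-00-0F0E0D0C0B0A0908",
    "logs/access-2006-03-01-00-00-05-1122334455667788",
    "logs/access-notes.txt",                 # shares the prefix, not a log
    "logs/access-2006-13-40-18-02-41-FFFF",  # stamp-shaped, invalid date
]

if __name__ == "__main__":
    print(expired(KEYS, PREFIX, datetime(2006, 2, 16)))
```

Because the prefix parameter of List matches any key that begins with the prefix, objects that are not log files can appear in the listing; the parser returns `None` for them so they are never selected for deletion.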

Log files will be written to the target bucket under the identity of a member of the http://acs.amazonaws.com/groups/s3/LogDelivery group. These writes are subject to the usual access control restrictions. Therefore, logs will not be delivered unless the access control policy of the target bucket grants the log delivery group WRITE access. To ensure log files are delivered correctly, the log delivery group must also have READ_ACP permission on the target bucket. For more information about access control lists and groups, see Authentication and Access Control. For more information about correctly configuring your target bucket's access control policy, see Setting Up Server Access Logging.

Log files created in the target bucket have an access control list entry that consists of a FULL_CONTROL grant to the bucket owner and grants to any users specified through the TargetGrants element.

The server access logging feature is designed to work on a best-effort basis. You can expect that most requests against a bucket that is properly configured for logging will result in a delivered log record, and that most log records will be delivered within a few hours of the time that they were recorded.

However, because the server logging feature is offered on a best-effort basis, the completeness and timeliness of server logging are not guaranteed. The log record for a particular request might be delivered long after the request was actually processed, or it might not be delivered at all. The purpose of server logs is to give the bucket owner an idea of the nature of traffic against his or her bucket. They are not meant to be a complete accounting of all requests.

It follows from the best-effort nature of the server logging feature that the usage reports available at the AWS portal might include usage that does not correspond to any request in a delivered server log.