S3STAT

Self-Managed Setup has been Deprecated

We strongly recommend you use our Secure Setup Tool instead:


Learn More about the Secure Setup tool



Self-Managed Mode

Need help setting this up?

Our friends at Cloudberry Lab have integrated S3STAT Self-Managed logging into Cloudberry Explorer.

It's a great tool for managing your S3 and Cloudfront distributions, and now it will help you set up your buckets to play nice with S3STAT!


It is possible to set up your own S3 Buckets in such a way that we can process them for you without needing your AWS credentials. It's a lot of effort, and not for the feint of heart, but it's certainly doable.

In a nutshell, you'll need to set up Server Access Logging manually, with a Logging Instruction that will send logfiles to a location in your bucket that matches our way of doing things, along with a Grant to give us READ permission for the generated files. You'll also need to give us FULL_CONTROL over the bucket in question.

Simple eh? Not really. Here are some more detailed instructions for how to pull this off.




Note:

At the moment, there in no way to configure Cloudfront distributions in self-managed mode.

Cloudfront doesn't yet allow you to change the ACL for delivered logfiles, which means we can't read them unless we have your AWS credentials.

Never fear, though. We're working with the Cloudfront team to make this possible.


Permissions

You'll need to modify the ACL for the bucket in question to include the grants that Amazon will need to deliver logfiles to the bucket, as well as a grant that allows us to read and write the files we'll need to generate your reports.

If you're editing the XML for the ACL directly, here is what those Grants will look like (Grants needed for log delivery are in blue, while the Grant needed for S3STAT is in green:

<?xml version="1.0" encoding="UTF-8"?>
<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <AccessControlList>
        <Grant>
            <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
                <URI>http://acs.amazonaws.com/groups/s3/LogDelivery</URI>
            </Grantee>
            <Permission>READ_ACP</Permission>
        </Grant>
        <Grant>
            <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
                <URI>http://acs.amazonaws.com/groups/s3/LogDelivery</URI>
            </Grantee>
            <Permission>WRITE</Permission>
        </Grant>
        <Grant>
            <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="AmazonCustomerByEmail">
                <EmailAddress>s3stat@s3stat.com</EmailAddress>
            </Grantee>
            <Permission>FULL_CONTROL</Permission>
        </Grant>
    </AccessControlList>
</AccessControlPolicy>

You can learn more about this piece by reading the section of Amazon's Server Access Logging Setup Tutorial titled "Preparing the Target Bucket". Keep in mind, though, that you'll also need to add that grant for s3stat@s3stat.com.

NOTE: Do not attempt to make any ACL changes with S3fox. It has a bug that mis-writes ACL changes in a way that effectively disables Server Access Logging. Read more about this bug here.

Logging Setup

Next, you'll need to set up Server Access Logging on the bucket to be logged. S3STAT requires that logs be delivered back to the bucket being logged, and prefixed with the string "log/access_log-".

If you simply copy & paste the logging XML below, substituting your own bucketname in the right place, you should be fine:

<?xml version="1.0" encoding="UTF-8"?>
<BucketLoggingStatus xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <LoggingEnabled>
        <TargetBucket>bucketname</TargetBucket>
        <TargetPrefix>log/access_log-</TargetPrefix>
        <TargetGrants>
            <Grant>
                <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="AmazonCustomerByEmail">
                    <EmailAddress>s3stat@s3stat.com</EmailAddress>
                </Grantee>
                <Permission>FULL_CONTROL</Permission>
            </Grant>
        </TargetGrants>
    </LoggingEnabled>
</BucketLoggingStatus>

You can learn more about this step by reading the section of Amazon's Server Access Logging Setup Tutorial titled "Enabling Server Access Logging on the Source Bucket".

S3STAT Setup

If you followed the steps above, then you should be good to go. Logs will start arriving in your bucket, and we will be able to read them.

At this point, you'll want to go ahead and sign up for S3stat if you haven't done so already. Once your account is up and running, you can go ahead and set up a self-managed bucket.

With luck, it should be self-explanatory from there!

Set up a Self-Managed Bucket



Disclaimer

I want to warn you one last time, in case you didn't notice it above: THIS IS HARD. It requires considerable effort, skill, and a bit of luck on your part to pull it off. There is every possibility that it simply won't work.

But here's the thing. The reason we can offer this service so cheaply is that our customers are generally pretty bright and don't need a lot of hand holding. For that reason, we cannot offer any help or support with self-managed accounts.

Chances are, nothing will go wrong, but if it does, you'll either need to figure it out on your own or fall back on our simple, painless, full-service way of doing things.

Thanks for your understanding, and Good luck!


© 2024 Expat Software Back to Top