Accessing your logs using an external Amazon S3 bucket

As a Pega Cloud Services client, you can stream your log files directly to an Amazon S3 bucket within your enterprise Amazon Web Services account. Streaming logs directly to your Amazon S3 bucket gives you the flexibility and control of immediate access to your log files without relying on third-party integrations or Pega-provided services. Log streaming gives you continual access to your Pega Platform logs in any of your Pega Cloud environments.

Before you can begin streaming log files to your Amazon S3 bucket, you must create your S3 bucket and collect the necessary artifact information, as follows:
  • Set up an Amazon S3 bucket as your log streaming destination.

    For more information about creating S3 buckets, see the AWS documentation Creating, configuring, and working with Amazon S3 buckets.

  • Determine the encryption format in which the service delivers logs to your repository. Supported formats include:
    • GZIP
    • HADOOP_SNAPPY
    • Snappy
    • ZIP
    • Uncompressed
  • Determine the type of customer master key (CMK) encryption that you want to use.

    For more information about CMK encryption, see the AWS documentation (AWS KMS) Customer master keys (CMKs).

  • Obtain the Amazon Resource Names (ARNs) of the following artifacts that you must provide to Pega Cloud Services:
    • Your Amazon S3 customer master key (CMK) ARN

      For example, arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

      For more information, see the AWS article Finding the key ID and ARN.

    • Your Amazon S3 bucket name ARN

      For example, arn:aws:s3:::bucket-name

      For more information, see the AWS article Amazon Resource Names.

  1. Make a request to stream logs to your Amazon S3 bucket by clicking the New Request tab in My Support Portal.

  2. Provide your Amazon S3 bucket name, CMK key, and the encryption format in which you want your log files to be sent to your S3 bucket. Choose one of the following methods:

    Transferring secure files by Box
    1. Log in to your My Support Portal account.
    2. In the header of My Support Portal, click New request > For something I need.

    3. In the Details section of the request, request a file transfer using Box.
    4. Continue through the form, then click Finish.

      The Pega Support team sends you a Box link.

    5. Upload a text file that contains the bucket name, CMK key, and the encryption format for your log files to the Box folder.

    Archiving your Amazon S3 log streaming information with a password

    1. Log in to your My Support Portal account.
    2. In the header of My Support Portal, click New request > For something I need.
    3. In the Details section of the request, click Add attachments and attach a password-protected compressed archive of a text file that contains the bucket name, CMK key, and the encryption format in which you want your log files to be sent.
    4. Continue through the form, then click Finish to send the archive file with your service request.
    5. Contact the Pega Support team by email or by phone, and tell them the password.

    Allowing Pegasystems Inc. to download the file from your personal SFTP server

    1. Log in to your My Support Portal account.
    2. In the header of My Support Portal, click New request > For something I need.
    3. Upload a text file that contains the bucket name, CMK key, and the encryption format that you want your log files to be sent in to your personal Secure File Transfer Protocol (SFTP) server.

      For more information about SFTP, see Pega Cloud SFTP service.

    4. Contact the Pega Support team by email or by calling and give them the credentials for the SFTP server.

    After the Pega Cloud Services team receives your request and your Amazon S3 bucket details, Pega Cloud Services replies to the request with two Amazon Resource Names (ARNs) that define the IAM policies that you require to stream logs to your Amazon S3 bucket, in the following formats:

    • <client>-delivery-stream-role ARN: Grants the streaming service access to your Amazon S3 bucket
    • PEGA_CFN_ROLE_ARN: Declares the resource for the log streaming service

  3. Sign in to your Amazon S3 console.

  4. Select the bucket to which you want to add the Amazon S3 log streaming service.

  5. Click Permissions, then enter the <client>-delivery-stream-role ARN in the bucket policy editor.

    For example:

        {
          "Sid": "StmtID",
          "Effect": "Allow",
          "Principal": {
            "AWS": "<client>-delivery-stream-role ARN"
          },
          "Action": [
            "s3:AbortMultipartUpload",
            "s3:GetBucketLocation",
            "s3:GetObject",
            "s3:ListBucket",
            "s3:ListBucketMultipartUploads",
            "s3:PutObject",
            "s3:PutObjectAcl"
          ],
          "Resource": [
            "arn:aws:s3:::customer-S3-bucket",
            "arn:aws:s3:::customer-S3-bucket/*"
          ]
        }

  6. Click Save changes.

    For more information about adding a policy to your Amazon S3 bucket, see the AWS documentation Adding a bucket policy using the Amazon S3 console.

  7. Sign in to your AWS KMS console.

  8. In the navigation pane, click Customer managed keys.

  9. Select the S3 CMK.

  10. Select the Key policy tab, and in the key policy editor add the PEGA_CFN_ROLE_ARN and <client>-delivery-stream-role ARNs.

    For example:

        {
          "Sid": "Enable Initial Create Grant",
          "Effect": "Allow",
          "Principal": {
            "AWS": "<PEGA_CFN_ROLE ARN>"
          },
          "Action": "kms:CreateGrant",
          "Resource": "CMK-Key"
        },
        {
          "Sid": "Enable Firehose KMS Access",
          "Effect": "Allow",
          "Principal": {
            "AWS": "<<client>-delivery-stream-role ARN>"
          },
          "Action": [
            "kms:Encrypt",
            "kms:Decrypt",
            "kms:ReEncrypt*",
            "kms:GenerateDataKey*",
            "kms:DescribeKey",
            "kms:CreateGrant"
          ],
          "Resource": "CMK-Key"
        }

    For more information about adding a policy to your Amazon S3 bucket, see the AWS documentation Adding a bucket policy using the Amazon S3 console.

  11. Click Save changes.

Your logs immediately begin streaming, and you can now search for your Pega logs in your Amazon S3 bucket. For example, PegaCLUSTER and PegaRULESV1.
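
The bucket policy statement from step 5 can be generated and checked before you paste it into the policy editor. The following Python is an added example, not Pega or AWS code: it wraps the statement in a complete policy document and flags a principal that is not an IAM role ARN, actions outside the set listed on this page, and malformed resource ARNs. The role name, bucket name, and function names are assumptions made for illustration.

```python
import json
import re

# Actions granted by the statement in step 5 of this page.
PAGE_S3_ACTIONS = {
    "s3:AbortMultipartUpload", "s3:GetBucketLocation", "s3:GetObject",
    "s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:PutObject",
    "s3:PutObjectAcl",
}
ROLE_ARN = re.compile(r"^arn:aws[\w-]*:iam::\d{12}:role/[\w+=,.@/-]+$")
S3_ARN = re.compile(r"^arn:aws[\w-]*:s3:::[\w.-]{3,255}(/\*)?$")

def as_list(value):
    """IAM accepts a string or a list in these fields; normalize to a list."""
    return value if isinstance(value, list) else [value]

def build_bucket_policy(role_arn, bucket):
    """Wrap the page's statement in a complete bucket policy document."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "StmtID",
        "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": sorted(PAGE_S3_ACTIONS),
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
    }]}

def lint_bucket_policy(policy):
    """Return findings; an empty list means every check passed."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        arns = principal.get("AWS") if isinstance(principal, dict) else principal
        for arn in as_list(arns):
            if not isinstance(arn, str) or not ROLE_ARN.match(arn):
                findings.append(f"{sid}: principal is not an IAM role ARN: {arn!r}")
        for action in as_list(stmt.get("Action", [])):
            if action not in PAGE_S3_ACTIONS:
                findings.append(f"{sid}: action outside the documented set: {action}")
        for res in as_list(stmt.get("Resource", [])):
            if not isinstance(res, str) or not S3_ARN.match(res):
                findings.append(f"{sid}: malformed S3 resource ARN: {res!r}")
    return findings

if __name__ == "__main__":
    # Constructed sample values; substitute the role ARN Pega sends you.
    role = "arn:aws:iam::111122223333:role/example-delivery-stream-role"
    policy = build_bucket_policy(role, "example-pega-logs")
    print(json.dumps(policy, indent=2))
    print(lint_bucket_policy(policy) or "no findings")
```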