Monitor your GitLab Dedicated instance
GitLab delivers application logs to an Amazon S3 bucket in the GitLab tenant account, which can be shared with you.
Logs stored in the S3 bucket are retained indefinitely, until the one year retention policy is fully enforced. GitLab team members can view more information in confidential issue 483.
Request access to application logs
To gain read only access to the S3 bucket with your application logs:
- Open a support ticket with the title
Customer Log Access. -
In the body of the ticket, include a list of IAM Principal Amazon Resource Names (ARNs) that require access to the logs from the S3 bucket. The ARNs can be for users or roles.
Specify the full ARN path without wildcards (*). Wildcard characters are not supported. GitLab team members can read more about the proposed feature to add wildcard support in this confidential issue: 7010.
GitLab provides the name of the S3 bucket. Your authorized users or roles can then access all objects in the bucket. To verify access, you can use the AWS CLI.
S3 bucket contents and structure
The Amazon S3 bucket contains a combination of infrastructure logs and application logs from the GitLab log system.
The logs in the bucket are encrypted using an AWS KMS key managed by GitLab. If you choose to enable BYOK, the application logs are not encrypted with the key you provide.
The logs in the S3 bucket are organized by date in YYYY/MM/DD/HH format. For example, a directory named 2023/10/12/13 contains logs from October 12, 2023 at 13:00 UTC. The logs are streamed into the bucket with Amazon Kinesis Data Firehose.