Ship logs to your S3 bucket


Itential provides log shipping capabilities to deliver your application logs directly to your AWS S3 bucket. This service automatically replicates logs from Itential's secure infrastructure to your designated storage location, giving you direct access to your application logs for analysis, monitoring, and compliance purposes.

How it works

Log shipping uses AWS S3 cross-account replication to securely transfer logs from Itential's source bucket to your destination bucket. This approach ensures:

  • Security: Logs are encrypted in transit and at rest
  • Reliability: Automatic replication with AWS's built-in durability
  • Performance: Direct S3-to-S3 transfer without intermediate processing
  • Cost efficiency: No additional compute resources required

Available log types

Web server logs

  • HTTP access logs from your Itential application
  • Request/response data and performance metrics
  • Available for all environments (dev, staging, production)

Prerequisites

To set up log shipping, you need:

  • An AWS account and destination AWS S3 bucket
  • An AWS Key Management Service (KMS) customer-managed key (if you use encryption)
  • Permissions to configure AWS Identity and Access Management (IAM) policies and AWS KMS permissions
  • Permissions to configure S3 bucket policies to allow Itential to send logs to S3

You don't need to create or configure any AWS Identity and Access Management (IAM) roles. The setup only requires updating resource policies on your S3 bucket and KMS key to trust Itential's role.

Set up log shipping

Step 1: Contact your Itential Customer Success Manager

Initial setup of Itential Cloud Log Shipping requires coordination with the Itential team to complete the configuration. Your Customer Success Manager (CSM) can coordinate this process for you. If you are not sure who to contact, you can email customersuccess@itential.com or open an Itential Support Desk ticket.

Step 2: Send S3 details to your Customer Success Manager

Provide the following information to Itential:

  • Destination bucket region: (for example, us-east-1)
  • Destination bucket account ID: Your AWS account ID
  • Destination bucket name: Your S3 bucket name
  • Destination bucket S3 bucket key (optional): if using AWS KMS encryption

Itential provides you the following information to add to your policies:

  • SOURCE_ACCOUNT_ID: Itential's AWS account ID
  • SOURCE_REPLICATION_ROLE: Itential's replication service role name

Step 3: Prepare destination bucket

Create or identify an S3 bucket in your AWS account where logs are delivered.

Important

Ensure your bucket has versioning enabled for replication to work properly.

aws s3api put-bucket-versioning \
  --bucket YOUR_BUCKET_NAME \
  --versioning-configuration Status=Enabled

Step 4: Configure S3 bucket policy

This policy grants Itential's replication service permission to write logs to your S3 bucket and manage versioning settings. The policy uses a specific IAM role to ensure only Itential's designated replication service can access your bucket.

Apply the following bucket policy to your destination S3 bucket. Replace ITENTIAL_ACCOUNT_ID and ITENTIAL_ROLE_ID with the SOURCE_ACCOUNT_ID and SOURCE_REPLICATION_ROLE values Itential provides, and CUSTOMER_BUCKET_NAME with your bucket name:

{
    "Version": "2012-10-17",
    "Id": "ItentialLogReplicationPolicy",
    "Statement": [
        {
            "Sid": "AllowItentialReplication",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::ITENTIAL_ACCOUNT_ID:role/service-role/ITENTIAL_ROLE_ID"
            },
            "Action": [
                "s3:ReplicateObject",
                "s3:ObjectOwnerOverrideToBucketOwner"
            ],
            "Resource": "arn:aws:s3:::CUSTOMER_BUCKET_NAME/*"
        },
        {
            "Sid": "AllowBucketOperations",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::ITENTIAL_ACCOUNT_ID:role/service-role/ITENTIAL_ROLE_ID"
            },
            "Action": [
                "s3:GetBucketVersioning",
                "s3:PutBucketVersioning"
            ],
            "Resource": "arn:aws:s3:::CUSTOMER_BUCKET_NAME"
        }
    ]
}

Step 5: Configure KMS key policy (optional)

This policy grants Itential's replication service permission to encrypt and decrypt logs using your customer-managed KMS key when writing to your bucket. The policy allows encryption operations and temporary grants for AWS service integrations only.

If your destination bucket uses KMS encryption, add the following statement to your KMS key policy. Replace ITENTIAL_ACCOUNT_ID and ITENTIAL_ROLE_ID with the SOURCE_ACCOUNT_ID and SOURCE_REPLICATION_ROLE values provided by Itential:

{
  "Sid": "Rep Allow use of the key",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::ITENTIAL_ACCOUNT_ID:role/service-role/ITENTIAL_ROLE_ID"
  },
  "Action": [
    "kms:Encrypt",
    "kms:GenerateDataKey"
  ],
  "Resource": "*"
}
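As an added preflight check (written for this page, not Itential's own tooling), the Python below lints the bucket policy from Step 4 and the KMS key statement from Step 5 against the SOURCE_ACCOUNT_ID and SOURCE_REPLICATION_ROLE values Itential gives you, reporting any action the replication role lacks and any statement that opens the bucket or key to a wildcard principal. The role ARN shape is taken from the snippets above; the account ID, role name and bucket name in the sample are constructed placeholders, and matching is exact (no IAM wildcard expansion).

```python
REPLICATION_ACTIONS = {"s3:ReplicateObject", "s3:ObjectOwnerOverrideToBucketOwner"}
VERSIONING_ACTIONS = {"s3:GetBucketVersioning", "s3:PutBucketVersioning"}
KMS_ACTIONS = {"kms:Encrypt", "kms:GenerateDataKey"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def granted_actions(doc, principal_arn, resource):
    """Actions granted to principal_arn on exactly `resource`, plus Sids of any wildcard-principal statement."""
    statements = _as_list(doc["Statement"]) if "Statement" in doc else [doc]  # doc may be a lone statement
    allowed, wildcard = set(), []
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        principals = _as_list(principal.get("AWS", []) if isinstance(principal, dict) else principal)
        if "*" in principals:
            wildcard.append(st.get("Sid", "<no Sid>"))
        if principal_arn in principals and resource in _as_list(st.get("Resource", [])):
            allowed.update(_as_list(st.get("Action", [])))
    return allowed, wildcard


def lint_log_shipping(bucket_policy, kms_statement, account_id, role_name, bucket):
    """Compare both documents with the values Itential supplies; an empty list means they line up."""
    role_arn = f"arn:aws:iam::{account_id}:role/service-role/{role_name}"  # ARN shape used in the doc's snippets
    bucket_arn = f"arn:aws:s3:::{bucket}"
    checks = [("bucket policy", bucket_policy, bucket_arn + "/*", REPLICATION_ACTIONS),
              ("bucket policy", bucket_policy, bucket_arn, VERSIONING_ACTIONS),
              ("KMS key policy", kms_statement, "*", KMS_ACTIONS)]
    findings = []
    for name, doc, resource, required in checks:
        allowed, wildcard = granted_actions(doc, role_arn, resource)
        findings += [f"{name}: {role_arn} lacks {a} on {resource}" for a in sorted(required - allowed)]
        findings += [f"{name}: statement {sid!r} grants a wildcard principal" for sid in wildcard]
    return list(dict.fromkeys(findings))  # the bucket policy is scanned twice; drop duplicate findings


def sample_documents(account_id, role_name, bucket):
    """Constructed samples: the doc's bucket policy and KMS statement with the placeholders filled in."""
    arn = f"arn:aws:iam::{account_id}:role/service-role/{role_name}"
    policy = {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowItentialReplication", "Effect": "Allow", "Principal": {"AWS": arn},
         "Action": sorted(REPLICATION_ACTIONS), "Resource": f"arn:aws:s3:::{bucket}/*"},
        {"Sid": "AllowBucketOperations", "Effect": "Allow", "Principal": {"AWS": arn},
         "Action": sorted(VERSIONING_ACTIONS), "Resource": f"arn:aws:s3:::{bucket}"}]}
    kms = {"Sid": "Rep Allow use of the key", "Effect": "Allow", "Principal": {"AWS": arn},
           "Action": sorted(KMS_ACTIONS), "Resource": "*"}
    return policy, kms


if __name__ == "__main__":  # a mismatched account ID reproduces the "Access denied" case from Troubleshooting
    policy, kms = sample_documents("111122223333", "itential-replication", "example-log-bucket")
    print(lint_log_shipping(policy, kms, "999988887777", "itential-replication", "example-log-bucket"))
```

To lint real documents, load them with json.load from `aws s3api get-bucket-policy` and `aws kms get-key-policy` output and pass them in place of the samples.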

Data retention

  • Itential storage: Logs are retained in Itential's infrastructure according to your service agreement and contractual data retention policies.
  • Customer storage: You control retention policies for logs delivered to your bucket.
  • Replication window: New logs are typically replicated within minutes of generation.

Security considerations

  • All log data is encrypted in transit using AWS's secure replication mechanisms
  • Access to your destination bucket remains under your complete control
  • Itential's replication role has minimal permissions (write-only access to your designated bucket)
  • No Itential personnel have access to your destination bucket or its contents

Monitoring and verification

Verify replication status

You can monitor replication using AWS CloudWatch metrics or by checking your bucket contents:

# List recent log files
aws s3 ls s3://YOUR_BUCKET_NAME/iap-webserver-logs/ --recursive --human-readable

# Download a sample log file
aws s3 cp s3://YOUR_BUCKET_NAME/iap-webserver-logs/path/to/logfile.log ./sample.log

Log file structure

Logs are organized in your bucket using the following structure:

YOUR_BUCKET_NAME/
├── iap-webserver-logs/
│   ├── your-environment-dev/
│   │   └── YYYY/MM/DD/
│   ├── your-environment-stg/
│   │   └── YYYY/MM/DD/
│   └── your-environment-prod/
│       └── YYYY/MM/DD/

Manage retention

Itential retains logs according to your service agreement. You control retention for logs in your bucket using S3 lifecycle policies.

Troubleshooting

Common issues

Export isn't working

Verify that bucket versioning is enabled, check that the policy syntax and account IDs are correct, and confirm that the KMS key policy includes Itential's replication role.

Access denied errors

Verify that your AWS account ID matches the configuration provided to Itential and that the bucket policy principal matches Itential's role ARN.

Missing logs

Log export can take up to 24 hours after initial setup. Verify that your bucket region matches the configuration.

What's next

After setup is complete:

  • Monitor initial replication: Check your bucket for log files within 24 hours
  • Set up processing: Configure your log analysis tools to consume from your S3 bucket
  • Establish monitoring: Configure CloudWatch alarms to monitor log delivery
  • Plan retention: Create S3 lifecycle policies based on your retention requirements

Get support

For technical support or questions about log shipping setup:

  • Technical Issues or general questions: Submit a support ticket through the Itential Service Desk (ISD) portal
  • AWS-specific questions: Consult AWS documentation or your internal AWS support team