To ingest AWS Elastic Load Balancer access
(useful for visualizing questions such as “Which backend servers are taking the
longest to answer requests?” or “Which calls to our app are returning non-200
HTTP status codes?”) Honeycomb provides a tool called
The source is available on Github and instructions for getting started are provided here.
Please use the following instructions to install
honeyelb. It is available as
part of the Honeycomb AWS Bundle or
as a standalone binary.
wget -q https://honeycomb.io/download/honeyaws/honeyaws_1.186_amd64.deb && \ echo 'c76cbc5636697ed39c17bc2a723eb4f4e1b01722030134bdaf0ae5955e51ff35 honeyaws_1.186_amd64.deb' | sha256sum -c && \ sudo dpkg -i honeyaws_1.186_amd64.deb
wget -q https://honeycomb.io/download/honeyaws/honeyaws-1.186-1.x86_64.rpm && \ echo '5b09a7a72729b8ea6c8ebc125f04ee5b2b3b24fb60e2775d9757ada7f450af62 honeyaws-1.186-1.x86_64.rpm' | sha256sum -c && \ sudo rpm -i honeyaws-1.186-1.x86_64.rpm
wget -q -O honeyelb https://honeycomb.io/download/honeyaws/honeyelb/1.186 && \ echo 'e30c291af383ebb9a0a41b3308546fa70f9559bb5cb05614da4f9c76bcdca49b honeyelb' | sha256sum -c && \ chmod 755 ./honeyelb
honeyelb assumes access to an AWS access key ID and AWS secret access key with
the proper permissions. It will attempt to obtain these via the default profile
~/.aws/config, by the proper environment variables, or by an IAM EC2
instance profile. See the AWS guide on providing
for more details.
See the provided IAM policy
JSON in the
honeyelb repository for one example of a policy which has the proper
permissions. This can be scoped down to more specific resources if desired.
honeyelb can be used interactively (meant for beginning exploration,
debugging credential management, etc.) or as a daemon. Try running some
commands interactively at first to get a feel for using the tool and then
configure it to run as a proper system service when you’re ready to be
To show all ELBs, you can invoke
$ honeyelb ls frontend internal-service service-proxy
To ingest access logs from an ELB, use
honeyelb ingest with one or more ELB
--writekey flag must be set to your write key (we have included yours in the examples below).
By default the events will be sent to a dataset called
Note: If access logs are not configured for the ELB it will throw an error. Please see enable access logs for your Classic Load Balancers to enable this feature.
e.g. Ingesting logs from one ELB named
$ honeyelb --writekey=WRITEKEY \ ingest frontend ...
You are currently logged in to the
so we have populated the write key here to the first write key for that team.
Ingesting logs from multiple specific load balancers (named
$ honeyelb --writekey=WRITEKEY \ ingest frontend internal-service service-proxy ...
honeyelb ingest without any arguments will use all available (“described”)
load balancers in your configured AWS region. With arguments, it will ingest
logs for the specified load balancer names.
$ honeyelb --writekey=WRITEKEY \ ingest ...ingesting logs from all LBs in DescribeLoadBalancers...
The agent will drop state files (to avoid sending duplicate events) in the
current working directory where it is invoked by default. To modify where these
files are kept, use the
honeyelb, while supporting a interactive workflow for initial discovery and
experimentation, is meant to be invoked as a long-running process by a system
To do this, edit the system init files (Upstart and systemd are supported) installed by the package manager to add the write key.
Once you receive data from
honeyelb you will want to explore it. The
descriptions of the sent fields is available in the AWS documentation for ELB
There is one small difference: the
backend:port keys from
that guide are represented as
backend_authority in the
Here are some suggestions for things to try:
MAX(backend_processing_time)to see which server(s) answered your slowest requests
P99(backend_processing_time)to see which endpoints (URL paths) take the longest
P99(backend_processing_time)to see which ELBs returned the most HTTP status code 200, 404, 500 etc. responses
MIN()to see when backends have timed out (timeouts are represented by -1 response time in the ELB access logs)