# AWS NLB

## Overview

{% hint style="info" %}
AWS NLB log ingestion is in [open beta](https://github.com/panther-labs/panther-docs/blob/main/docs/gitbook/data-onboarding/resources/help/glossary.md#beta-features) starting with Panther version 1.118, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.
{% endhint %}

Panther supports ingesting Amazon Web Services (AWS) Network Load Balancer (NLB) logs via AWS S3.

{% hint style="info" %}
AWS NLB access logs only support TLS listeners. TCP and UDP listeners do not generate access logs.
{% endhint %}

## How to onboard AWS NLB logs to Panther

To pull NLB logs into Panther, set up an S3 bucket in the Panther Console to stream data from your AWS account.

1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. Click **Create New**.
3. Search for "AWS Network Load Balancer," then click its tile.
4. In the upper right-hand corner, click **Start Setup**.
5. Follow [Panther's documentation for configuring S3 for data transport](https://docs.panther.com/data-onboarding/data-transports/aws/s3).

## Panther-managed detections

See [Panther-managed](https://docs.panther.com/detections/panther-managed) rules for AWS in the [panther-analysis GitHub repository](https://github.com/panther-labs/panther-analysis/tree/main/rules).

## Supported NLB logs

### AWS.NLB

Network Load Balancer access logs record Layer 4 TLS connections for your Network Load Balancer. For more information, see [AWS's documentation on NLB access logs](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-access-logs.html).

```yaml
schema: AWS.NLB
parser:
  native:
    name: AWS.NLB
description: Network Load Balancer logs Layer 4 TLS connection logs for your network load balancer.
referenceURL: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-access-logs.html
fields:
  - name: type
    required: true
    description: The type of request or connection.
    type: string
  - name: version
    required: true
    description: The log format version.
    type: string
  - name: time
    required: true
    description: The time when the connection was closed.
    type: timestamp
    timeFormat: rfc3339
  - name: elb
    description: The resource ID of the load balancer.
    type: string
  - name: listener
    description: The resource ID of the TLS listener.
    type: string
  - name: clientIp
    description: The IP address of the client.
    type: string
  - name: clientPort
    description: The port of the client.
    type: bigint
  - name: destinationIp
    description: The IP address of the destination.
    type: string
  - name: destinationPort
    description: The port of the destination.
    type: bigint
  - name: connectionTime
    description: The total time of the connection in milliseconds.
    type: bigint
  - name: tlsHandshakeTime
    description: The total time for the TLS handshake in milliseconds.
    type: bigint
  - name: receivedBytes
    description: The number of bytes received from the client.
    type: bigint
  - name: sentBytes
    description: The number of bytes sent to the client.
    type: bigint
  - name: incomingTlsAlert
    description: The TLS alert code if an alert was received.
    type: bigint
  - name: chosenCertArn
    description: The ARN of the certificate presented to the client.
    type: string
  - name: chosenCertSerial
    description: Reserved field.
    type: string
  - name: tlsCipher
    description: The TLS cipher suite negotiated.
    type: string
  - name: tlsProtocolVersion
    description: The TLS protocol version.
    type: string
  - name: tlsKeyExchange
    description: The TLS key exchange algorithm.
    type: string
  - name: domainName
    description: The SNI hostname provided by the client.
    type: string
  - name: alpnFeProtocol
    description: The protocol negotiated with the client via ALPN.
    type: string
  - name: alpnBeProtocol
    description: The protocol negotiated with the backend via ALPN.
    type: string
  - name: alpnClientPreferenceList
    description: The list of protocols in the ALPN preference list presented by the client.
    type: array
    element:
      type: string
  - name: tlsConnectionCreationTime
    description: The time when the TLS connection was established.
    type: timestamp
    timeFormat: rfc3339
```
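
As an added example (not taken from Panther's documentation or the panther-analysis repository), the following shows how the schema's fields can drive a detection, written in the shape of a Panther Python rule with `rule(event)` and `title(event)`. It assumes `tlsProtocolVersion` carries the strings AWS documents for NLB access logs (`tlsv10` through `tlsv13`) and that empty fields arrive as `None`; the `_findings` helper and the sample events are constructed for illustration.

```python
# Added example: flag AWS.NLB connections that used a deprecated TLS version
# or where the client sent a TLS alert. Field names come from the schema above.
# Assumption: tlsProtocolVersion values look like "tlsv10" ... "tlsv13".

DEPRECATED_TLS = {"tlsv10", "tlsv11"}
CLOSE_NOTIFY = 0  # TLS alert code 0 is close_notify (orderly shutdown), not an error


def _findings(event):
    """Return the reasons this connection deserves attention (empty if none)."""
    reasons = []
    version = (event.get("tlsProtocolVersion") or "").strip().lower()
    if version in DEPRECATED_TLS:
        reasons.append(f"deprecated protocol {version}")
    # A failed handshake may have no protocol version at all, only an alert code.
    alert = event.get("incomingTlsAlert")
    if alert is not None and alert != CLOSE_NOTIFY:
        reasons.append(f"client sent TLS alert {alert}")
    return reasons


def rule(event):
    return event.get("type") == "tls" and bool(_findings(event))


def title(event):
    return (
        f"NLB TLS issue on {event.get('elb', '<unknown elb>')} "
        f"from {event.get('clientIp', '<unknown client>')}: "
        + "; ".join(_findings(event))
    )


# Constructed sample events (documentation IP ranges, made-up load balancer ID).
_BASE = {"type": "tls", "version": "2.0", "elb": "net/example-nlb/0123456789abcdef"}
SAMPLE_EVENTS = [
    {**_BASE, "clientIp": "198.51.100.7", "tlsProtocolVersion": "tlsv12"},
    {**_BASE, "clientIp": "198.51.100.8", "tlsProtocolVersion": "tlsv10"},
    {**_BASE, "clientIp": "203.0.113.9", "incomingTlsAlert": 40},
    {**_BASE, "clientIp": "203.0.113.10", "tlsProtocolVersion": "tlsv13",
     "incomingTlsAlert": 0},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(title(ev) if rule(ev) else f"ok: {ev['clientIp']}")
```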
