Skip to content
Snippets Groups Projects

Monitor your GitLab Dedicated instance

  • Tier: Ultimate
  • Offering: GitLab Dedicated

GitLab delivers application logs to an Amazon S3 bucket in the GitLab tenant account, which can be shared with you. To access these logs, you must provide AWS Identity and Access Management (IAM) Amazon Resource Names (ARNs) that uniquely identify your AWS users or roles.

Logs stored in the S3 bucket are retained indefinitely.

GitLab team members can view more information about the proposed retention policy in this confidential issue: https://gitlab.com/gitlab-com/gl-infra/gitlab-dedicated/team/-/issues/483.

Request access to application logs

To gain read-only access to the S3 bucket with your application logs:

  1. Open a support ticket with the title Customer Log Access.

  2. In the body of the ticket, include a list of IAM ARNs for the users or roles that require access to the logs. Specify the full ARN path without wildcards (*). For example:

    • User: arn:aws:iam::123456789012:user/username
    • Role: arn:aws:iam::123456789012:role/rolename

Only IAM user and role ARNs are supported. Security Token Service (STS) ARNs (arn:aws:sts::...) cannot be used.

GitLab provides the name of the S3 bucket. Your authorized users or roles can then access all objects in the bucket. To verify access, you can use the AWS CLI.

GitLab team members can view more information about the proposed feature to add wildcard support in this confidential issue: https://gitlab.com/gitlab-com/gl-infra/gitlab-dedicated/team/-/issues/7010.

Find your S3 bucket name

To find your S3 bucket name:

  1. Sign in to Switchboard.
  2. At the top of the page, select Configuration.
  3. In the Tenant details section, locate the AWS S3 bucket for tenant logs field.

For information about how to access S3 buckets after you have the name, see the AWS documentation about accessing S3 buckets.

S3 bucket contents and structure

The Amazon S3 bucket contains a combination of infrastructure logs and application logs from the GitLab log system.

The logs in the bucket are encrypted using an AWS KMS key managed by GitLab. If you choose to enable BYOK, the application logs are not encrypted with the key you provide.

The logs in the S3 bucket are organized by date in YYYY/MM/DD/HH format. For example, a directory named 2023/10/12/13 contains logs from October 12, 2023 at 13:00 UTC. The logs are streamed into the bucket with Amazon Kinesis Data Firehose.