Upload Production Logs to Amazon
Provisioning Alexa Connect Kit (ACK) devices for production generates two types of logs: audit logs (for Matter devices only) and control logs. You upload these logs to Amazon as follows:
- During module provisioning, the ACK server generates audit logs for all events relating to Matter certificates, such as certificate signing requests (CSRs). You must upload these logs to Amazon at least every 24 hours. If logs go two days without being uploaded, the server stops operating to remind you to upload them.
CSA Audit Log Requirements
Sending audit logs is a requirement from the Connectivity Standards Alliance (CSA) Matter Public Key Infrastructure (PKI) Certificate Policy. The CSA governs the Matter PKI and provides requirements for the Matter PKI certificates, including audit log procedures. For more details, see CSA PKI Certificate Policy.
- Amazon uses control logs to track the encoded identifier of a device or a multi-device package to enable Frustration Free Setup (FFS).
There are two types of control logs: device and bundle. You generate device control log files that define individual devices during module provisioning. Bundle control log files define package groupings of devices sold as a multi-device package. Devices sold within a bundle have a device control log file and a bundle control log file. You generate the device control log during module programming and the bundle control log during pre-shipment.
Amazon Control Log Requirements
Upload control logs every day or after each production run. Make sure you confirm the upload by waiting for the feedback file. Real-time upload of control logs during the production process isn't required.
Prerequisites
Contact your ACK support engineer to create audit log and control log Amazon Web Services (AWS) S3 buckets for your Amazon vendor ID associated with your AWS developer account. Provide the canonical ID of your AWS developer account. You can use these buckets for all ACK products under the same developer account.
Upload audit logs
Provisioning generates a new audit log file each day. The audit log file name has the following format: AUDIT_LOG_<device-type>_YYYYMMDD.txt and resides in the audit_logs_upload folder under the data folder on the server. You pass the data folder name to the ACK server on startup. The server archives the previous day's audit log in a zip file in the same folder.
To upload an audit log to Amazon
- Navigate to the audit_logs_upload folder under the data folder on your server.
- Move all zip files in the audit_logs_upload folder to a temporary folder or USB drive.
- Copy the audit log for the current day to the temporary folder or USB drive.
- To access the audit log S3 bucket, complete the following steps:
- Sign in to the AWS console with your Amazon developer account.
- Navigate to the audit log bucket with your vendor ID:
https://s3.console.aws.amazon.com/s3/buckets/<lowercase-vendor-id>-audit-logs.
To view your Amazon vendor ID, open Customer Details.
Tip: To find your audit log bucket later, bookmark this link.
- Create a folder for your device type ID, if the folder doesn't exist.
- On a machine with internet access, upload the files to the audit log bucket.
Tip: It's OK to upload the same file twice. If you already uploaded the audit log from the previous day and the ACK server regenerates the audit log file to store new data, make sure to re-upload the log file.
- Verify the upload succeeded, and then store the results in the database.
Automate audit log upload
To make sure that audit logs upload to the S3 bucket at least every 24 hours, you can automate the process by using the AWS CLI.
To automate the audit log upload to Amazon
- Sign in to the AWS console with your Amazon developer account.
- In the AWS Identity and Access Management (IAM) console, create an IAM user with S3 write permission, and then create an access key and copy its secret. For more details, see Identity and Access Management for Amazon S3.
- In a terminal window, at the command prompt, enter the following command to configure the CLI with the S3 access key.
At the prompt, enter the IAM account access key and secret.
aws configure
- To upload the audit log file, in a terminal window, enter the following command at the command prompt.
aws s3 cp <audit-log-file> s3://<lowercase-vendor-id>-audit-logs/<device-type-id>/
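The upload step above as a job you can schedule, shown as an added example that is not part of the ACK documentation or SDK. The function names and argument order are hypothetical, and the script assumes that the <device-type> in the log file name is also the <device-type-id> folder name and that every zip file in audit_logs_upload is an audit log archive.

```shell
#!/usr/bin/env bash
# Added example (not ACK SDK code): upload archived and current audit logs with the AWS CLI.
# Assumption: <device-type> in the file name equals the <device-type-id> folder name.
set -u

# List every zip archive plus today's AUDIT_LOG_<device-type>_YYYYMMDD.txt, one path per line.
audit_files_to_upload() {
  local dir="$1/audit_logs_upload"
  local current="$dir/AUDIT_LOG_${2}_$(date +%Y%m%d).txt"
  find "$dir" -maxdepth 1 -type f -name '*.zip' | sort
  if [ -f "$current" ]; then printf '%s\n' "$current"; fi
}

# Build s3://<lowercase-vendor-id>-audit-logs/<device-type-id>/ from the vendor ID.
audit_s3_prefix() {
  local vendor
  vendor="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
  printf 's3://%s-audit-logs/%s/\n' "$vendor" "$2"
}

# Upload each file. Returns 1 if any upload failed and 2 if nothing was found,
# so a scheduler can alert before the server's two-day limit is reached.
upload_audit_logs() {
  local data_dir="$1"; local vendor="$2"; local device_type="$3"
  local dest files f; local failed=0; local count=0
  dest="$(audit_s3_prefix "$vendor" "$device_type")"
  files="$(audit_files_to_upload "$data_dir" "$device_type")"
  while IFS= read -r f; do
    [ -n "$f" ] || continue
    count=$((count + 1))
    # Re-uploading a file that is already in the bucket is acceptable.
    if aws s3 cp "$f" "$dest" --only-show-errors < /dev/null; then
      echo "uploaded: $f"
    else
      echo "FAILED: $f" >&2
      failed=1
    fi
  done <<EOF
$files
EOF
  if [ "$count" -eq 0 ]; then
    echo "no audit logs found under $data_dir/audit_logs_upload" >&2
    return 2
  fi
  return "$failed"
}
# Usage: upload_audit_logs <path/to/data/folder> <vendor-id> <device-type> || exit 1
```

Run it from a daily scheduled job and treat any non-zero exit status as an alert, because a silently failing upload is what leads to the server stopping.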
Generate and upload control logs
In this step, you generate and upload control logs from your server. You can create control logs for locked modules only. You upload the control logs to the SFTP endpoint created in Step 4: Set up the server. To confirm the upload succeeded, view the feedback file. For more details about the format of control logs, see Control Log Specification.
To generate and upload control logs
- Stop the ACK server so that it doesn't modify the data during the upload.
- To generate control logs on your server, in a terminal window, run the following command at the command prompt.
servertools generate-control-log -d <device_type> --device-type-data-path <path/to/data/folder>
- To copy the generated logs to a USB drive or temporary file location, at the command prompt, run the following command.
servertools copy-control-log -d <device_type> --device-type-data-path <path/to/data/folder> --destination <path/to/destination>
- To copy the files to the SFTP endpoint and receive feedback files, enter the following command at the command prompt.
Use the upload and feedback endpoints that you created on the FFS > Control Logs console.
Tip: The command scans the folder for new control log files, uploads the files, and then waits until the feedback files are ready. The Amazon server generates one feedback file per device.
servertools upload-control-log -d <device_type> --device-type-data-path <path/to/data/folder> --upload-endpoint=<UPLOAD_ID>@na-sftp.amazonsedi.com:22 --feedback-endpoint=<FEEDBACK_ID>@na-sftp.amazonsedi.com:22 -k <path/to/control_log_key> -p <control_log_key_passphrase> -l DEBUG
- Within 30 minutes, download and view the feedback files for errors.
- Verify the upload succeeded, and then store the results in the database and remove the feedback files from the endpoint.
- If the upload failed, review the logs, correct any errors, and then repeat steps 4 and 5.
Automate control log upload
The ACK SDK tool package has a reference implementation that stores control logs of 500 devices at a time for batch upload. You can find the control_logs_help.py file in matter\server_tools\helper in your acksdktools directory.
Related topics
- Manufacture your ACK-based Matter Device
- Set Up Client - Server Machines for Production
- Provision ACK Modules for Production