VPC Flow logs
- VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC.
- Flow log data can be published to Amazon CloudWatch Logs or Amazon S3.
- Helps to monitor & troubleshoot connectivity issues.
Three types of flow logs
- VPC Flow Logs
- Subnet Flow Logs
- Elastic Network Interface Flow Logs
- You can create flow logs for network interfaces that are created by other AWS services, such as — Elastic Load Balancing, Amazon RDS, Amazon ElastiCache, Amazon Redshift, Amazon WorkSpaces, NAT gateways, Transit gateways.
- Query VPC flow logs using Athena on S3 or CloudWatch Logs Insight.
Flow Log Syntax
<version> <account-id> <interface-id> <srcaddr> <dstaddr> <srcport> <dstport> <protocol> <packets> <bytes> <start> <end> <action> <log- status>
- <version> — The VPC Flow Logs version. The defaults version is 2.
- <account-id> — The AWS account ID of the owner of the source network interface for which traffic is recorded.
- <interface-id> — The ID of the network interface for which the traffic is recorded.
- <srcaddr> — The source address for incoming traffic.
- <dstaddr> — The destination address for outgoing traffic.
- <srcport> — The source port of the traffic.
- <dstport> — The destination port of the traffic.
- <protocol> — The IANA protocol number of the traffic
- <packets> — The number of packets transferred during the flow.
- <bytes> — The number of bytes transferred during the flow.
- <start> — The time, in Unix seconds, when the first packet of the flow was received within the aggregation interval.
- <end> — The time, in Unix seconds, when the last packet of the flow was received within the aggregation interval.
- <action> The action that is associated with the traffic:
ACCEPT — The recorded traffic was permitted by the security groups and network ACLs.
REJECT — The recorded traffic was not permitted by the security groups or network ACLs.
- <log- status>- The logging status of the flow log:
OK — Data is logging normally to the chosen destinations.
NODATA — There was no network traffic to or from the network interface during the aggregation interval.
SKIPDATA — Some flow log records were skipped during the aggregation interval. This may be because of an internal capacity constraint, or an internal error.
Flow logs reference — https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html
AWS flow logs with Athena — https://docs.aws.amazon.com/athena/latest/ug/vpc-flow-logs.html