Did you know you can log IP traffic to and from network interfaces in your VPC using the VPC Flow Logs functionality? 

Go through this blog to find out how!

Where are the flow logs stored? Flow log data can be published to Amazon CloudWatch Logs or to Amazon S3. Once the flow log has been created, you retrieve its records and view them in the destination you selected.

You can use flow logs to help with a number of tasks, such as:

  • Identifying security group rules that are too restrictive
  • Monitoring the traffic that is reaching your instance
  • Determining the direction of the traffic to and from the network interfaces

Flow log data is gathered outside the path of your network traffic, so enabling it has no effect on throughput or latency, and creating or deleting flow logs has no impact on network performance. You can create a flow log for a VPC, a subnet, or a single network interface. If you create a flow log for a subnet or a VPC, every network interface in that subnet or VPC is monitored.

Publishing flow logs to CloudWatch Logs

IAM roles for publishing flow logs to CloudWatch Logs

The IAM policy that is attached to your IAM role must include at least the following permissions.

Also, ensure that your role has a trust relationship that allows the flow logs service to assume the role.
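The post does not reproduce the policy documents themselves. The added example below (written for this article, not taken from it) builds the two documents the role needs, a permissions policy and a trust policy, and adds a small check that reports what is missing from a role before you point a flow log at it. The five `logs:` actions and the `vpc-flow-logs.amazonaws.com` service principal are the ones AWS documents for this role; the `check_flow_log_role()` helper and the sample policies are constructed here for illustration.

```python
"""Added example: verify an IAM role is usable for publishing VPC Flow Logs to CloudWatch Logs.

The required actions and the trust principal are the ones AWS documents for this role.
The policy documents and check_flow_log_role() are constructed for this example and are
not part of the original post.
"""
import json

# Minimum actions the role's permissions policy must allow (as documented by AWS).
REQUIRED_ACTIONS = {
    "logs:CreateLogGroup",
    "logs:CreateLogStream",
    "logs:PutLogEvents",
    "logs:DescribeLogGroups",
    "logs:DescribeLogStreams",
}

# Service principal that the trust policy must allow to assume the role.
FLOW_LOGS_SERVICE = "vpc-flow-logs.amazonaws.com"

# Constructed example: a permissions policy that meets the minimum.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": sorted(REQUIRED_ACTIONS), "Resource": "*"}
    ],
}

# Constructed example: the trust relationship that lets the flow logs service assume the role.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": FLOW_LOGS_SERVICE},
            "Action": "sts:AssumeRole",
        }
    ],
}


def _as_list(value):
    """IAM accepts either a string or a list for Action/Principal values; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allowed_actions(policy):
    """Collect the actions granted by Allow statements (Deny and Condition are ignored here)."""
    actions = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            actions.update(_as_list(stmt.get("Action")))
    return actions


def trusts_flow_logs(trust_policy):
    """True if an Allow statement lets vpc-flow-logs.amazonaws.com call sts:AssumeRole."""
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        services = _as_list(stmt.get("Principal", {}).get("Service"))
        actions = _as_list(stmt.get("Action"))
        if FLOW_LOGS_SERVICE in services and "sts:AssumeRole" in actions:
            return True
    return False


def check_flow_log_role(permissions_policy, trust_policy):
    """Return a list of problems; an empty list means the role can publish flow logs."""
    problems = []
    for action in sorted(REQUIRED_ACTIONS - allowed_actions(permissions_policy)):
        problems.append(f"permissions policy does not allow {action}")
    if not trusts_flow_logs(trust_policy):
        problems.append(f"trust policy does not allow {FLOW_LOGS_SERVICE} to assume the role")
    return problems


if __name__ == "__main__":
    print(json.dumps(PERMISSIONS_POLICY, indent=2))
    print(json.dumps(TRUST_POLICY, indent=2))
    print("problems:", check_flow_log_role(PERMISSIONS_POLICY, TRUST_POLICY))
```

The check compares literal action names, so a policy that grants `logs:*` would be reported as missing every action even though it is sufficient; treat the output as a prompt to look at the role, not as an authoritative IAM evaluation. In practice the `Resource` element should name the destination log group rather than `*`.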

Create a VPC flow log that publishes to CloudWatch Logs

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
  2. In the navigation pane, choose Your VPCs or choose Subnets.
  3. Select the checkbox for one or more VPCs or subnets and then choose Actions, Create a flow log.
  4. For Filter, specify the type of traffic to log. Choose All to log accepted and rejected traffic, Reject to log only rejected traffic, or Accept to log only accepted traffic.
  5. For Maximum aggregation interval, choose the maximum period during which a flow is captured and aggregated into one flow log record.
  6. For Destination, choose Send to CloudWatch Logs.
  7. For Destination log group, choose the name of the destination log group that you created (if you have not created one yet, create one first).
  8. For IAM role, specify the name of the role that has permissions to publish logs to CloudWatch Logs.
  9. For Log record format, select the format for the flow log record.
  • To use the default format, choose AWS default format.
  • To use a custom format, choose Custom format and then select fields from Log format.
  • To create a custom flow log that includes the default fields, choose AWS default format, copy the fields in Format preview, then choose Custom format and paste the fields in the text box.
  10. (Optional) Choose Add new tag to apply tags to the flow log.
  11. Choose Create flow log.

Viewing log events in CloudWatch

Open the CloudWatch console and select the log group you created earlier; each monitored network interface appears as a log stream within it.

Analyzing the events using Logs Insights

Select Logs Insights from the left navigation pane, and then specify the log group. Choose one of the provided sample queries and run it to view the results.

Adjust the query to suit your requirements, for example to filter on rejected traffic only or to count flows by source address.
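To make the analysis step concrete, here is an added example (not code from the original post) that parses records in the AWS default flow log format and produces the same kind of summary you would get from a Logs Insights query: rejected flows per source address and per destination port, which is how an over-restrictive security group or a persistent probe shows up in the data. The 14 default fields are the ones AWS documents for the default format; the account ID, ENI IDs, addresses and records are constructed for this example, and the NODATA record is included because real log groups contain them and a parser has to tolerate the `-` placeholders.

```python
"""Added example: parse default-format VPC Flow Log records and summarise rejected traffic.

The field list matches the AWS default log format. The sample records (account id,
ENI ids, IP addresses, timestamps) are constructed for this example and are not taken
from the original post.
"""
from collections import Counter

# Default format: ${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr}
# ${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} ${action} ${log-status}
DEFAULT_FIELDS = [
    "version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
    "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status",
]
INT_FIELDS = ("version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

# Constructed sample: one external source repeatedly rejected on port 22, one accepted
# HTTPS flow, one internal flow rejected on port 5432, and a NODATA record.
SAMPLE_RECORDS = """\
2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.10 10.0.1.25 51234 22 6 3 180 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.10 10.0.1.25 51235 22 6 3 180 1700000060 1700000119 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 198.51.100.7 10.0.1.25 44010 443 6 20 5400 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60002 10.0.2.40 10.0.1.25 38000 5432 6 5 320 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60002 - - - - - - - 1700000000 1700000059 - NODATA
"""


def parse_record(line):
    """Split one default-format record into a dict.

    Numeric fields become ints; a '-' placeholder (used in NODATA/SKIPDATA records)
    becomes None so callers can tell 'absent' from a real value.
    """
    parts = line.split()
    if len(parts) != len(DEFAULT_FIELDS):
        raise ValueError(f"expected {len(DEFAULT_FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(DEFAULT_FIELDS, parts))
    for key in INT_FIELDS:
        rec[key] = None if rec[key] == "-" else int(rec[key])
    for key in ("srcaddr", "dstaddr", "action"):
        if rec[key] == "-":
            rec[key] = None
    return rec


def parse_records(text):
    """Parse every non-empty line of a log export."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def rejects_by_source(records):
    """Rejected flows per source address.

    Logs Insights equivalent over a flow log group with auto-discovered fields:
      filter action = "REJECT" | stats count(*) as rejects by srcAddr | sort rejects desc
    """
    return Counter(r["srcaddr"] for r in records if r["action"] == "REJECT")


def rejected_ports(records):
    """Rejected flows per destination port. A port your own workloads legitimately
    need showing up here is the symptom of a security group rule that is too restrictive."""
    return Counter(r["dstport"] for r in records if r["action"] == "REJECT")


def without_traffic_data(records):
    """Records whose log-status is not OK (NODATA / SKIPDATA) carry no flow details."""
    return [r for r in records if r["log_status"] != "OK"]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print("rejects by source:", rejects_by_source(recs).most_common())
    print("rejected ports:   ", rejected_ports(recs).most_common())
    print("records without traffic data:", len(without_traffic_data(recs)))
```

The same logic transfers to a custom format by replacing `DEFAULT_FIELDS` with the field list you chose in step 9; keep the order identical to the format string, because the record is positional and has no header.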