Accessing VPC Flow Logs for Reading – Logging and Monitoring – SCS-C02 Study Guide

Accessing VPC Flow Logs for Reading

After you have enabled VPC Flow Logs, the next step is to figure out how you will access them to take advantage of the data that has been collected.

You can access your logs via the AWS Management Console. Since the logs are delivered to S3, you can browse them there once the first delivery has arrived (allow several minutes after the flow log is created before expecting any objects):

  1. Start by logging in to the S3 console. You can quickly use the following URL to visit the S3 service: https://packt.link/jlula.
  2. After you are logged in to S3, navigate to the bucket you created in step 3 of the previous exercise. In this case, the bucket was named packt-security-logs.
  3. Click on the bucket name to be taken to the folders inside the bucket. You should see a folder named bucketnameLogs (see the following figure). Click on this folder.

Figure 7.4: S3 bucket selection for VPC Flow Logs

  4. Once inside the folder, you will see the logs generated by date. Choose any of the files and click on it. Once on the file page, click on Download to download the file locally and open up the file in a text editor.

Figure 7.5: VPC Flow Logs file download screen

The next important step after accessing your VPC Flow Logs (as stored in the previously created S3 bucket) is to look at the contents of one of the log files. This is covered in the next section.

Parsing the Content of VPC Flow Logs

AWS VPC Flow Logs contain information about the traffic through the network interfaces in your VPC, including the source and destination IP addresses, protocol, port numbers, packet and byte counts, and timestamps. In the default (version 2) format each record is a single line of space-separated fields. The following is an example of the information contained in a VPC Flow Logs record:

2 123456789010 eni-01234567890123456 10.0.0.101 10.0.0.201 443 1234 6 10 500 1617087245 1617087301 ACCEPT OK

The following dissects the fields in this example so you know what they mean:

  • 2: This is the version of the VPC Flow Logs format.
  • 123456789010: This is the AWS account ID for the owner of the network interface.
  • eni-01234567890123456: This is the ID of the elastic network interface (ENI) that captured the traffic.
  • 10.0.0.101: This is the source IP of the traffic or where the request originated from.
  • 10.0.0.201: This is the destination address of the traffic.
  • 443: This is the source port of the traffic.
  • 1234: This is the destination port of the traffic.
  • 6: This is the IP protocol number (TCP in this case).
  • 10: This is the number of packets in the flow.
  • 500: This is the number of bytes in the flow.
  • 1617087245: This is the start time of the flow, in Unix time.
  • 1617087301: This is the end time of the flow, in Unix time.
  • ACCEPT: This is the action taken on the traffic (in this case, it was allowed by the security groups and network ACLs; REJECT means it was blocked).
  • OK: This is the logging status of the record. OK means the data was logged normally; NODATA means no traffic was seen during the capture window; SKIPDATA means some records were skipped because of an internal capacity constraint or error. For NODATA and SKIPDATA records, the fields with no value are written as a hyphen (-).
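The following parser is an added example written for this page; it is not code from the book or from AWS. It assumes what a file downloaded from the S3 bucket looks like after decompression: the objects are gzip-compressed and begin with a header line naming the fields in order (this holds for the default format and for custom formats, which is why the parser reads the header instead of hard-coding positions). The sample records are constructed, including NODATA and SKIPDATA lines whose empty fields are hyphens, and two REJECTed probes against SSH and RDP. The summary helpers show the kind of first-pass detection you would run over a day's worth of files.

```python
import gzip
import io
from collections import Counter

# Constructed sample of a decompressed VPC Flow Logs object: a header line with the
# field names, then one record per line. Default (version 2) format.
SAMPLE_LOG = """version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 123456789010 eni-01234567890123456 10.0.0.101 10.0.0.201 443 1234 6 10 500 1617087245 1617087301 ACCEPT OK
2 123456789010 eni-01234567890123456 198.51.100.7 10.0.0.201 51822 22 6 3 180 1617087250 1617087290 REJECT OK
2 123456789010 eni-01234567890123456 198.51.100.7 10.0.0.201 51823 3389 6 2 120 1617087251 1617087291 REJECT OK
2 123456789010 eni-01234567890123456 - - - - - - - 1617087245 1617087301 - NODATA
2 123456789010 eni-01234567890123456 - - - - - - - 1617087245 1617087301 - SKIPDATA
"""

# The same sample compressed the way the objects are stored in S3 (constructed here).
SAMPLE_LOG_GZ = gzip.compress(SAMPLE_LOG.encode())

# Fields that carry numbers in the default format; everything else stays a string.
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}


def parse_flow_log(text):
    """Parse decompressed flow log text into a list of dicts keyed by header field name.

    A "-" (used by NODATA/SKIPDATA records for fields with no value) becomes None,
    so callers never have to guess whether a port or byte count is real.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    fields = lines[0].split()
    records = []
    for ln in lines[1:]:
        values = ln.split()
        if len(values) != len(fields):
            raise ValueError(f"record has {len(values)} fields, header has {len(fields)}: {ln!r}")
        rec = {}
        for name, val in zip(fields, values):
            if val == "-":
                rec[name] = None
            elif name in INT_FIELDS:
                rec[name] = int(val)
            else:
                rec[name] = val
        records.append(rec)
    return records


def parse_flow_log_gz(data):
    """Decompress a downloaded .log.gz object (bytes) and parse it."""
    with gzip.open(io.BytesIO(data), "rt") as fh:
        return parse_flow_log(fh.read())


def rejected_probes(records, ports=(22, 3389)):
    """Count REJECTed TCP flows per (srcaddr, dstport) for admin ports.

    Only OK records are considered: NODATA/SKIPDATA rows have no addresses or ports.
    """
    hits = Counter()
    for r in records:
        if r["log-status"] != "OK":
            continue
        if r["action"] == "REJECT" and r["protocol"] == 6 and r["dstport"] in ports:
            hits[(r["srcaddr"], r["dstport"])] += 1
    return hits


def total_bytes(records):
    """Sum the bytes of all logged flows, ignoring NODATA/SKIPDATA rows."""
    return sum(r["bytes"] for r in records if r["log-status"] == "OK")


if __name__ == "__main__":
    recs = parse_flow_log_gz(SAMPLE_LOG_GZ)
    print(f"{len(recs)} records, {total_bytes(recs)} bytes logged")
    for (src, port), n in rejected_probes(recs).items():
        print(f"REJECT from {src} to port {port}: {n} flow(s)")
```

To run it against a real download, read the object with `open("file.log.gz", "rb").read()` and pass the bytes to `parse_flow_log_gz`. Because the header drives the field mapping, a flow log created with a custom format (for example one that adds pkt-srcaddr and pkt-dstaddr) parses without changes, although any new numeric fields would need adding to INT_FIELDS to be converted from strings.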

Understanding Flow Log Limitations

Before turning on VPC Flow Logs on every VPC in your accounts and across your infrastructure, be aware that their use has a few limitations. Some key points to note are as follows:

  • You can’t enable a flow log for a VPC that is peered with yours but belongs to another account; each account must create its own flow logs.
  • Once enabled, you cannot change a flow log configuration or record format. You would need to delete the current flow log and recreate a flow log to enable any changes.
  • Delivery of logs to the designated S3 bucket happens in 5-minute intervals. This is separate from the capture window (maximum aggregation interval), which is 10 minutes by default and can be reduced to 1 minute when the flow log is created.
  • When the packet’s destination is a secondary private IPv4 address, the primary IPv4 address of the instance will appear in the dstaddr field of VPC Flow Logs. If you need the address actually carried in the packet, use a custom format that includes the pkt-srcaddr and pkt-dstaddr fields.

Note

For a complete list of the limitations, you can visit the following URL: https://packt.link/XGTBI

With a fuller understanding of VPC Flow Logs and how to read them, you can now move on to a different network logging capability, VPC Traffic Mirroring.