VPC Flow

Preparation

Before creating VPC flow logs for ingestion by AE, an AWS S3 bucket for CloudTrail event storage and an SQS queue must be designated and/or created. Please refer to Collecting data: Amazon S3 before continuing.

VPC Flow Logs

Now is the time to create the VPC flow log. Navigate to a VPC of interest, then to Flow logs and Create flow log.

Give the flow log a name, set Destination to Send to an Amazon S3 bucket, and enter the ARN of the bucket you designated and/or created.

For Log record format select Custom format and use:

${account-id} ${action} ${bytes} ${dstaddr} ${dstport} ${end} ${instance-id} ${packets} ${pkt-dstaddr} ${pkt-srcaddr} ${protocol} ${region} ${srcaddr} ${srcport} ${start} ${tcp-flags} ${version} ${vpc-id}

Click Create flow log. VPC flow logs should now start flowing into AE.
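
To confirm that the objects landing in the bucket match the custom format above, the following added example (not part of the original page or of AE) parses records in that exact field order. The sample lines are constructed; the header line and the "-" placeholder for an empty field follow standard VPC flow log behaviour for text files delivered to S3.

```python
import re

# Custom format string exactly as given in the Log record format step above.
LOG_FORMAT = (
    "${account-id} ${action} ${bytes} ${dstaddr} ${dstport} ${end} "
    "${instance-id} ${packets} ${pkt-dstaddr} ${pkt-srcaddr} ${protocol} "
    "${region} ${srcaddr} ${srcport} ${start} ${tcp-flags} ${version} ${vpc-id}")
FIELDS = re.findall(r"\$\{([a-z-]+)\}", LOG_FORMAT)
INT_FIELDS = {"bytes", "dstport", "end", "packets", "protocol",
              "srcport", "start", "tcp-flags", "version"}

def parse_record(line):
    """Return a dict for one record, or None for a log file's header line."""
    parts = line.split()
    if parts == FIELDS:          # header line naming the fields
        return None
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    record = {}
    for name, value in zip(FIELDS, parts):
        if value == "-":         # "-" means the field has no value for this record
            record[name] = None
        elif name in INT_FIELDS:
            record[name] = int(value)
        else:
            record[name] = value
    return record

def parse_lines(lines):
    """Parse an iterable of lines, skipping blanks and header lines."""
    return [r for r in (parse_record(l) for l in lines if l.strip()) if r is not None]

# Constructed sample: a header line, an accepted flow, and a rejected flow
# with no instance ID. Addresses and IDs are made up for illustration.
SAMPLE = [
    " ".join(FIELDS),
    "123456789012 ACCEPT 4096 10.0.1.20 443 1700000060 i-0123456789abcdef0 12 10.0.1.20 10.0.0.15 6 us-east-1 10.0.0.15 49152 1700000000 19 5 vpc-0abc1234def567890",
    "123456789012 REJECT 40 10.0.1.20 22 1700000120 - 1 10.0.1.20 203.0.113.7 6 us-east-1 203.0.113.7 51000 1700000060 2 5 vpc-0abc1234def567890",
]

if __name__ == "__main__":
    for rec in parse_lines(SAMPLE):
        print(rec["action"], rec["srcaddr"], "->", rec["dstaddr"], rec["dstport"])
```

A record that raises ValueError here has a different field count than the format above, which usually means the flow log was created with the default format or a different custom format.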