Define pattern for log groups in CloudWatch
- Create filter pattern
  - Filter pattern: [action, azid, bytes, dstaddr, dstport, instanceid, protocol, srcaddr, srcport, subnetid]
  - The field order must match the flow log's configured record format exactly; a space-delimited pattern only matches records that have the same number of fields as the pattern.
- Metric namespace
  - Name for metric namespace
  - Metric name: bytes
  - Metric value: $bytes
  - Unit: Bytes
  - Dimensions:
    - Dimension name: dst-addr, Dimension value: $dstaddr
Determine NAT gateway logs
# If the network interface (VPC flow log) record format is the default:
# ${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} ${action} ${log-status}
# then the parse needs 14 "*" and the default field names. The parse below assumes the custom 10-field format from the filter pattern above.
fields @timestamp
| parse @message "* * * * * * * * * *" as action, azid, bytes, dstaddr, dstport, instanceid, protocol, srcaddr, srcport, subnetid
| stats sum(bytes) as bytesTransferred by srcaddr, dstaddr
| sort bytesTransferred desc
VPC transit gateway flow logs
- Create filter pattern
  - Filter pattern: [version, resource_type, account_id, tgw_id, tgw_attachment_id, tgw_src_vpc_account_id, tgw_dst_vpc_account_id, tgw_src_vpc_id, tgw_dst_vpc_id, tgw_src_subnet_id, tgw_dst_subnet_id, tgw_src_eni, tgw_dst_eni, tgw_src_az_id, tgw_dst_az_id, tgw_pair_attachment_id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, log_status, type, packets_lost_no_route, packets_lost_blackhole, packets_lost_mtu_exceeded, packets_lost_ttl_expired, tcp_flags, region, flow_direction, pkt_src_aws_service, pkt_dst_aws_service]
- Metric namespace
  - Name for metric namespace
  - Metric name: bytes
  - Metric value: $bytes
  - Unit: Bytes
  - Dimensions:
    - Dimension name: account_id, Dimension value: $account_id
Determine VPC transit gateway logs
fields @timestamp
| parse @message "* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *" as version, resource_type, account_id, tgw_id, tgw_attachment_id, tgw_src_vpc_account_id, tgw_dst_vpc_account_id, tgw_src_vpc_id, tgw_dst_vpc_id, tgw_src_subnet_id, tgw_dst_subnet_id, tgw_src_eni, tgw_dst_eni, tgw_src_az_id, tgw_dst_az_id, tgw_pair_attachment_id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, log_status, type, packets_lost_no_route, packets_lost_blackhole, packets_lost_mtu_exceeded, packets_lost_ttl_expired, tcp_flags, region, flow_direction, pkt_src_aws_service, pkt_dst_aws_service
| sort bytes desc
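The following is an added example, not part of the original notes and not AWS code. It models offline what the two metric filters and the two Insights queries above do, so the field lists can be checked against sample records before they are deployed: a space-delimited filter pattern matches a record only when the token count equals the field count, the metric transformation sums $bytes per dimension value, and the NAT gateway query is a sum of bytes by srcaddr/dstaddr sorted descending. The TGW part additionally sums the four packets_lost_* counters, which is the check a defender wants on Transit Gateway logs (blackhole and no-route drops). All sample records are constructed; the instance, VPC, subnet and TGW identifiers in them are placeholders.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Field order of the custom NAT gateway flow-log format used by the metric
# filter and Insights query in these notes (10 space-separated fields).
NAT_FIELDS = ["action", "azid", "bytes", "dstaddr", "dstport", "instanceid",
              "protocol", "srcaddr", "srcport", "subnetid"]

# Field order of the Transit Gateway flow-log format (36 fields, same order
# as the filter pattern in these notes, six per row for easy counting).
TGW_FIELDS = [
    "version", "resource_type", "account_id", "tgw_id", "tgw_attachment_id", "tgw_src_vpc_account_id",
    "tgw_dst_vpc_account_id", "tgw_src_vpc_id", "tgw_dst_vpc_id", "tgw_src_subnet_id", "tgw_dst_subnet_id", "tgw_src_eni",
    "tgw_dst_eni", "tgw_src_az_id", "tgw_dst_az_id", "tgw_pair_attachment_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes", "start",
    "end", "log_status", "type", "packets_lost_no_route", "packets_lost_blackhole", "packets_lost_mtu_exceeded",
    "packets_lost_ttl_expired", "tcp_flags", "region", "flow_direction", "pkt_src_aws_service", "pkt_dst_aws_service",
]
TGW_LOSS_FIELDS = ["packets_lost_no_route", "packets_lost_blackhole",
                   "packets_lost_mtu_exceeded", "packets_lost_ttl_expired"]


def metric_filter_pattern(fields: List[str]) -> str:
    """Render the space-delimited CloudWatch filter pattern for a field list."""
    return "[" + ", ".join(fields) + "]"


def parse_record(line: str, fields: List[str]) -> Optional[Dict[str, str]]:
    """Split a record the way a [a, b, c] filter pattern does: exactly one
    token per named field. A record with a different token count does not
    match the pattern, so it is dropped (None) rather than mis-aligned."""
    tokens = line.split()
    if len(tokens) != len(fields):
        return None
    return dict(zip(fields, tokens))


def sum_metric(lines, fields, value_field="bytes", dimension_field=None) -> Dict[str, int]:
    """Model the metric transformation: sum $value_field per dimension value.
    NODATA/SKIPDATA-style records carry '-' in numeric fields and are skipped."""
    totals: Dict[str, int] = defaultdict(int)
    for line in lines:
        rec = parse_record(line, fields)
        if rec is None or not rec[value_field].isdigit():
            continue
        key = rec[dimension_field] if dimension_field else ""
        totals[key] += int(rec[value_field])
    return dict(totals)


def bytes_by_pair(lines, fields) -> List[Tuple[str, str, int]]:
    """Equivalent of the NAT gateway query:
    stats sum(bytes) as bytesTransferred by srcaddr, dstaddr | sort bytesTransferred desc"""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for line in lines:
        rec = parse_record(line, fields)
        if rec is None or not rec["bytes"].isdigit():
            continue
        totals[(rec["srcaddr"], rec["dstaddr"])] += int(rec["bytes"])
    return sorted(((s, d, b) for (s, d), b in totals.items()),
                  key=lambda row: row[2], reverse=True)


def tgw_dropped_packets(lines) -> Dict[Tuple[str, str], int]:
    """Sum the four packets_lost_* counters per src/dst pair. Non-zero
    blackhole or no-route drops indicate traffic to prefixes the TGW route
    table does not carry, which is worth an alarm in its own right."""
    drops: Dict[Tuple[str, str], int] = defaultdict(int)
    for line in lines:
        rec = parse_record(line, TGW_FIELDS)
        if rec is None:
            continue
        lost = sum(int(rec[f]) for f in TGW_LOSS_FIELDS if rec[f].isdigit())
        if lost:
            drops[(rec["srcaddr"], rec["dstaddr"])] += lost
    return dict(drops)


# Constructed sample records (not real logs). The fourth NAT line is a
# NODATA-style record; the fifth has only 9 fields and must not match.
NAT_SAMPLE = [
    "ACCEPT use1-az1 1200 93.184.216.34 443 i-0123456789abcdef0 6 10.0.1.23 51234 subnet-0abc1234",
    "ACCEPT use1-az1 800 93.184.216.34 443 i-0123456789abcdef0 6 10.0.1.23 51235 subnet-0abc1234",
    "REJECT use1-az1 40 10.0.1.23 22 i-0123456789abcdef0 6 198.51.100.7 40000 subnet-0abc1234",
    "- use1-az1 - - - i-0123456789abcdef0 - - - subnet-0abc1234",
    "ACCEPT use1-az1 500 93.184.216.34 443 6 10.0.1.23 51236 subnet-0abc1234",
]


def _tgw_line(src: str, nbytes: int, no_route: int, blackhole: int) -> str:
    """Build a constructed 36-field TGW record laid out like TGW_FIELDS."""
    return " ".join([
        "6", "TransitGateway", "123456789012", "tgw-0123456789abcdef0", "tgw-attach-0aaa", "123456789012",
        "123456789012", "vpc-0src", "vpc-0dst", "subnet-0src", "subnet-0dst", "eni-0src",
        "eni-0dst", "use1-az1", "use1-az2", "tgw-attach-0bbb", src, "10.1.2.45",
        "51234", "443", "6", "10", str(nbytes), "1700000000",
        "1700000060", "OK", "IPv4", str(no_route), str(blackhole), "0",
        "0", "2", "us-east-1", "ingress", "-", "-",
    ])


TGW_SAMPLE = [_tgw_line("10.0.1.23", 4000, 0, 3), _tgw_line("10.0.1.24", 1500, 5, 0)]

if __name__ == "__main__":
    print(metric_filter_pattern(NAT_FIELDS))
    print(sum_metric(NAT_SAMPLE, NAT_FIELDS, dimension_field="dstaddr"))
    print(bytes_by_pair(NAT_SAMPLE, NAT_FIELDS))
    print(sum_metric(TGW_SAMPLE, TGW_FIELDS, dimension_field="account_id"))
    print(tgw_dropped_packets(TGW_SAMPLE))
```

Running it shows the 9-field record being rejected rather than silently shifting every later field by one, which is the failure mode to watch for when a flow log's format and its filter pattern drift apart.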