AWS VPC flow log insights (CloudWatch metric filters and Logs Insights queries)

Define a metric filter pattern for the flow log group in CloudWatch

  • Create filter pattern (space-delimited; the field order must match the configured flow log format)
    • filter pattern: [action, azid, bytes, dstaddr, dstport, instanceid, protocol, srcaddr, srcport, subnetid]
  • Metric namespace
    • Namespace: a name for the metric namespace
    • Metric name: bytes
    • Metric value: $bytes
    • Unit: Bytes
  • Dimensions:
    • Dimension name: dst-addr, Dimension value: $dstaddr

Find NAT gateway traffic (bytes per source/destination pair) with a Logs Insights query

# The parse pattern must match the configured flow log format field for field.
# This query assumes the 10-field custom format used by the metric filter above:
# ${action} ${az-id} ${bytes} ${dstaddr} ${dstport} ${instance-id} ${protocol} ${srcaddr} ${srcport} ${subnet-id}
# The default format, ${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} ${action} ${log-status},
# has 14 fields and would need 14 "*" placeholders instead of 10.
fields @timestamp
| parse @message "* * * * * * * * * *" as action, azid, bytes, dstaddr, dstport, instanceid, protocol, srcaddr, srcport, subnetid
| stats sum(bytes) as bytesTransferred by srcaddr, dstaddr
| sort bytesTransferred desc

VPC transit gateway flow logs

  • Create filter pattern (the 36 transit gateway flow log fields, in order): [version, resource_type, account_id, tgw_id, tgw_attachment_id, tgw_src_vpc_account_id, tgw_dst_vpc_account_id, tgw_src_vpc_id, tgw_dst_vpc_id, tgw_src_subnet_id, tgw_dst_subnet_id, tgw_src_eni, tgw_dst_eni, tgw_src_az_id, tgw_dst_az_id, tgw_pair_attachment_id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, log_status, type, packets_lost_no_route, packets_lost_blackhole, packets_lost_mtu_exceeded, packets_lost_ttl_expired, tcp_flags, region, flow_direction, pkt_src_aws_service, pkt_dst_aws_service]
  • Metric namespace
    • Namespace: a name for the metric namespace
    • Metric name: bytes
    • Metric value: $bytes
    • Unit: Bytes
  • Dimensions:
    • Dimension name: account_id, Dimension value: $account_id

Query transit gateway flow logs (largest flows by bytes) with Logs Insights

# 36 "*" placeholders, one per transit gateway flow log field, in format order.
fields @timestamp
| parse @message "* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *" as version, resource_type, account_id, tgw_id, tgw_attachment_id, tgw_src_vpc_account_id, tgw_dst_vpc_account_id, tgw_src_vpc_id, tgw_dst_vpc_id, tgw_src_subnet_id, tgw_dst_subnet_id, tgw_src_eni, tgw_dst_eni, tgw_src_az_id, tgw_dst_az_id, tgw_pair_attachment_id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, log_status, type, packets_lost_no_route, packets_lost_blackhole, packets_lost_mtu_exceeded, packets_lost_ttl_expired, tcp_flags, region, flow_direction, pkt_src_aws_service, pkt_dst_aws_service
| sort bytes desc
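Added example (not part of these notes or of any AWS tooling): an offline parser for both record layouts used above, the 10-field custom ENI format of the NAT gateway query and the 36-field transit gateway format, reproducing the sum(bytes) by srcaddr, dstaddr aggregation and showing what the "*" parse pattern does when a record's field count does not match. Sample records and IDs are constructed, not real captures.

```python
from collections import Counter

# Field names, in order, of the 10-field custom ENI format assumed by the
# metric filter and the NAT gateway parse query above.
ENI_FIELDS = ["action", "azid", "bytes", "dstaddr", "dstport", "instanceid",
              "protocol", "srcaddr", "srcport", "subnetid"]

# The 36 fields of the transit gateway flow log format, in order.
TGW_FIELDS = [
    "version", "resource_type", "account_id", "tgw_id", "tgw_attachment_id",
    "tgw_src_vpc_account_id", "tgw_dst_vpc_account_id", "tgw_src_vpc_id",
    "tgw_dst_vpc_id", "tgw_src_subnet_id", "tgw_dst_subnet_id", "tgw_src_eni",
    "tgw_dst_eni", "tgw_src_az_id", "tgw_dst_az_id", "tgw_pair_attachment_id",
    "srcaddr", "dstaddr", "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "log_status", "type", "packets_lost_no_route",
    "packets_lost_blackhole", "packets_lost_mtu_exceeded",
    "packets_lost_ttl_expired", "tcp_flags", "region", "flow_direction",
    "pkt_src_aws_service", "pkt_dst_aws_service",
]

def parse_record(line, fields):
    """Split one space-delimited record into a dict. Like the '*' parse
    pattern, a record whose token count differs from the configured format
    does not match at all, so None is returned instead of partial fields."""
    tokens = line.split()
    if len(tokens) != len(fields):
        return None
    return dict(zip(fields, tokens))

def bytes_by_pair(lines, fields=ENI_FIELDS):
    """Offline equivalent of: stats sum(bytes) as bytesTransferred by
    srcaddr, dstaddr | sort bytesTransferred desc. Unmatched lines are skipped."""
    totals = Counter()
    for rec in (parse_record(line, fields) for line in lines):
        if rec is not None:
            totals[(rec["srcaddr"], rec["dstaddr"])] += int(rec["bytes"])
    return totals.most_common()

# Constructed sample records (not real captures) in the 10-field ENI order:
# action azid bytes dstaddr dstport instanceid protocol srcaddr srcport subnetid
ENI_SAMPLE = [
    "ACCEPT use1-az1 1500 10.0.1.5 443 i-0abc 6 10.0.0.10 51234 subnet-0a",
    "ACCEPT use1-az1 4200 10.0.1.5 443 i-0abc 6 10.0.0.10 51235 subnet-0a",
    "REJECT use1-az2 60 10.0.2.9 22 i-0def 6 10.0.0.11 40000 subnet-0b",
    # A default-format (14-field) record: silently dropped by a 10-field pattern.
    "2 123456789012 eni-0a 10.0.0.10 10.0.1.5 51234 443 6 10 1500 0 60 ACCEPT OK",
]
```

Running bytes_by_pair(ENI_SAMPLE) ranks the 10.0.0.10 to 10.0.1.5 pair first with 5700 bytes and drops the 14-field record, which is the same silent loss a mismatched parse pattern causes in Logs Insights.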