AWS VPC Flow Logs (10201 / 20201)

Description

This module reports Amazon VPC Flow Logs ingested from Kinesis or CloudWatch, translating each record one-to-one into syslog or JSON format and enriching it with AWS data (instance, VPC and region details) that VPC Flow Logs do not carry natively.

Parameters

| Parameter Name | Description | Comments |
|---|---|---|
| EC2 Instances | EC2 instances with IPs and VPC names | Provided by EDF agent |
| VPC IPv4 Routes | AWS VPC IPv4 routes | Provided by EDF agent |
| VPC IPv6 Routes | AWS VPC IPv6 routes | Provided by EDF agent |
| AWS IPv4 Ranges | IPv4 ranges, AWS name, Region | Provided by EDF agent |
| AWS IPv6 Ranges | IPv6 ranges, AWS name, Region | Provided by EDF agent |

Input

Amazon VPC Flow Logs ingested from CloudWatch, a Kinesis stream, or S3.

Syslog/JSON Message Fields

Keys shown in square brackets are optional and appear only when the corresponding data is available.

| Key | Field Description | Comments |
|---|---|---|
| nfc_id | Message type identifier | "nfc_id=20201" |
| exp_ip | NetFlow exporter IPv4 address | <IPv4 address> (added for compatibility with other flows) |
| [vpc_id] | VPC identifier | <string> |
| [vpc_name] | VPC name | <string> |
| interface_id | Interface ID | <string> |
| account_id | Account ID | <string> |
| protocol | Transport protocol (TCP = 6, UDP = 17) | <number> |
| src_ip | Source EC2 instance IPv4 address | <IPv4 address> |
| [src_ip6] | Source EC2 instance IPv6 address | <IPv6 address> |
| [src_host] | Source host name | <string>, included when FQDN is on |
| [src_ip_pub] | Source EC2 instance public IPv4 address | <IPv4 address> |
| [src_inst_id] | Source EC2 instance id | <string>, e.g. i-390d7032 or i-0c0a6ac75d9d87b7e |
| [src_inst_name] | Source EC2 instance name | <string> |
| src_region | AWS source Availability Zone (Region) | <string> |
| src_port | Source EC2 instance port number | <number> |
| dest_ip | Destination EC2 instance IPv4 address | <IPv4 address> |
| [dest_ip6] | Destination EC2 instance IPv6 address | <IPv6 address> |
| [dest_host] | Destination host name | <string>, included when FQDN is on |
| [dest_ip_pub] | Destination EC2 instance public IPv4 address | <IPv4 address> |
| [dest_inst_id] | Destination EC2 instance id | <string> |
| [dest_inst_name] | Destination EC2 instance name | <string> |
| dest_port | Destination EC2 instance port number | <number> |
| tcp_flag | TCP flags | <string>, e.g. "SYN,ACK,FIN" |
| packets_in | Packets in the flow | <number> |
| bytes_in | Total number of Layer 3 bytes in the packets received in the flow | <number> |
| vpcflow_action | VPC Flow action | <string>, "ACCEPTED" / "REJECTED" |
| vpcflow_type | VPC Flow type | <string> |
| subnet_id | Subnet ID | <string> |
| flow_start_time | Start time of the flow | <time> |
| flow_end_time | End time of the flow | <time> |
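Worked example, added here and not the module's own code: a small Python script that takes raw AWS VPC Flow Log records in the default space-separated format, enriches them from a constructed table standing in for the "EC2 Instances" parameter, emits the keys listed above, and parses the resulting messages back to count REJECTED flows per source and destination port. The space-separated key=value syslog layout, the exporter address 10.0.0.1, the ISO-8601 rendering of the time fields and the ACCEPT to ACCEPTED mapping are assumptions; all addresses, instance ids, names and records are constructed sample data. Keys the default log format cannot supply (tcp_flag, src_region, subnet_id, vpcflow_type, public IPs and host names) are left out.

```python
"""Enrich raw AWS VPC Flow Log records into the nfc_id=20201 key=value layout
and parse those messages back (added example; not the module's own code)."""
from datetime import datetime, timezone

# Constructed sample input: raw VPC Flow Log records in the default
# version-2 format (account, ENI, addresses and counters are made up).
RAW_FLOW_RECORDS = [
    "2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.25 10.0.2.40 45210 443 6 12 3400 "
    "1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.2.40 51000 22 6 3 180 "
    "1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.2.40 51001 22 6 3 180 "
    "1700000010 1700000070 REJECT OK",
]

# Constructed stand-in for the "EC2 Instances" parameter (in the real module
# this table is provided by the EDF agent). Keyed by private IPv4 address.
EC2_INSTANCES = {
    "10.0.1.25": {"inst_id": "i-0c0a6ac75d9d87b7e", "inst_name": "web-1",
                  "vpc_id": "vpc-0abc1234", "vpc_name": "prod-vpc"},
    "10.0.2.40": {"inst_id": "i-390d7032", "inst_name": "bastion",
                  "vpc_id": "vpc-0abc1234", "vpc_name": "prod-vpc"},
}

RAW_FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
              "srcport", "dstport", "protocol", "packets", "bytes",
              "start", "end", "action", "log_status")
EXPORTER_IP = "10.0.0.1"  # assumed exp_ip value; the page only says it is an IPv4 address


def parse_raw_record(line):
    """Split one default-format VPC Flow Log line into named fields."""
    parts = line.split()
    if len(parts) != len(RAW_FIELDS):
        raise ValueError(f"expected {len(RAW_FIELDS)} fields, got {len(parts)}")
    return dict(zip(RAW_FIELDS, parts))


def epoch_to_iso(value):
    """Raw records carry Unix epoch seconds; render them as UTC ISO-8601 (assumed format)."""
    return datetime.fromtimestamp(int(value), tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def enrich(raw, instances=EC2_INSTANCES, exporter_ip=EXPORTER_IP):
    """Map a raw record onto the message keys from the field table and add
    instance/VPC data looked up in the EC2 Instances table."""
    msg = {
        "nfc_id": "20201",
        "exp_ip": exporter_ip,
        "interface_id": raw["interface_id"],
        "account_id": raw["account_id"],
        "protocol": raw["protocol"],
        "src_ip": raw["srcaddr"],
        "src_port": raw["srcport"],
        "dest_ip": raw["dstaddr"],
        "dest_port": raw["dstport"],
        "packets_in": raw["packets"],
        "bytes_in": raw["bytes"],
        # AWS logs ACCEPT/REJECT; the module reports ACCEPTED/REJECTED.
        "vpcflow_action": "ACCEPTED" if raw["action"] == "ACCEPT" else "REJECTED",
        "flow_start_time": epoch_to_iso(raw["start"]),
        "flow_end_time": epoch_to_iso(raw["end"]),
    }
    # Bracketed (optional) keys are emitted only when the lookup succeeds,
    # so a flow from an address outside the account gets no src_inst_* keys.
    for side, addr in (("src", raw["srcaddr"]), ("dest", raw["dstaddr"])):
        inst = instances.get(addr)
        if inst:
            msg[f"{side}_inst_id"] = inst["inst_id"]
            msg[f"{side}_inst_name"] = inst["inst_name"]
            msg.setdefault("vpc_id", inst["vpc_id"])
            msg.setdefault("vpc_name", inst["vpc_name"])
    return msg


def to_syslog(msg):
    """Assumed syslog layout: space-separated key=value pairs (values without spaces)."""
    return " ".join(f"{k}={v}" for k, v in msg.items())


def parse_syslog(line):
    """Inverse of to_syslog; rejects lines that are not nfc_id=20201 messages."""
    fields = dict(pair.split("=", 1) for pair in line.split())
    if fields.get("nfc_id") != "20201":
        raise ValueError("not a VPC Flow Logs syslog message")
    return fields


def rejected_flows_by_source(lines):
    """Count REJECTED flows per (src_ip, dest_port): a simple view of what
    security groups or NACLs are dropping, and from where."""
    counts = {}
    for line in lines:
        f = parse_syslog(line)
        if f["vpcflow_action"] == "REJECTED":
            key = (f["src_ip"], f["dest_port"])
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    syslog_lines = [to_syslog(enrich(parse_raw_record(r))) for r in RAW_FLOW_RECORDS]
    for line in syslog_lines:
        print(line)
    print(rejected_flows_by_source(syslog_lines))
```

Running the script prints three enriched messages; the two REJECT records from 198.51.100.7 carry dest_inst_id/dest_inst_name for the bastion but no src_inst_* keys, because that address is not in the instance table, which is exactly the optional-key behaviour the brackets in the field table denote.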