Version: Next

AWS VPC Flow Logs (10201 / 20201)

Description

This Module reports Amazon VPC Flow Logs ingested from Kinesis or CloudWatch, translating them one-to-one into syslog or JSON format and enriching them with AWS data that VPC Flow Logs do not report natively.

Parameters

| Parameter Name | Description | Comments |
|---|---|---|
| EC2 Instances | EC2 instances with IPs and VPC names | Provided by EDF agent |
| VPC IPv4 Routes | AWS VPC IPv4 routes | Provided by EDF agent |
| VPC IPv6 Routes | AWS VPC IPv6 routes | Provided by EDF agent |
| AWS IPv4 Ranges | IPv4 ranges, AWS name, Region | Provided by EDF agent |
| AWS IPv6 Ranges | IPv6 ranges, AWS name, Region | Provided by EDF agent |

Input

Amazon AWS Flow Logs ingested from CloudWatch, a Kinesis stream, or S3.

Syslog/JSON Message Fields

| Key | Field Description | Comments |
|---|---|---|
| nfc_id | Message type identifier | "nfc_id=20201" |
| exp_ip | NetFlow exporter IPv4 address | <IPv4 address> (added for compatibility with other flows) |
| [vpc_id] | VPC identifier | <string> |
| [vpc_name] | VPC name | <string> |
| interface_id | Interface ID | <string> |
| account_id | Account ID | <string> |
| protocol | Transport Protocol (TCP = 6, UDP = 17) | <number> |
| src_ip | Source EC2 instance IPv4 address | <IPv4 address> |
| [src_ip6] | Source EC2 instance IPv6 address | <IPv6 address> |
| [src_host] | Source host name | <string>, included when FQDN is on |
| [src_ip_pub] | Source EC2 instance public IPv4 address | <IPv4 address> |
| [src_inst_id] | Source EC2 instance id | <string>, e.g. i-390d7032 or i-0c0a6ac75d9d87b7e |
| [src_inst_name] | Source EC2 instance name | <string> |
| src_region | AWS Source Availability Zone (Region) | <string> |
| src_port | Source EC2 instance port number | <number> |
| dest_ip | Destination EC2 instance IPv4 address | <IPv4 address> |
| [dest_ip6] | Destination EC2 instance IPv6 address | <IPv6 address> |
| [dest_host] | Destination host name | <string>, included when FQDN is on |
| [dest_ip_pub] | Destination EC2 instance public IPv4 address | <IPv4 address> |
| [dest_inst_id] | Destination EC2 instance id | <string> |
| [dest_inst_name] | Destination EC2 instance name | <string> |
| dest_port | Destination EC2 instance port number | <number> |
| tcp_flag | TCP Flags | <string>, e.g. "SYN,ACK,FIN" |
| packets_in | Packets in the flow | <number> |
| bytes_in | Total number of Layer 3 bytes in the packets of the flow received | <number> |
| vpcflow_action | VPC Flow Action | <string>, "ACCEPTED" / "REJECTED" |
| vpcflow_type | VPC Flow Type | <string> |
| subnet_id | Subnet ID | <string> |
| flow_start_time | Start time of the flow | <time> |
| flow_end_time | End of the flow | <time> |
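
One way to use the JSON output for detection, as an added example that is not part of the product documentation: it groups REJECTED flows by source and reports sources that were refused on several distinct destination ports. It assumes one JSON object per line keyed by the field names in the table above, that bracketed keys may be absent, and that numeric fields may arrive as numbers or strings; `rejected_fanout`, `min_ports` and the sample records are constructed for illustration.

```python
import json
from collections import defaultdict

def rejected_fanout(lines, min_ports=3):
    """Summarise sources whose REJECTED flows hit >= min_ports distinct dest ports."""
    seen = defaultdict(lambda: {"ports": set(), "dests": set(), "bytes_in": 0, "inst": None})
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # not a JSON record (e.g. a syslog-formatted line)
        if not isinstance(rec, dict) or str(rec.get("nfc_id")) != "20201":
            continue  # some other message type
        if rec.get("vpcflow_action") != "REJECTED":
            continue
        src = rec.get("src_ip") or rec.get("src_ip6")
        dest = rec.get("dest_ip") or rec.get("dest_ip6")
        try:
            port, nbytes = int(rec["dest_port"]), int(rec.get("bytes_in", 0))
        except (KeyError, TypeError, ValueError):
            continue  # record without a usable port or byte count
        if not src:
            continue
        s = seen[src]
        s["ports"].add(port)
        s["dests"].add(dest)
        s["bytes_in"] += nbytes
        s["inst"] = rec.get("src_inst_id") or s["inst"]  # assumed optional field
    return {
        src: {"src_inst_id": s["inst"], "dest_ports": sorted(s["ports"]),
              "dests": len(s["dests"]), "bytes_in": s["bytes_in"]}
        for src, s in seen.items() if len(s["ports"]) >= min_ports
    }

def _rec(src, port, action, **extra):
    # Constructed sample record, not captured traffic.
    return json.dumps({"nfc_id": 20201, "src_ip": src, "dest_ip": "10.0.2.8",
                       "dest_port": port, "protocol": 6, "bytes_in": 40,
                       "vpcflow_action": action, **extra})

SAMPLE = [
    _rec("10.0.1.15", 22, "REJECTED", src_inst_id="i-390d7032"),
    _rec("10.0.1.15", 3389, "REJECTED"), _rec("10.0.1.15", 445, "REJECTED"),
    _rec("10.0.1.15", 22, "REJECTED"), _rec("10.0.1.15", 80, "ACCEPTED"),
    _rec("10.0.1.20", 443, "REJECTED"),
    _rec("10.0.1.15", 5432, "REJECTED", nfc_id=99999),  # constructed non-matching id
    "<14>constructed line that is not JSON",
]

if __name__ == "__main__":
    for src, info in rejected_fanout(SAMPLE).items():
        print(src, info)
```

The `min_ports` threshold is a tuning knob: raise it for subnets where security groups routinely reject benign traffic.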