AWS VPC Flow Logs (10201 / 20201)
Description
This module reports Amazon VPC Flow Logs ingested from Kinesis or CloudWatch, translating each record one-to-one into a syslog or JSON message and enriching it with AWS data that VPC Flow Logs do not report natively.
Parameters
| Parameter Name | Description | Comments |
|---|---|---|
| EC2 Instances | EC2 instances with IPs and VPC names | Provided by EDF agent |
| VPC IPv4 Routes | AWS VPC IPv4 routes | Provided by EDF agent |
| VPC IPv6 Routes | AWS VPC IPv6 routes | Provided by EDF agent |
| AWS IPv4 Ranges | IPv4 ranges, AWS name, Region | Provided by EDF agent |
| AWS IPv6 Ranges | IPv6 ranges, AWS name, Region | Provided by EDF agent |
Input
Amazon VPC Flow Logs ingested from CloudWatch, a Kinesis stream, or S3.
Syslog/JSON Message Fields
| Key | Field Description | Comments |
|---|---|---|
| nfc_id | Message type identifier | “nfc_id=20201” |
| exp_ip | NetFlow exporter IPv4 address | <IPv4 address> (added for compatibility with other flows) |
| [vpc_id] | VPC identifier | <string> |
| [vpc_name] | VPC name | <string> |
| interface_id | Interface ID | <string> |
| account_id | Account ID | <string> |
| protocol | Transport protocol (TCP = 6, UDP = 17) | <number> |
| src_ip | Source EC2 instance IPv4 address | <IPv4 address> |
| [src_ip6] | Source EC2 instance IPv6 address | <IPv6 address> |
| [src_host] | Source host name | <string>, included when FQDN is on |
| [src_ip_pub] | Source EC2 instance public IPv4 address | <IPv4 address> |
| [src_inst_id] | Source EC2 instance id | <string>, e.g. i-390d7032 or i-0c0a6ac75d9d87b7e |
| [src_inst_name] | Source EC2 instance name | <string> |
| src_region | AWS source Availability Zone (Region) | <string> |
| src_port | Source EC2 instance port number | <number> |
| dest_ip | Destination EC2 instance IPv4 address | <IPv4 address> |
| [dest_ip6] | Destination EC2 instance IPv6 address | <IPv6 address> |
| [dest_host] | Destination host name | <string>, included when FQDN is on |
| [dest_ip_pub] | Destination EC2 instance public IPv4 address | <IPv4 address> |
| [dest_inst_id] | Destination EC2 instance id | <string> |
| [dest_inst_name] | Destination EC2 instance name | <string> |
| dest_port | Destination EC2 instance port number | <number> |
| tcp_flag | TCP Flags | <string>, e.g. “SYN,ACK,FIN” |
| packets_in | Packets in the flow | <number> |
| bytes_in | Total number of Layer 3 bytes in the packets received in the flow | <number> |
| vpcflow_action | VPC Flow Action | <string>, “ACCEPTED” / “REJECTED” |
| vpcflow_type | VPC Flow Type | <string> |
| subnet_id | Subnet ID | <string> |
| flow_start_time | Start time of the flow | <time> |
| flow_end_time | End of the flow | <time> |
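As an added example (not part of the module's own code), the following Python parses the 20201 message in its syslog form and groups REJECTED flows by source address and destination port, which is the usual first cut when hunting for port scans or blocked lateral movement in VPC traffic. The key=value layout of the syslog line and the sample values are assumptions; the key names follow the field table above, and optional fields (the bracketed ones) are handled as absent when not present.

```python
"""Parse the 20201 VPC Flow Log syslog message and summarise rejected flows."""
import re
from collections import Counter

# Constructed sample messages. The key=value layout is an assumption; the
# key names are the ones documented in the field table.
SAMPLE_MESSAGES = [
    'nfc_id=20201 exp_ip=10.0.0.1 vpc_id=vpc-0abc vpc_name="prod vpc" interface_id=eni-1 '
    'account_id=123456789012 protocol=6 src_ip=10.0.1.5 src_port=44321 dest_ip=10.0.2.9 '
    'dest_port=22 tcp_flag=SYN packets_in=3 bytes_in=180 vpcflow_action=REJECTED '
    'vpcflow_type=IPv4 subnet_id=subnet-1 flow_start_time=1700000000 flow_end_time=1700000060',
    'nfc_id=20201 exp_ip=10.0.0.1 vpc_id=vpc-0abc interface_id=eni-1 account_id=123456789012 '
    'protocol=6 src_ip=10.0.1.5 src_port=44322 dest_ip=10.0.2.10 dest_port=22 tcp_flag=SYN '
    'packets_in=2 bytes_in=120 vpcflow_action=REJECTED vpcflow_type=IPv4 subnet_id=subnet-1 '
    'flow_start_time=1700000000 flow_end_time=1700000060',
    'nfc_id=20201 exp_ip=10.0.0.1 vpc_id=vpc-0abc interface_id=eni-2 account_id=123456789012 '
    'protocol=17 src_ip=10.0.1.7 src_host=app1.internal src_port=5353 dest_ip=10.0.2.9 '
    'dest_port=53 packets_in=1 bytes_in=76 vpcflow_action=ACCEPTED vpcflow_type=IPv4 '
    'subnet_id=subnet-1 flow_start_time=1700000000 flow_end_time=1700000060',
]

# Fields the table documents as <number>; everything else stays a string.
INT_KEYS = {"nfc_id", "protocol", "src_port", "dest_port", "packets_in", "bytes_in"}
PROTO_NAMES = {6: "TCP", 17: "UDP"}

# key=value tokens; a value may be double-quoted when it contains spaces (e.g. vpc_name).
TOKEN_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_message(line):
    """Return the message as a dict, with numeric fields converted and the protocol named."""
    fields = {}
    for key, raw in TOKEN_RE.findall(line):
        value = raw[1:-1] if raw.startswith('"') else raw
        fields[key] = int(value) if key in INT_KEYS else value
    if fields.get("nfc_id") != 20201:
        raise ValueError("not a 20201 VPC Flow Log message")
    proto = fields.get("protocol")
    fields["protocol_name"] = PROTO_NAMES.get(proto, str(proto))
    return fields


def rejected_by_source(lines, min_count=2):
    """Count REJECTED flows per (source address, destination port); report pairs at or above min_count."""
    counts = Counter()
    for line in lines:
        f = parse_message(line)
        if f.get("vpcflow_action") != "REJECTED":
            continue
        source = f.get("src_ip") or f.get("src_ip6")  # src_ip6 is optional, used for IPv6 flows
        counts[(source, f["dest_port"])] += 1
    return {pair: n for pair, n in counts.items() if n >= min_count}
```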