CloudWatch (VPC Flow Logs)

Amazon Web Services (AWS) CloudWatch is a monitoring and observability service for use with AWS services. CloudWatch collects monitoring and operational data in the form of logs, metrics, and events. CloudWatch can be used to detect anomalous behavior, set alarms, visualize logs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep applications running smoothly.

AWS VPC Flow Logs is a feature to capture information about the IP traffic going to and from network interfaces in a VPC.

App Function

This app parses AWS VPC Flow logs received via AWS CloudWatch and creates user tags corresponding to many of the data elements present in each log message.

Vendor Documentation

Incoming Log Format

VPC Flow Logs are received from Amazon CloudWatch by means of a CloudWatch web hook. CloudWatch conveys the log messages to LogZilla by sending them to LogZilla's HTTP port as JSON messages. LogZilla then parses the CloudWatch log format and extracts the specific flow log information.

The flow log information is a fixed-order sequence of space-separated data elements. There are no field keys or names, the meaning must be derived from the data ordering.

Parsed Metadata Fields

The data elements (fields) within each log message may vary depending on the type of event being logged. Some of the fields parsed from the VPC Flow log messages are as follows:

Field Name	Tagged?
`account-id`	☑
`action`	☑
`az-id`	☑
`bytes`
`dstaddr`	☑
`dstport`	☑
`end`
`flow-direction`	☑
`instance-id`	☑
`interface-id`	☑
`log-status`	☑
`packets`
`pkt-dstaddr`
`pkt-dst-aws-service`
`pkt-srcaddr`
`pkt-src-aws-service`
`protocol`	☑
`region`	☑
`srcaddr`	☑
`srcport`	☑
`start`
`sublocation-id`
`sublocation-type`
`subnet-id`
`tcp-flags`	☑
`traffic-path`	☑
`type`	☑
`version`	☑
`vpc-id`	☑

Log Examples

Incoming SSH Connection Accepted (format 1)

2 123456789010 eni-1235b8ca123456789 172.31.16.139 172.31.16.21
20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK

Incoming SSH Connection Accepted (format 2)

123456789010 ACCEPT apse2-az3 4249 172.31.16.21 22 1418530070
ingress eni-1235b8ca123456789 eni-0c0d52089ed3b20ba OK 20 -
4.3.2.1 - 1.2.3.4 6 us-east-1 172.31.16.139 20641 1418530010 - -
subnet-vf0-88683c 18 8 IPv4 5 vpc-12345