Hi there,
VPC Flow Logs enable you to capture information about IP traffic going to and from network interfaces in your VPC [1]. I would however like to highlight that flow logs do not capture real-time log streams for your network interfaces, as the log entries are aggregated based on the aggregation interval you select [2].
With this said, kindly refer to the answers below:
Q1: “How do you determine the event order? Did 10.10.10.10 communicate outbound to 99.99.99.99 first? Did 99.99.99.99 communicate inbound to 10.10.10.10 first?”
A1: As mentioned, flow logs do not capture real-time log streams for your network interfaces and as a result, you therefore cannot determine the order of events programmatically. This has to be done during manual review of the flow logs.
Consider the following example scenario: 10 packets were transferred between A and B in a forward direction and 20 packets in the reverse direction, within 1 minute. Depending on the selected aggregation interval, the packets would be aggregated and shown in 2 flows only. As the logs are not packet level, you cannot see the order of flows.
Further, it is also possible that the 20 packets don’t fall within an interval and they could be split in 2 flows with different numbers of bytes and packets. This means that you can see the above communication in 2, 3 or even 4 flows, if the forward transfer is also split.
With this said, we usually determine the order of flows based on the destination port. Alternatively, you are also able to enrich the logs by adding additional custom fields such as ‘flow-direction’, ‘tcp-flags’, ‘traffic-path’, ‘pkt-srcaddr’ and ‘pkt-dstaddr’, that help determine the flow context [3].
Q2: “Is there an offset field used to determine this order?”
A2: There is no offset field used to determine the flow log order.
For more information on the above, kindly refer to the referenced links below.
References:
[1] Logging IP traffic using VPC Flow Logs - https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html
[2] Logging IP traffic using VPC Flow Logs - Aggregation interval - https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html#flow-logs-aggregration-interval
[3] Logging IP traffic using VPC Flow Logs - Available fields - https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html#flow-logs-fields
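The two heuristics from the answer above (tcp-flags first, destination port as the fallback), as an added example that is not part of the original post or of any AWS tooling. It assumes a constructed custom log format whose field order is given in `FIELDS`, and constructed sample records; the flag bit values SYN=2 and ACK=16 follow the tcp-flags field definition.

```python
"""Infer which side of a VPC flow-log conversation initiated it.

Records are aggregated per interval, so their order is not packet order. Two
signals help instead: the tcp-flags bitmask (SYN=2, ACK=16, SYN-ACK=18 as the
field is defined) and, as a fallback, the destination port (the side receiving
traffic on the well-known service port is treated as the server).
"""
from collections import defaultdict, namedtuple

# Constructed custom log format; this field order is an assumption for the example.
FIELDS = ("srcaddr dstaddr srcport dstport protocol packets bytes "
          "start end action flow-direction tcp-flags").split()
Record = namedtuple("Record", [f.replace("-", "_") for f in FIELDS])
SYN, ACK = 2, 16  # bit values used by the tcp-flags field


def parse(lines):
    """Parse space-separated records; malformed lines are skipped."""
    return [Record(*p) for p in (ln.split() for ln in lines) if len(p) == len(FIELDS)]


def conversations(recs):
    """Group the records of both directions under one endpoint-pair key."""
    groups = defaultdict(list)
    for r in recs:
        key = frozenset([(r.srcaddr, r.srcport), (r.dstaddr, r.dstport)])
        groups[key].append(r)
    return groups


def initiator(recs):
    """Return (client_ip, server_ip, evidence) for the records of one conversation."""
    for r in recs:
        flags = 0 if r.tcp_flags == "-" else int(r.tcp_flags)
        if flags & SYN and not flags & ACK:  # SYN-ACK (18) carries ACK; a plain SYN does not
            return r.srcaddr, r.dstaddr, f"tcp-flags: SYN without ACK on {r.flow_direction} record"
    r = min(recs, key=lambda x: int(x.dstport))  # the well-known port belongs to the server
    return r.srcaddr, r.dstaddr, "destination-port heuristic"


def analyze(lines):
    return [initiator(recs) for recs in conversations(parse(lines)).values()]


# Constructed sample: two conversations, each split into two aggregated records.
SAMPLE = [
    "10.10.10.10 99.99.99.99 49152 443 6 10 1200 1700000000 1700000060 ACCEPT egress 3",
    "99.99.99.99 10.10.10.10 443 49152 6 20 24000 1700000000 1700000060 ACCEPT ingress 19",
    "10.10.10.10 99.99.99.99 49153 443 6 8 900 1700000060 1700000120 ACCEPT egress -",
    "99.99.99.99 10.10.10.10 443 49153 6 9 5000 1700000060 1700000120 ACCEPT ingress -",
]

if __name__ == "__main__":
    for client, server, why in analyze(SAMPLE):
        print(f"{client} -> {server} ({why})")
```

Note that tcp-flags are OR-ed over the aggregation interval, so the flag test works on aggregated records; the port heuristic is only a guess when flags are unavailable.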