Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

How do I use Transit Gateway Flow Logs to identify top talkers on a transit gateway attachment?

3 minute read
0

I want to identify top talkers on a transit gateway attachment, but I don’t know how to check this in my Transit Gateway Flow Logs.

Resolution

Prerequisite: Confirm that you've created transit gateway flow logs.

To identify IP address traffic and find the most active sources and destinations on your transit gateway attachment, complete the following steps.

Identify high traffic periods with CloudWatch metrics

Before you analyze flow logs, check Amazon CloudWatch metrics to identify periods of high traffic.

Note: High traffic periods in CloudWatch metrics help identify when to analyze flow logs for top talkers.

Complete the following steps:

  1. Open the CloudWatch console.
  2. Select your transit gateway's AWS Region.
  3. In the navigation pane, choose Metrics.
  4. In the main window, choose TransitGateway.
  5. Choose Per-TransitGatewayAttachment metrics.
  6. In the search box, enter your transit gateway attachment ID to filter the metrics.
  7. Select BytesIn and BytesOut for your attachment.
  8. Choose the Graphed metrics tab.
  9. For each metric, set the statistic to Maximum and the period to 1 minute.
  10. At the top of the screen, choose the desired time range, such as by hour, or choose Custom to set an absolute value.

To monitor your relevant metrics in one view, create a customized CloudWatch dashboard.

Find your transit gateway attachment's log stream

To analyze traffic for only a specific attachment, instead of all transit gateway logs, complete the following steps:

  1. On the CloudWatch console, expand the Logs group in the navigation pane.
  2. Open Log Groups in a new browser tab.
  3. Select the transit gateway log group.
  4. In the search box, enter your transit gateway attachment ID.
  5. Open the log stream for that specific transit gateway attachment.

Run a query for top talkers

Complete the following steps:

  1. On the CloudWatch console, choose Logs Insights, and then open Logs Insights in a new tab.
  2. Select the transit gateway log group name where you want to run the query.
  3. In the query editor, delete the existing text, and then enter the following query: 
    fields @timestamp, interfaceId, srcAddr, dstAddr, bytes
| sort bytes desc
| limit 10000
| filter tgw-attach-TRANSIT-GATEWAY-ATTACHMENT-ID
    Note: Replace TRANSIT-GATEWAY-ATTACHMENT-ID with your transit gateway attachment ID.
  4. Choose the time range for your search.
    Note: To view specific time periods, adjust the time range on the CloudWatch Logs Insights query page.
  5. Choose Run query.

The query lists results per conversation and arranges bytes from highest to lowest.

To analyze large amounts of data, export your flow logs to Amazon Simple Storage Service (Amazon S3) and use Amazon Athena tables for complex queries.

Review query results

The query shows pairs of source and destination IP address with the highest byte count. To get a written overview of the results, choose Summarize results at the top of the results pane. Then, modify the query to filter by IP addresses, protocols, or other flow log fields.

Related information

AWS Transit Gateway Flow Logs

What is AWS Transit Gateway for Amazon VPC?

Using Amazon CloudWatch dashboards

Topics
Networking & Content Delivery
Tags
AWS Transit Gateway
Language
English
AWS OFFICIALUpdated a month ago
No comments

Relevant content