VPC Flow Logs - How to determine event order with duplicate timestamps?


How do you determine the event order in a VPC Flow log? I am consistently receiving two VPC Flow log entries where both the date timestamp and Unix time packet timestamps are the same. This occurs in both the CloudWatch console and the analytic tools we use. In the context of creating security detections for a SIEM, this order of events is important.

Here is an example of two events with matching timestamps:

2023-04-15T08:12:47.000Z 2 710750178041 eni-01947802984080808 10.10.10.10 99.99.99.99 60935 4100 6 2 80 1681546367 1681546374 ACCEPT OK eni-01947802984080808-all

2023-04-15T08:12:47.000Z 2 710750178041 eni-01947802984080808 99.99.99.99 10.10.10.10 4100 60935 6 2 80 1681546367 1681546374 ACCEPT OK eni-01947802984080808-all

Referring to the example:

  1. How do you determine the event order? Did 10.10.10.10 communicate outbound to 99.99.99.99 first? Did 99.99.99.99 communicate inbound to 10.10.10.10 first?
  2. Is there an offset field used to determine this order?
1 Answer

Hi there,

VPC Flow Logs enable you to capture information about IP traffic going to and from network interfaces in your VPC [1]. I would however like to highlight that flow logs do not capture real-time log streams for your network interfaces, as the log entries are aggregated based on the aggregation interval you select [2].

With this said, kindly refer to the answers below:

Q1: “How do you determine the event order? Did 10.10.10.10 communicate outbound to 99.99.99.99 first? Did 99.99.99.99 communicate inbound to 10.10.10.10. first?”

A1: As mentioned, flow logs do not capture real-time log streams for your network interfaces, and as a result you cannot determine the order of events programmatically. This has to be done during manual review of the flow logs.

Consider the following example scenario: 10 packets were transferred between A and B in a forward direction and 20 packets in the reverse direction, within 1 minute. Depending on the selected aggregation interval, the packets would be aggregated and shown in 2 flows only. As the logs are not packet level, you cannot see the order of flows.

Further, it is also possible that the 20 packets don't fall within one interval, in which case they could be split into 2 flows with different numbers of bytes and packets. This means that you can see the above communication in 2, 3 or even 4 flows, if the forward transfer is also split.

With this said, we usually determine the order of flows based on the destination port. Alternatively, you are also able to enrich the logs by adding additional custom fields such as 'flow-direction', 'tcp-flags', 'traffic-path', 'pkt-srcaddr' and 'pkt-dstaddr', which help determine the flow context [3].

Q2: “Is there an offset field used to determine this order?”

A2: There is no offset field used to determine the flow log order.

For more information on the above, kindly refer to the referenced links below.

References:

[1] Logging IP traffic using VPC Flow Logs - https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html

[2] Logging IP traffic using VPC Flow Logs - Aggregation interval - https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html#flow-logs-aggregration-interval

[3] Logging IP traffic using VPC Flow Logs - Available fields - https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html#flow-logs-fields

AWS
answered a year ago
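The pairing and ordering logic described in the answer, as an added example that is not part of the original question or answer. It parses the two default-format (version 2) records from the question, groups them into one conversation, shows that their start/end timestamps carry no ordering information, and falls back to the destination-port heuristic the answer mentions. It then parses two constructed records in an assumed custom format that appends 'tcp-flags', 'flow-direction' and 'traffic-path', and uses the documented tcp-flags bitmask (SYN = 2, ACK = 16, SYN-ACK = 18) to pick the initiator: the side whose record carries SYN without ACK. The custom field order and the custom record contents are assumptions for illustration; the account ID and ENI ID are reused from the question.

```python
"""Added example, not from the original post: pair the two VPC Flow Log records of
one TCP conversation and decide which side initiated it."""
from typing import Dict, List, Optional, Tuple

# Field order of the default (version 2) record format.
DEFAULT_V2_FIELDS = [
    "version", "account-id", "interface-id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log-status",
]
# Assumed custom format: the default fields plus three of the optional fields.
CUSTOM_FIELDS = DEFAULT_V2_FIELDS + ["tcp-flags", "flow-direction", "traffic-path"]

SYN, ACK = 2, 16  # bit values of the tcp-flags field

# The two records from the question. The CloudWatch console prefixes the
# ingestion time and suffixes the log stream name; neither is part of the record.
QUESTION_RECORDS = [
    "2023-04-15T08:12:47.000Z 2 710750178041 eni-01947802984080808 10.10.10.10 99.99.99.99 "
    "60935 4100 6 2 80 1681546367 1681546374 ACCEPT OK eni-01947802984080808-all",
    "2023-04-15T08:12:47.000Z 2 710750178041 eni-01947802984080808 99.99.99.99 10.10.10.10 "
    "4100 60935 6 2 80 1681546367 1681546374 ACCEPT OK eni-01947802984080808-all",
]

# Constructed records in the assumed custom format. Here the SYN (tcp-flags 2)
# comes from 99.99.99.99 towards port 60935, so the port heuristic would be wrong.
CUSTOM_RECORDS = [
    "2 710750178041 eni-01947802984080808 99.99.99.99 10.10.10.10 4100 60935 6 2 80 "
    "1681546367 1681546374 ACCEPT OK 2 ingress 1",
    "2 710750178041 eni-01947802984080808 10.10.10.10 99.99.99.99 60935 4100 6 2 80 "
    "1681546367 1681546374 ACCEPT OK 18 egress 1",
]


def parse_record(line: str, fields: List[str]) -> Dict[str, str]:
    """Split one space-separated record into a dict keyed by field name."""
    tokens = line.split()
    if tokens and "T" in tokens[0] and tokens[0].endswith("Z"):
        tokens = tokens[1:]  # drop the console's ISO ingestion timestamp
    if len(tokens) < len(fields):
        raise ValueError(f"expected {len(fields)} fields, got {len(tokens)}")
    return dict(zip(fields, tokens))  # zip drops trailing tokens such as the stream name


def conversation_key(rec: Dict[str, str]) -> Tuple:
    """Direction-independent key: protocol plus the two (addr, port) endpoints, sorted."""
    ends = sorted([(rec["srcaddr"], int(rec["srcport"])),
                   (rec["dstaddr"], int(rec["dstport"]))])
    return (rec["protocol"], ends[0], ends[1])


def group_conversations(records: List[Dict[str, str]]) -> Dict[Tuple, List[Dict[str, str]]]:
    groups: Dict[Tuple, List[Dict[str, str]]] = {}
    for rec in records:
        groups.setdefault(conversation_key(rec), []).append(rec)
    return groups


def timestamps_distinguish(records: List[Dict[str, str]]) -> bool:
    """True only if the records have different start/end windows. Both directions
    of one conversation normally share the aggregation window, so this is False."""
    return len({(r["start"], r["end"]) for r in records}) > 1


def infer_initiator(records: List[Dict[str, str]]) -> Tuple[Optional[str], str]:
    """Return (initiator address, basis). Basis is 'tcp-flags' when the SYN
    direction is visible, 'dstport-heuristic' as a weaker fallback, else 'undetermined'."""
    for rec in records:
        flags = rec.get("tcp-flags")
        if flags in (None, "-"):
            continue  # field absent, or not a TCP flow
        bits = int(flags)
        if bits & SYN and not bits & ACK:
            return rec["srcaddr"], "tcp-flags"  # bare SYN: this side opened it
        if bits & SYN and bits & ACK:
            return rec["dstaddr"], "tcp-flags"  # SYN-ACK: the other side opened it
    # start/end are window bounds shared by both directions, so they cannot order
    # the records; fall back to "the lower destination port is the service".
    for rec in records:
        if int(rec["dstport"]) < int(rec["srcport"]):
            return rec["srcaddr"], "dstport-heuristic"
    return None, "undetermined"


if __name__ == "__main__":
    for name, lines, fields in [("default", QUESTION_RECORDS, DEFAULT_V2_FIELDS),
                                ("custom", CUSTOM_RECORDS, CUSTOM_FIELDS)]:
        for key, recs in group_conversations([parse_record(l, fields) for l in lines]).items():
            print(name, key, "timestamps order:", timestamps_distinguish(recs),
                  "initiator:", infer_initiator(recs))
```

The basis string matters for a SIEM rule: a detection that keys on "who opened the connection" should only fire with the 'tcp-flags' basis, and treat 'dstport-heuristic' as a hint to be confirmed from another source.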
