Investigate network interface using Logs insights

Question

I have enabled flow-log for the network interface. I can see logs for a given network interface in S3, but it is difficult to collect all logs so I query them in logs insights using the query

```
fields @timestamp, interface-id, srcaddr, dstaddr, srcport, dstport, protocol
| filter interface-id = 'eni-123x123'
```
But I am getting null output. Why? Am I writing wrong query?
Note - I have also correctly adjusted the time-frame

Answer

Hello.

If you look at the document below, the query is performed using "interfaceId" instead of "interface-id".  
Will it work if I change "interface-id" to "interfaceId"?  
https://repost.aws/knowledge-center/vpc-flow-logs-and-cloudwatch-logs-insights  
```
fields @timestamp, @message
 | stats count(*) as records by dstPort, srcAddr, dstAddr as Destination
 | filter interfaceId="eni-05012345abcd"
 | filter dstPort="80" or dstPort="443" or dstPort="22" or dstPort="25"
 | sort HitCount desc
 | limit 10
```

Just to be sure, are the logs of the target ENI output to CloudWatch Logs?

Answer

From the top of my head I suggest the following:

- To see if something is wrong with your `filter` statement: comment it out or invert it and then try the query again. If you get results now, there's an issue with your `filter` statement.
    - comment out like for example:

```
        fields @timestamp, interface-id, srcaddr, dstaddr, srcport, dstport, protocol
        # | filter interface-id = 'eni-123x123'
        ```

- or invert like for example:

```
        fields @timestamp, interface-id, srcaddr, dstaddr, srcport, dstport, protocol
        | filter interface-id != 'eni-123x123'
        ```

- With Logs Insights I often forget that the ingestion of logs can take a few minutes. So if your time-frame is very close to "now" some data might be _yet_ missing (compare field `@timestamp` with field `@ingestionTime`).

Investigate network interface using Logs insights

Relevant content