Create a flow log that publishes to Amazon Data Firehose
You can create flow logs for your VPCs, subnets, or network interfaces.
Prerequisites
- Create the destination Amazon Data Firehose delivery stream. Use Direct Put as the source. For more information, see Creating an Amazon Data Firehose delivery stream.
- If you're publishing flow logs to a different account, create the required IAM roles, as described in IAM roles for cross account delivery.
To create a flow log that publishes to Amazon Data Firehose
- Do one of the following:
  - Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/. In the navigation pane, choose Network Interfaces. Select the checkbox for the network interface.
  - Open the Amazon VPC console at https://console.aws.amazon.com/vpc/. In the navigation pane, choose Your VPCs. Select the checkbox for the VPC.
  - Open the Amazon VPC console at https://console.aws.amazon.com/vpc/. In the navigation pane, choose Subnets. Select the checkbox for the subnet.
- Choose Actions, Create flow log.
- For Filter, specify the type of traffic to log.
  - Accept – Log only accepted traffic
  - Reject – Log only rejected traffic
  - All – Log accepted and rejected traffic
- For Maximum aggregation interval, choose the maximum period of time during which a flow is captured and aggregated into one flow log record.
- For Destination, choose either of the following options:
  - Send to Amazon Data Firehose in the same account – The delivery stream and the resource to monitor are in the same account.
  - Send to Amazon Data Firehose in a different account – The delivery stream and the resource to monitor are in different accounts.
- For Amazon Data Firehose stream name, choose the delivery stream that you created.
- [Cross account delivery only] For IAM roles, specify the required roles (see IAM roles for cross account delivery).
- For Log record format, specify the format for the flow log record.
  - To use the default flow log record format, choose AWS default format.
  - To create a custom format, choose Custom format. For Log format, choose the fields to include in the flow log record.
- For Additional metadata, choose whether to include metadata from Amazon ECS in the log format.
- (Optional) Choose Add tag to apply tags to the flow log.
- Choose Create flow log.
To create a flow log that publishes to Amazon Data Firehose using the command line
Use one of the following commands:
- create-flow-logs (AWS CLI)
- New-EC2FlowLog (AWS Tools for Windows PowerShell)
The following AWS CLI example creates a flow log that captures all traffic for the specified VPC and delivers the flow logs to the specified Amazon Data Firehose delivery stream in the same account.
aws ec2 create-flow-logs --traffic-type ALL \
    --resource-type VPC \
    --resource-ids vpc-00112233344556677 \
    --log-destination-type kinesis-data-firehose \
    --log-destination arn:aws:firehose:us-east-1:123456789012:deliverystream/flowlogs_stream
The following AWS CLI example creates a flow log that captures all traffic for the specified VPC and delivers the flow logs to the specified Amazon Data Firehose delivery stream in a different account.
aws ec2 create-flow-logs --traffic-type ALL \
    --resource-type VPC \
    --resource-ids vpc-00112233344556677 \
    --log-destination-type kinesis-data-firehose \
    --log-destination arn:aws:firehose:us-east-1:123456789012:deliverystream/flowlogs_stream \
    --deliver-logs-permission-arn arn:aws:iam::source-account:role/mySourceRole \
    --deliver-cross-account-role arn:aws:iam::destination-account:role/AWSLogDeliveryFirehoseCrossAccountRole
As a result of creating the flow log, you can get the flow log data from the destination that you configured for the delivery stream.
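As an added example (not part of the AWS documentation), the following Python script builds the same request as the two CLI commands above through the boto3 EC2 API (create_flow_logs) and checks the inputs before anything is submitted: the destination must be a Firehose delivery stream ARN, and cross-account delivery must supply both roles, with the cross-account role living in the account that owns the stream. The account IDs and role names are the placeholders from the page; the ARN regexes (which accept the aws, aws-cn and aws-us-gov partitions) and the validation_error helper are this example's own.

```python
import re

FIREHOSE_ARN_RE = re.compile(
    r"^arn:aws[\w-]*:firehose:[a-z0-9-]+:(\d{12}):deliverystream/[\w.-]+$")
ROLE_ARN_RE = re.compile(r"^arn:aws[\w-]*:iam::(\d{12}):role/[\w+=,.@/-]+$")

def build_flow_log_params(resource_ids, firehose_arn, resource_type="VPC",
                          traffic_type="ALL", max_aggregation_interval=600,
                          deliver_logs_permission_arn=None, cross_account_role_arn=None):
    """Return keyword arguments for ec2.create_flow_logs, or raise ValueError."""
    if traffic_type not in ("ACCEPT", "REJECT", "ALL"):
        raise ValueError("traffic_type must be ACCEPT, REJECT or ALL")
    if max_aggregation_interval not in (60, 600):
        raise ValueError("max_aggregation_interval must be 60 or 600 seconds")
    dest = FIREHOSE_ARN_RE.match(firehose_arn)
    if not dest:
        raise ValueError("log destination must be a Firehose delivery stream ARN")
    params = {
        "ResourceType": resource_type,
        "ResourceIds": list(resource_ids),
        "TrafficType": traffic_type,
        "LogDestinationType": "kinesis-data-firehose",
        "LogDestination": firehose_arn,
        "MaxAggregationInterval": max_aggregation_interval,
    }
    # Cross-account delivery needs both roles together; same-account needs neither.
    if (deliver_logs_permission_arn is None) != (cross_account_role_arn is None):
        raise ValueError("cross-account delivery needs both role ARNs")
    if cross_account_role_arn:
        src = ROLE_ARN_RE.match(deliver_logs_permission_arn)
        dst = ROLE_ARN_RE.match(cross_account_role_arn)
        # The cross-account role is assumed in the account that owns the stream.
        if not (src and dst) or dst.group(1) != dest.group(1):
            raise ValueError("role ARNs invalid or cross-account role not in stream account")
        params["DeliverLogsPermissionArn"] = deliver_logs_permission_arn
        params["DeliverCrossAccountRole"] = cross_account_role_arn
    return params

def validation_error(**kwargs):
    """Return the ValueError message for kwargs, or None if they validate."""
    try:
        build_flow_log_params(**kwargs)
    except ValueError as exc:
        return str(exc)
    return None

def create_flow_log(region, **kwargs):
    """Submit the validated request; needs boto3 and AWS credentials (not run here)."""
    import boto3  # imported lazily so validation runs without boto3 installed
    return boto3.client("ec2", region_name=region).create_flow_logs(
        **build_flow_log_params(**kwargs))
```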