You can search your flow log records that are published to CloudWatch Logs using the CloudWatch Logs console. You can use metric filters to filter flow log records. Flow log records are space delimited.
To search flow log records using the CloudWatch Logs console
Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/
. -
In the navigation pane, choose Logs, Log groups.
-
Select the log group that contains your flow log, and then select the log stream, if you know the network interface that you are searching for. Alternatively, choose Search log group. This might take some time if there are many network interfaces in your log group, or depending on the time range that you select.
-
Under Filter events, enter the string below. This assumes that the flow log record uses the default format.
[version, accountid, interfaceid, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, logstatus] -
Modify the filter as needed by specifying values for the fields. The following examples filter by specific source IP addresses.
[version, accountid, interfaceid, srcaddr = 10.0.0.1, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, logstatus] [version, accountid, interfaceid, srcaddr = 10.0.2.*, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, logstatus]The following examples filter by destination port, the number of bytes, and whether the traffic was rejected.
[version, accountid, interfaceid, srcaddr, dstaddr, srcport, dstport = 80 || dstport = 8080, protocol, packets, bytes, start, end, action, logstatus] [version, accountid, interfaceid, srcaddr, dstaddr, srcport, dstport = 80 || dstport = 8080, protocol, packets, bytes >= 400, start, end, action = REJECT, logstatus]
