How do I use CloudWatch Logs Insights to query my VPC flow logs?

I want to use Amazon CloudWatch Logs Insights queries to process my Amazon Virtual Private Cloud (Amazon VPC) flow logs that are in a log group.

Resolution

For an overview of the syntax that you use, see CloudWatch Logs Insights language query syntax.

Run example queries

Use the CloudWatch console to run a CloudWatch Logs Insights sample query. To run a query that you previously ran, choose History. To export your results, choose Export results, and then choose a format.

Scenario 1

You have a webserver, application server, and database server. You receive a timeout or HTTP 503 error, and you want to determine the cause of the error.

Run a query with the following example variables:

  • Set Action to REJECT so that the query returns only rejected connections.
  • Include only internal networks (10.0.0.0/8 and 192.168.0.0/16) in the query.
  • Match each server IP address as either the source (srcAddr, inbound) or the destination (dstAddr, outbound) of the flow.
  • Set the Limit to 5 so that the query shows only the first five entries.
  • The web server IP address is 10.0.0.4.
  • The app server IP address is 10.0.0.5.
  • The database server IP address is 10.0.0.6.

Example query:

filter (action="REJECT" and
    dstAddr like /^(10\.|192\.168\.)/ and
    srcAddr like /^(10\.|192\.168\.)/ and
    (srcAddr = "10.0.0.4" or dstAddr = "10.0.0.4" or srcAddr = "10.0.0.5" or dstAddr = "10.0.0.5" or srcAddr = "10.0.0.6" or dstAddr = "10.0.0.6"))
| stats count(*) as records by srcAddr, dstAddr, dstPort, protocol
| sort records desc
| limit 5

Scenario 2

You experience intermittent timeouts on an elastic network interface. To check for rejects on the network interface over a period of time, run the following query:

fields @timestamp, interfaceId, srcAddr, dstAddr, action
| filter (interfaceId = 'eni-05012345abcd' and action = 'REJECT')
| sort @timestamp desc
| limit 5

Scenario 3

To produce a report on a specific network interface, run the following query:

fields @timestamp, @message
 | filter interfaceId="eni-05012345abcd"
 | filter dstPort="80" or dstPort="443" or dstPort="22" or dstPort="25"
 | stats count(*) as records by dstPort, srcAddr, dstAddr as Destination
 | sort records desc
 | limit 10

The preceding query counts, for the selected network interface, how many flows were sent to each of the listed destination ports, broken down by source and destination address. The filter commands must come before stats: after stats, only the aggregated fields (dstPort, srcAddr, Destination, records) exist, so a later filter on interfaceId would match nothing, and the sort must use the alias defined by stats (records).

Scenario 4

To list the source and destination addresses of connection attempts from a specific address prefix (here 172.31.), run the following query. The filter comes before sort and limit so that the five newest matching records are returned, rather than the newest five records filtered afterwards:

fields @timestamp, srcAddr, dstAddr
 | filter srcAddr like "172.31."
 | sort @timestamp desc
 | limit 5

To list IP addresses that try to connect to a specific CIDR, run the following query:

fields @timestamp, srcAddr, dstAddr
 | filter isIpv4InSubnet(srcAddr, "172.31.0.0/16")
 | sort @timestamp desc
 | limit 5
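The following added Python example (not part of the original article or of any AWS tooling) reproduces the logic of the Scenario 1 and Scenario 4 queries offline over constructed flow log lines in the default VPC flow log format, which is useful for checking what a query should return before running it against a real log group. The interface ID, account ID, addresses and timestamps in the sample are constructed.

```python
import ipaddress
from collections import Counter

# Constructed sample lines in the default (version 2) VPC flow log format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_LOG = """\
2 123456789012 eni-05012345abcd 10.0.0.4 10.0.0.5 49152 8080 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-05012345abcd 10.0.0.4 10.0.0.5 49153 8080 6 2 120 1700000000 1700000060 REJECT OK
2 123456789012 eni-05012345abcd 10.0.0.5 10.0.0.6 49154 3306 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-05012345abcd 10.0.0.5 10.0.0.6 49155 3306 6 1 60 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-05012345abcd 203.0.113.9 10.0.0.4 40000 443 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-05012345abcd 172.31.7.7 10.0.0.4 40001 22 6 1 60 1700000000 1700000060 REJECT OK
"""

FIELDS = ["version", "account", "interfaceId", "srcAddr", "dstAddr", "srcPort", "dstPort",
          "protocol", "packets", "bytes", "start", "end", "action", "logStatus"]

def parse(log_text):
    """Split each default-format line into a dict keyed by the Logs Insights field names."""
    return [dict(zip(FIELDS, line.split())) for line in log_text.splitlines() if line.strip()]

def is_ipv4_in_subnet(addr, cidr):
    """Local equivalent of the Logs Insights isIpv4InSubnet() function."""
    try:
        return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(cidr)
    except ValueError:
        return False

INTERNAL = ("10.0.0.0/8", "192.168.0.0/16")   # same ranges as /^(10\.|192\.168\.)/
SERVERS = {"10.0.0.4", "10.0.0.5", "10.0.0.6"}  # web, app and database servers

def rejected_internal_flows(records, servers=SERVERS, limit=5):
    """Scenario 1: REJECTed flows between internal addresses that involve one of the
    servers, counted by (srcAddr, dstAddr, dstPort, protocol), highest count first."""
    counts = Counter()
    for r in records:
        internal = all(any(is_ipv4_in_subnet(r[k], n) for n in INTERNAL)
                       for k in ("srcAddr", "dstAddr"))
        touches_server = r["srcAddr"] in servers or r["dstAddr"] in servers
        if r["action"] == "REJECT" and internal and touches_server:
            counts[(r["srcAddr"], r["dstAddr"], r["dstPort"], r["protocol"])] += 1
    return counts.most_common(limit)

def sources_in_cidr(records, cidr, limit=5):
    """Scenario 4: (srcAddr, dstAddr) of flows whose source lies in cidr, newest first."""
    hits = [r for r in records if is_ipv4_in_subnet(r["srcAddr"], cidr)]
    hits.sort(key=lambda r: int(r["start"]), reverse=True)
    return [(r["srcAddr"], r["dstAddr"]) for r in hits[:limit]]
```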

For more example queries, see Queries for Amazon VPC flow logs.

Related information

Analyzing log data with CloudWatch Logs Insights

Supported logs and discovered fields