1 Answer
Hi,
One way to achieve what you want is to publish the VPC flow logs to CloudWatch Logs and then use the regular CloudWatch alarms + SNS mechanisms on those CloudWatch logs to filter the events that you want.
See:
- https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-cwl.html for publication to CloudWatch
- https://blog.serverlessadvocate.com/monitoring-aws-cloudwatch-logs-with-cdk-creating-alarms-for-specific-error-conditions-bae0c4e36f79 for an example done via CDK
Best,
Didier
Hi, thanks for the reply. I need a possible metric filter pattern to match my condition; can you please help me with that?
Sure, can you provide a sample of a VPC message published to CloudWatch containing the address(es) to filter? We'll then build the pattern to filter it.
2 123456789010 eni-1235b8ca123456789 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK
Ok. So, based on this syntax, you have to create a regex filtering the IP addresses as the 4th and 5th fields of the log message. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/FilterAndPatternSyntax.html. Then, with this metric, you raise a CW alarm as soon as the metric is non-zero, and you route this alarm to SNS, where you create a corresponding topic alerting the proper addresses via email.
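The following is an added example, not code from the thread or from AWS: it parses the 14-field default flow log record shown above, builds the space-delimited CloudWatch Logs filter patterns for "this IP is the source" and "this IP is the destination" (one metric filter per pattern, both publishing to the same metric), and mirrors that matching locally so the patterns can be checked against sample lines before they are deployed. The field names (`srcaddr`, `dstaddr`, etc.) are those of the default flow log format; the sample lines other than the one from the thread are constructed. Verify the generated pattern strings against the filter-and-pattern syntax page linked above before use.

```python
import ipaddress
from typing import Dict, Iterable, Optional

# Default (version 2) VPC flow log record: 14 space-separated fields in this
# order, matching the sample line posted in the thread.
FLOW_LOG_FIELDS = [
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
]

# Line from the thread plus constructed lines (the latter are not real data).
SAMPLE_LINES = [
    "2 123456789010 eni-1235b8ca123456789 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK",
    "2 123456789010 eni-1235b8ca123456789 10.0.0.5 172.31.16.139 443 51234 6 10 1500 1418530010 1418530070 REJECT OK",
    "2 123456789010 eni-1235b8ca123456789 - - - - - - - 1418530010 1418530070 - NODATA",
    "2 123456789010 eni-1235b8ca123456789 10.0.0.7 10.0.0.8 80 33333 6 5 700 1418530010 1418530070 ACCEPT OK",
]


def parse_flow_log(line: str) -> Optional[Dict[str, str]]:
    """Split one record into named fields; None if the field count is wrong.

    A space-delimited CloudWatch filter pattern with 14 positions only matches
    events with exactly 14 fields, so a custom-format line would not match.
    """
    parts = line.split()
    if len(parts) != len(FLOW_LOG_FIELDS):
        return None
    return dict(zip(FLOW_LOG_FIELDS, parts))


def build_filter_patterns(watch_ip: str) -> Dict[str, str]:
    """Return one CloudWatch Logs filter pattern per direction for watch_ip.

    Each pattern lists every field positionally and pins one of them to the
    address, in the style of the SSH/REJECT example in the VPC flow logs guide.
    """
    ipaddress.ip_address(watch_ip)  # raises ValueError on malformed input

    def pattern(pinned_field: str) -> str:
        terms = [
            f'{f}="{watch_ip}"' if f == pinned_field else f
            for f in FLOW_LOG_FIELDS
        ]
        return "[" + ", ".join(terms) + "]"

    return {"source": pattern("srcaddr"), "destination": pattern("dstaddr")}


def matches_watchlist(line: str, watch_ips: Iterable[str]) -> bool:
    """Local equivalent of the two patterns: srcaddr or dstaddr is watched."""
    record = parse_flow_log(line)
    if record is None:
        return False
    watched = set(watch_ips)
    return record["srcaddr"] in watched or record["dstaddr"] in watched


def count_matches(lines: Iterable[str], watch_ips: Iterable[str]) -> int:
    """Number of matching events in a batch, i.e. the metric value the alarm
    would see for that period; the thread's alarm fires when this is non-zero."""
    watched = set(watch_ips)
    return sum(1 for line in lines if matches_watchlist(line, watched))


if __name__ == "__main__":
    for name, pat in build_filter_patterns("172.31.16.139").items():
        print(f"{name}: {pat}")
    print("matching events:", count_matches(SAMPLE_LINES, {"172.31.16.139"}))
```

Create two metric filters on the flow log group, one with each pattern, pointing at the same metric name and namespace; an alarm on that metric with a threshold of 0 and the `GreaterThanThreshold` comparison then notifies the SNS topic. The NODATA line above shows why the parser keeps the field count strict: those records still have 14 fields, so they pass the positional pattern but carry `-` in the address positions and never equal a real IP.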