Look at the documentation here:
IncomingBytes - The volume of log events in uncompressed bytes uploaded to CloudWatch Logs. When used with the LogGroupName dimension, this is the volume of log events in uncompressed bytes uploaded to the log group.
It means that this metric represents the number of bytes that the flow logs themselves consume (not an aggregation of the incoming bytes of the flows within the flow logs). It's the size of the flow log text.
For example, if your flow logs contain just a single line:
2 123456789010 eni-1235b8ca123456789 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK
The IncomingBytes will be 115 because the text contains 115 characters:
echo "2 123456789010 eni-1235b8ca123456789 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK" | wc -c
115
(and not 4249, which is the bytes that went over that flow).
Hello.
Looking at the document below, I think the calculation is based on the amount of data sent and received between the customer gateway and AWS.
https://docs.aws.amazon.com/vpn/latest/s2svpn/monitoring-cloudwatch-vpn.html
Therefore, I thought that if I could obtain a packet capture on the customer gateway side, I would be able to see what kind of traffic was being sent to AWS.
Thanks. Unfortunately, I'm unable to get the log from the customer gateway side. Here's the CloudWatch Insight query that I'm using to figure out the IP addresses that contribute the most to the surge. Does it make sense?
fields @timestamp, @message
| parse @message '* * * * * * * * * * * * * *' as ver, account, interface, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log_status
| filter @message like "<replaced with customer gateway ip address>"
| stats sum(bytes) as totalBytes by srcaddr, dstaddr
| sort totalBytes desc
| limit 200
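An added example (not part of the original thread, and not AWS code) covering both the answer and the query above: it parses flow log records in the default 14-field format, measures the size of the log text that the answer equates with IncomingBytes, and totals the bytes field per srcaddr/dstaddr pair the way the Insights query does. The sample records, function names, and the exact-match address filter (the query matches a substring of the whole message) are assumptions made here.

```python
from collections import Counter

# Constructed sample records (default flow log format); the first is the line from the answer.
SAMPLE_LOG = """\
2 123456789010 eni-1235b8ca123456789 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK
2 123456789010 eni-1235b8ca123456789 203.0.113.12 172.31.16.21 44321 443 6 310 412000 1418530010 1418530070 ACCEPT OK
2 123456789010 eni-1235b8ca123456789 203.0.113.12 172.31.16.21 44322 443 6 150 198000 1418530070 1418530130 ACCEPT OK
2 123456789010 eni-1235b8ca123456789 - - - - - - - 1418530130 1418530190 - NODATA
"""

FIELDS = ("ver account interface srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


def parse(line):
    """Return one record as a dict, or None if it carries no traffic counters."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None  # custom format or truncated line
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK" or not rec["bytes"].isdigit():
        return None  # NODATA / SKIPDATA records hold "-" in the counter fields
    rec["bytes"] = int(rec["bytes"])
    return rec


def log_text_size(text):
    """Size in bytes of the flow log text itself (what `wc -c` counts)."""
    return len(text.encode("utf-8"))


def top_talkers(text, address=None, limit=200):
    """Sum the bytes field per (srcaddr, dstaddr), largest first."""
    totals = Counter()
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if address and address not in (rec["srcaddr"], rec["dstaddr"]):
            continue
        totals[(rec["srcaddr"], rec["dstaddr"])] += rec["bytes"]
    return totals.most_common(limit)


if __name__ == "__main__":
    print("log text size:", log_text_size(SAMPLE_LOG))
    for (src, dst), total in top_talkers(SAMPLE_LOG):
        print(f"{src} -> {dst}: {total} bytes")
```

Records with a log status other than OK are skipped because their packets and bytes fields are "-", which would otherwise break the sum.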
I see. So they're not comparable. Thanks!