如何利用 CloudWatch Logs Insights 來分析自訂 VPC 流程記錄?

5 分的閱讀內容
0

我已設定自訂 VPC 流程記錄。如何利用 Amazon CloudWatch Logs Insights 來探索模式及趨勢?

簡短描述

您可利用 CloudWatch Logs Insights 來分析 VPC 流程記錄。CloudWatch Logs Insights 會自動在許多 Amazon 提供的記錄探索欄位以及 JSON 格式的日誌事件,以便輕鬆建構查詢及記錄探索。CloudWatch Logs Insights 會自動探索採用預設格式的 VPC 流程記錄。

然而,VPC 流程記錄是以自訂格式部署。基於這個原因,不會自動探索,您必須修改查詢。本文提供了幾個查詢範例,您可自訂及擴充來符合您的使用案例。

利用以下自訂 VPC 流程記錄格式:

${account-id} ${vpc-id} ${subnet-id} ${interface-id} ${instance-id} ${srcaddr} ${srcport} ${dstaddr} ${dstport} ${protocol} ${packets} ${bytes} ${action} ${log-status} ${start} ${end} ${flow-direction} ${traffic-path} ${tcp-flags} ${pkt-srcaddr} ${pkt-src-aws-service} ${pkt-dstaddr} ${pkt-dst-aws-service} ${region} ${az-id} ${sublocation-type} ${sublocation-id}

解決方式

擷取最新 VPC 流程記錄

由於 CloudWatch Logs Insights 不會自動探索記錄欄位,因此必須利用解析關鍵字來隔離所需欄位。在此查詢中,結果依照流程日誌事件開始時間排序,並限於兩則最新的記錄項目。

查詢

#Retrieve latest custom VPC Flow Logs
parse @message "* * * * * * * * * * * * * * * * * * * * * * * * * * *" as account_id, vpc_id, subnet_id, interface_id,instance_id, srcaddr, srcport, dstaddr, dstport, protocol, packets, bytes, action, log_status, start, end, flow_direction, traffic_path, tcp_flags, pkt_srcaddr, pkt_src_aws_service, pkt_dstaddr, pkt_dst_aws_service, region, az_id, sublocation_type, sublocation_id
| sort start desc
| limit 2

結果

account_id vpc_id  subnet_id interface_idinstance_idsrcaddrsrcport
123456789012 vpc-0b69ce8d04278ddd subnet-002bdfe1767d0ddb0eni-0435cbb62960f230e172.31.0.10455125
123456789012 vpc-0b69ce8d04278ddd1 subnet-002bdfe1767d0ddb0eni-0435cbb62960f230e91.240.118.8149422

依照來源/目標 IP 位址彙總資料傳輸

接下來,依照來源/目的地 IP 位址彙總網路流量。在此範例中,利用總和統計數字彙總位元欄位。這會計算主機之間傳輸的資料的累積總數。為了取得更多內容,因此納入了 flow_direction。然後,把彙總的結果臨時指派到 Data_Transferred 欄位。然後,依照 Data_Testorage 由大到小對結果進行排序,同時返回兩組最大的資料對。

查詢

parse @message "* * * * * * * * * * * * * * * * * * * * * * * * * * *" as account_id, vpc_id, subnet_id, interface_id,instance_id, srcaddr, srcport, dstaddr, dstport, protocol, packets, bytes, action, log_status, start, end, flow_direction, traffic_path, tcp_flags, pkt_srcaddr, pkt_src_aws_service, pkt_dstaddr, pkt_dst_aws_service, region, az_id, sublocation_type, sublocation_id
| stats sum(bytes) as Data_Transferred by srcaddr, dstaddr, flow_direction
| sort by Data_Transferred desc
| limit 2

結果

srcaddrdstaddrflow_directionData_Transferred
172.31.1.2473,230,172,154egress346952038
172.31.0.463,230,172,154egress343799447

依照 EC2 執行個體 ID 來分析資料傳輸

您可利用自訂 VPC 流程記錄直接分析Amazon Elastic Compute Cloud (Amazon EC2) 執行個體 ID。透過上述查詢,您現在可利用 instance_id 欄位確定最活躍的 EC2 執行個體。

查詢

parse @message "* * * * * * * * * * * * * * * * * * * * * * * * * * *" as account_id, vpc_id, subnet_id, interface_id,instance_id, srcaddr, srcport, dstaddr, dstport, protocol, packets, bytes, action, log_status, start, end, flow_direction, traffic_path, tcp_flags, pkt_srcaddr, pkt_src_aws_service, pkt_dstaddr, pkt_dst_aws_service, region, az_id, sublocation_type, sublocation_id
| stats sum(bytes) as Data_Transferred by instance_id
| sort by Data_Transferred desc
| limit 5

結果

instance_idData_Transferred
-1443477306
i-03205758c9203c979517558754
i-0ae33894105aa500c324629414
i-01506ab9e9e90749d198063232
i-0724007fef3cb06f354847643

篩選遭拒的 SSH 流量

為了更瞭解遭到安全群組及網路存取控制清單 (ACL) 拒絕的流量,請篩選遭拒的 VPC 流程記錄。您可進一步縮小此篩選範圍,納入通訊協定和目標連接埠。要識別 SSH 通訊遭拒的主機,請擴大篩選條件納入 TCP 通訊協定 (例如,通訊協定 6) 和目標連接埠為 22 的通訊。

查詢

parse @message "* * * * * * * * * * * * * * * * * * * * * * * * * * *" as account_id, vpc_id, subnet_id, interface_id,instance_id, srcaddr, srcport, dstaddr, dstport, protocol, packets, bytes, action, log_status, start, end, flow_direction, traffic_path, tcp_flags, pkt_srcaddr, pkt_src_aws_service, pkt_dstaddr, pkt_dst_aws_service, region, az_id, sublocation_type, sublocation_id
| filter action = "REJECT" and protocol = 6 and dstport = 22
| stats sum(bytes) as SSH_Traffic_Volume by srcaddr
| sort by SSH_Traffic_Volume desc
| limit 2

結果

srcaddrSSH_Traffic_Volume
23.95.222.129160
179.43.167.7480

隔離特定來源/目標對的 HTTP 資料串流

要利用 CloudWatch Logs Insights 進一步調查資料趨勢,請隔離兩個 IP 位址間的雙向流量。在此查詢中,["172.31.1.247","172.31.11.212"] 返回利用 IP 位址作為來源 IP 位址或目標 IP 位址的流程記錄。要隔離 HTTP 流量,篩選條件的敘述會找出符合通訊協定 6 (TCP) 與連接埠 80 的 VPC 流程日誌事件。利用 display 關鍵字返回所有可用欄位的子集。

查詢

#HTTP Data Stream for Specific Source/Destination Pair
parse @message "* * * * * * * * * * * * * * * * * * * * * * * * * * *" as account_id, vpc_id, subnet_id, interface_id,instance_id, srcaddr, srcport, dstaddr, dstport, protocol, packets, bytes, action, log_status, start, end, flow_direction, traffic_path, tcp_flags, pkt_srcaddr, pkt_src_aws_service, pkt_dstaddr, pkt_dst_aws_service, region, az_id, sublocation_type, sublocation_id
| filter srcaddr in ["172.31.1.247","172.31.11.212"] and dstaddr in ["172.31.1.247","172.31.11.212"] and protocol = 6 and (dstport = 80 or srcport=80)
| display interface_id,srcaddr, srcport, dstaddr, dstport, protocol, bytes, action, log_status, start, end, flow_direction, tcp_flags
| sort by start desc
| limit 2

結果

interface_idsrcaddrsrcportdstaddrdstport通訊協定位元組動作log_status
eni-0b74120275654905e172.31.11.21280172.31.1.2472937665160876接受確定
eni-0b74120275654905e172.31.1.24729376172.31.11.21280697380接受確定

隔離特定來源/目標對的 HTTP 資料串流

您可利用 CloudWatch Logs Insights 以長條圖或餅狀圖形式來顯示結果。如結果包含 bin() 函數,則返回包含時間戳記的查詢結果。然後,可利用折線圖或堆疊面積圖顯示此時間序列

在上述查詢基礎之上,您可利用 stats sum(bytes) as Data_Trasferred by bin(1m) 計算在一分鐘間隔內傳輸的累積資料。要檢視此視覺化結果,請在 CloudWatch Logs Insights 主控台中的記錄視覺化表格之間進行切換。

查詢

parse @message "* * * * * * * * * * * * * * * * * * * * * * * * * * *" as account_id, vpc_id, subnet_id, interface_id,instance_id, srcaddr, srcport, dstaddr, dstport, protocol, packets, bytes, action, log_status, start, end, flow_direction, traffic_path, tcp_flags, pkt_srcaddr, pkt_src_aws_service, pkt_dstaddr, pkt_dst_aws_service, region, az_id, sublocation_type, sublocation_id
| filter srcaddr in ["172.31.1.247","172.31.11.212"] and dstaddr in ["172.31.1.247","172.31.11.212"] and protocol = 6 and (dstport = 80 or srcport=80)
| stats sum(bytes) as Data_Transferred by bin(1m)

結果

bin(1m)Data_Transferred
2022-04-01 15:23:00.00017225787
2022-04-01 15:21:00.00017724499
2022-04-01 15:20:00.0001125500
2022-04-01 15:19:00.000101525
2022-04-01 15:18:00.00081376

相關資訊

支援的日誌和探索的欄位

使用 CloudWatch Logs Insights 分析日誌資料

CloudWatch Logs Insights 查詢命令

教學課程:執行產生視覺化時間序列的查詢

AWS 官方
AWS 官方已更新 2 年前