Overview

Use the Flow logs feature to capture data that is related to IPv4 and IPv6 network traffic flows. Flow logs can be enabled for each network interface of a Virtual Machine (VM) instance, as well as the public interfaces of the Managed Network Load Balancer (NLB) and Managed Network Address Translation (NAT) Gateway.

Flow logs can help you with several tasks such as:

  • Debugging connectivity and security issues

  • Monitoring network throughput and performance

  • Logging data to ensure that firewall rules are working as expected

Flow logs are stored in a customer IONOS S3 Object Storage bucket, which you configure when you create a flow log collector.

Network traffic flows

A network traffic flow is a sequence of packets sent from a specific source to a specific unicast, anycast, or multicast destination. A flow could be made up of all packets in a specific transport connection or a media stream. However, a flow is not always mapped to a transport connection one-to-one.

A flow consists of the following network information:

  • Source IP address

  • Destination IP address

  • Source port

  • Destination port

  • Internet protocol

  • Number of packets

  • Bytes

  • Capture start time

  • Capture end time

Core concepts

  • Flow log data for a monitored network interface is stored as flow log records, which are log events containing fields that describe the traffic flow. For more information, see Flow Log Record.

  • Flow log records are written to flow logs, which are then stored in a user-defined IONOS S3 Object Storage bucket from where they can be accessed.

  • You can export, process, analyze, and visualize flow logs using tools, such as Security Information and Event Management (SIEM) systems, Intrusion Detection Systems (IDS), Cyberduck, Logstash, etc.

  • Traffic flows in your network are captured based on the defined rules.

  • Flow logs are collected at a 10-minute rotation interval and have no impact on customer resources or network performance. Statistics about a traffic flow are collected and aggregated during this time period to create a flow log record.

Note: No flow log file will be created if no flows for a particular bucket are received during the log rotation interval. This prevents empty objects from being uploaded to the IONOS S3 Object Storage.

  • The flow log file's name is prefixed with an optional object prefix, followed by a Unix timestamp and the file extension .log.gz. Example: flowlogs/webserver01-1629810635.log.gz.

  • Flow logs are retained in the IONOS S3 Object Storage bucket until they are manually deleted. Alternatively, you can configure objects to be deleted automatically after a predefined time period using a Lifecycle Policy for an object in the IONOS S3 Object Storage. For more information, see Delete objects.

  • The IONOS S3 Object Storage owner of the object is an IONOS internal technical user named flowlogs@cloud.ionos.com with Canonical ID 31721881|65b95d54-8b1b-459c-9d46-364296d9beaf.

Warning: It is advisable to never delete the IONOS Cloud internal technical user from your bucket as this disables the flow log service. The bucket owner also receives full permissions to the flow log objects per default.

Limitations

This section lists the limitations of Flow logs:

  • You cannot change the configuration of a flow log or the flow log record format after it has been created. In the flow log record, you cannot add or remove fields. Instead, delete the flow log and create a new one with the necessary settings.

  • There is a limit of one flow log created per NIC, Managed NAT Gateway, and Managed Network Load Balancer.

Last updated