Configure Flow Logs

The information and assistance available in this category make it easier for you to work with flow logs using the Data Center Designer (DCD). For the time being, you have the option of doing either of the following.

Creating a flow log

You can create flow logs for your network interfaces as well as the public interfaces of the Network Load Balancer and Network Address Translation (NAT) Gateway. Flow logs can publish data to your buckets in the IONOS S3 Object Storage.

After you have created and configured your bucket in the IONOS S3 Object Storage, you can create flow logs for your network interfaces.

Prerequisites

Before you create a flow log, make sure that you meet the following prerequisites:

Procedure

Select the appropriate tab for the instance or interface for which you want to activate flow logs in the workspace.

  1. In the Inspector pane, open the Network tab.

  2. Open the properties of the Network Interface Controller (NIC).

Accessing flow logs

Activate flow logs

Configure flow logs

Open the Flow Log drop-down and fill in the following fields:

  1. For Name, enter a name for the flow log rule. The name will also be the first part of the objects’ name prefix.

  2. For Direction, choose Ingress to create flow logs for incoming traffic, Egress for outgoing traffic, or Bidirectional to create flow logs for all traffic.

  3. For Action, choose Rejected to capture only traffic blocked by the firewall, Accepted to capture only traffic allowed by the firewall, or Any for all traffic.

  4. For Target S3 bucket, enter a valid existing IONOS S3 Object Storage bucket name and an optional object name prefix where flow log records should be written.

  5. Select Add flow log to complete the configuration of the flow log. It becomes applied once you provision your changes.

  • Characters / (slash) and %2F are not supported as object prefix characters.

  • You cannot edit/modify changes to the fields of a flow log rule after activating it.

  • There is a limit of one flow log created per NIC, NAT Gateway, and Network Load Balancer (NLB).

Result: An activated flow log rule is visualized by a green light on the NIC properties. The green light indicates that the configuration has been validated and is valid for provisioning.

valid flow log rule

A summary of the flow logs rule can be seen by opening the drop-down of the flow log and selecting the name of the flow log rule.

flow log summary

At this point, you may make further changes to your data center (optional).

When ready, select Provision changes. After provisioning is complete, the network interface's flow logs are activated.

Flow logs can be provisioned on both new and previously provisioned instances.

Deleting a flow log

Prerequisites

Before you delete a flow log, make sure that you meet the following prerequisites:

Procedure

  1. Select the relevant VM of the interface for which you want to delete the flow logs in the Workspace.

  2. In the Inspector pane, open the Network tab.

  3. Open the properties of the NIC.

  4. Open the Flow Log drop-down.

  5. Select the trash bin icon to delete the flow log.

delete a flow log

6. In the confirmation message, select OK

7. Select Provision changes. After provisioning is complete, the network interface's flow logs are deleted and no longer captured.

Deleting a flow log does not delete the existing log streams from your bucket. Existing flow log data must be deleted using the respective service's console. In addition, deleting a flow log that publishes to IONOS S3 Object Storage does not remove the bucket policies and log file access control lists (ACLs).

Last updated

Revision created

Minor update from the comments