# Configure Flow Logs

The information in this section helps you work with flow logs in the [<mark style="color:blue;">Data Center Designer</mark>](https://docs.ionos.com/support/general-information/glossary-of-terms#data-center-designer) (DCD). Currently, you can do either of the following: create a flow log or delete a flow log.

### Creating a flow log

You can create flow logs for your network interfaces as well as the public interfaces of the Network Load Balancer and Network Address Translation ([<mark style="color:blue;">NAT</mark>](https://docs.ionos.com/support/general-information/glossary-of-terms#nat-gateway)) Gateway. Flow logs can publish data to your buckets in the [<mark style="color:blue;">IONOS S3 Object Storage</mark>](https://docs.ionos.com/dcd/object-storage/object-storage).

After you have created and configured your bucket in the IONOS S3 Object Storage, you can create flow logs for your network interfaces.

#### Prerequisites

Before you create a flow log, make sure that you meet the following prerequisites:

* You are logged on to the [<mark style="color:blue;">DCD</mark>](https://docs.ionos.com/cloud/getting-started/basic-tutorials/log-in-dcd).
* You are the [<mark style="color:blue;">contract owner or an administrator</mark>](https://docs.ionos.com/dcd/administration/users-and-permissions#roles).
* You have [<mark style="color:blue;">permissions</mark>](https://docs.ionos.com/dcd/administration/users-and-permissions#access-rights) to edit the required data center.
* You have the [<mark style="color:blue;">create and manage Flow logs</mark>](https://docs.ionos.com/dcd/administration/users-and-permissions#managing-permissions) privilege.
* The VDC is open.
* You are the owner of, or have write access to the permissions of, an [<mark style="color:blue;">IONOS S3 Object Storage bucket</mark>](https://docs.ionos.com/dcd/object-storage/access-management#permissions).
* You have an IONOS S3 Object Storage instance with a bucket that exists for your flow logs. To create an IONOS S3 Object Storage bucket, see the [<mark style="color:blue;">IONOS S3 Object Storage</mark>](https://docs.ionos.com/dcd/object-storage/buckets-and-objects#creating-a-bucket) page.

#### Procedure

Select the appropriate tab for the instance or interface for which you want to activate flow logs in the workspace.

{% tabs %}
{% tab title="Server & Cubes" %}

1. In the Inspector pane, open the **Network** tab.
2. Open the properties of the Network Interface Controller (NIC).

![Accessing flow logs](https://1737632334-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MifAzdGvKLDTtvJP8sm%2Fuploads%2Fgit-blob-3d39a554e0de28c7c9c69e17c6df328900624e7e%2Fnic.png?alt=media)

**Activate flow logs**

![Configure flow logs](https://1737632334-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MifAzdGvKLDTtvJP8sm%2Fuploads%2Fgit-blob-19388b2b26851fd51a75c79f180a275cb0d4f9b1%2Factivate_flow_logs.png?alt=media)

Open the **Flow Log** drop-down and fill in the following fields:

1. For **Name**, enter a name for the flow log rule. The name will also be the first part of the objects’ name prefix.
2. For **Direction**, choose **Ingress** to create flow logs for incoming traffic, **Egress** for outgoing traffic, or **Bidirectional** to create flow logs for all traffic.
3. For **Action**, choose **Rejected** to capture only traffic blocked by the firewall, **Accepted** to capture only traffic allowed by the firewall, or **Any** for all traffic.
4. For **Target S3 bucket**, enter a valid existing IONOS S3 Object Storage bucket name and an optional object name prefix where flow log records should be written.
5. Select **Add flow log** to complete the configuration of the flow log. The flow log is applied once you provision your changes.

{% hint style="info" %}

* Characters **/** (slash) and **%2F** are not supported as object prefix characters.
* You cannot modify the fields of a flow log rule after activating it.
* There is a limit of one flow log created per NIC, NAT Gateway, and Network Load Balancer (NLB).

{% endhint %}

**Result:** An activated flow log rule is visualized by a **green light** on the NIC properties. The green light indicates that the configuration has been validated and is valid for provisioning.

![valid flow log rule](https://1737632334-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MifAzdGvKLDTtvJP8sm%2Fuploads%2Fgit-blob-c6c21763a287e0ea1eb80724d377a1ef636294b4%2Fflowlog_green.png?alt=media)

To see a summary of the flow log rule, open the drop-down of the flow log and select the name of the flow log rule.

![flow log summary](https://1737632334-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MifAzdGvKLDTtvJP8sm%2Fuploads%2Fgit-blob-d8ac7abcc2be3f9721edaeee6d0804b1b6f5e3df%2Fflowlog_message.png?alt=media)

At this point, you may make further changes to your data center (optional).

When ready, select **Provision changes**. After provisioning is complete, the network interface's flow logs are activated.

{% hint style="info" %}
Flow logs can be provisioned on both new and previously provisioned instances.
{% endhint %}

**Deleting a flow log**

**Prerequisites**

Before you delete a flow log, make sure that you meet the following prerequisites:

* You are logged on to the [<mark style="color:blue;">DCD</mark>](https://docs.ionos.com/dcd/getting-started/first-steps/log-in).
* You are the [<mark style="color:blue;">contract owner or an administrator</mark>](https://docs.ionos.com/dcd/administration/users-and-permissions#roles).
* You have [<mark style="color:blue;">permissions</mark>](https://docs.ionos.com/dcd/administration/users-and-permissions#access-rights) to edit the required data center.
* You have the [<mark style="color:blue;">Create and manage Flow logs</mark>](https://docs.ionos.com/dcd/administration/users-and-permissions#managing-permissions) privilege.
* The VDC is [<mark style="color:blue;">open</mark>](https://docs.ionos.com/dcd/getting-started/data-centers#view-and-edit-an-existing-vdc).
* You are the owner of, or have write access to the permissions of, an [<mark style="color:blue;">IONOS S3 Object Storage bucket</mark>](https://docs.ionos.com/dcd/object-storage/access-management#permissions).

**Procedure**

1. Select the relevant VM of the interface for which you want to delete the flow logs in the Workspace.
2. In the Inspector pane, open the **Network** tab.
3. Open the properties of the NIC.
4. Open the **Flow Log** drop-down.
5. Select the trash bin icon to delete the flow log.

![delete a flow log](https://1737632334-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MifAzdGvKLDTtvJP8sm%2Fuploads%2Fgit-blob-ceaef92c33d7e1d99bd890287b7e78bacd1f1b38%2Fdelete_flowlog.png?alt=media)

6\. In the confirmation message, select **OK**.

7\. Select **Provision changes**. After provisioning is complete, the network interface's flow logs are deleted and no longer captured.

{% hint style="info" %}
Deleting a flow log does not delete the existing log streams from your bucket. Existing flow log data must be deleted using the respective service's console. In addition, deleting a flow log that publishes to IONOS S3 Object Storage does not remove the bucket policies and log file access control lists (ACLs).
{% endhint %}
{% endtab %}

{% tab title="NAT Gateway & Network Load Balancer" %}

1. In the Inspector pane, open the **Settings** tab.

![](https://1737632334-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MifAzdGvKLDTtvJP8sm%2Fuploads%2Fgit-blob-4fc341cf982002a198b8abfe01bb7df61eb1af1b%2Fsettings_tab_inspector.png?alt=media)

To activate flow logs, open the **Flow Log** drop-down and fill in the following fields:

![](https://1737632334-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MifAzdGvKLDTtvJP8sm%2Fuploads%2Fgit-blob-70bad501a54ffbe245225cc397ca6bc032094e1c%2Factivate_flowlog_dropdown.png?alt=media)

1. For **Name**, enter a name for the flow log rule. The name will also be the first part of the objects’ name prefix.
2. For **Direction**, choose **Ingress** to create flow logs for incoming traffic, **Egress** for outgoing traffic, or **Bidirectional** to create flow logs for all traffic.
3. For **Action**, choose **Rejected** to capture only traffic blocked by the firewall, **Accepted** to capture only traffic allowed by the firewall, or **Any** for all traffic.
4. For **Target S3 bucket**, enter a valid existing IONOS S3 Object Storage bucket name and an optional object name prefix where flow log records should be written.
5. Select **Add flow log** to complete the configuration of the flow log. The flow log is applied once you provision your changes.

{% endtab %}
{% endtabs %}
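Because a flow log rule cannot be modified once it is activated, it helps to check a planned set of rules against the field values and limits listed above before you provision. The following Python sketch is an added example, not IONOS code: `FlowLogRule`, `lint_rules`, and the target labels are hypothetical names, and the sample rules are constructed.

```python
from dataclasses import dataclass

# Field values as they appear in the DCD Flow Log drop-down.
DIRECTIONS = {"Ingress", "Egress", "Bidirectional"}
ACTIONS = {"Rejected", "Accepted", "Any"}

@dataclass(frozen=True)
class FlowLogRule:
    target: str       # hypothetical label for the NIC, NAT Gateway, or NLB
    name: str
    direction: str
    action: str
    bucket: str
    prefix: str = ""  # optional object name prefix

def lint_rules(planned, active=()):
    """Return (target, problem) tuples; an empty list means the plan is consistent."""
    problems, seen = [], set()
    active_by_target = {rule.target: rule for rule in active}
    for rule in planned:
        if not rule.name.strip():
            problems.append((rule.target, "name is empty"))
        if rule.direction not in DIRECTIONS:
            problems.append((rule.target, f"unknown direction {rule.direction!r}"))
        if rule.action not in ACTIONS:
            problems.append((rule.target, f"unknown action {rule.action!r}"))
        if not rule.bucket.strip():
            problems.append((rule.target, "target S3 bucket is empty"))
        # Assumption: the lowercase form %2f is treated like %2F.
        if "/" in rule.prefix or "%2f" in rule.prefix.lower():
            problems.append((rule.target, "prefix contains '/' or '%2F'"))
        if rule.target in seen:
            problems.append((rule.target, "more than one flow log for this interface"))
        seen.add(rule.target)
        current = active_by_target.get(rule.target)
        if current is not None and current != rule:
            problems.append((rule.target, "active rule cannot be edited; "
                                          "delete it and create a new one"))
    return problems

if __name__ == "__main__":
    # Constructed sample plan: one valid rule, one with two invalid fields.
    plan = [
        FlowLogRule("nic-web-1", "web-rejected", "Ingress", "Rejected", "flowlogs-example", "web"),
        FlowLogRule("nic-db-1", "db-all", "Both", "Any", "flowlogs-example", "db/prod"),
    ]
    for target, problem in lint_rules(plan):
        print(f"{target}: {problem}")
```
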
