Use the Flow logs feature to capture data that is related to IPv4 and IPv6 network traffic flows. Flow logs can be enabled for each network interface of a Virtual Machine (VM) instance, as well as the public interfaces of the Network Load Balancer (NLB) and Network Address Translation (NAT) Gateway.
Flow logs can help you with a number of tasks such as:
Debugging connectivity and security issues
Monitoring network throughput and performance
Logging data to ensure that firewall rules are working as expected
Flow logs are stored in a customer’s IONOS S3 Object Storage bucket, which you configure when you create a flow log collector.
A network traffic flow is a sequence of packets sent from a specific source to a specific unicast, anycast, or multicast destination. A flow could be made up of all packets in a specific transport connection or a media stream. However, a flow is not always mapped to a transport connection one-to-one.
A flow consists of the following network information:
Source IP address
Destination IP address
Source port
Destination port
IP protocol number
Number of packets
Bytes
Capture start time
Capture end time
Flow log data for a monitored network interface is stored as flow log records, which are log events containing fields that describe the traffic flow. For more information, see Flow Log Record.
Flow log records are written to flow logs, which are then stored in a user-defined IONOS S3 Object Storage bucket from where they can be accessed.
You can export, process, analyze, and visualize flow logs using tools, such as Security Information and Event Management (SIEM) systems, Intrusion Detection Systems (IDS), Cyberduck, Logstash, etc.
Traffic flows in your network are captured in accordance with the defined rules.
Flow logs are collected at a 10-minute rotation interval and have no impact on customer resources or network performance. Statistics about a traffic flow are collected and aggregated during this time period to create a flow log record.
No flow log file is created if a flow log receives no flows during the rotation interval, so no empty objects are uploaded to IONOS S3 Object Storage.
The flow log file's name is prefixed with an optional object prefix, followed by a Unix timestamp and the file extension .log.gz, for example, flowlogs/webserver01-1629810635.log.gz.
Flow logs are retained in the IONOS S3 Object Storage bucket until they are manually deleted. Alternatively, you can have objects deleted automatically after a predefined period by configuring a Lifecycle Policy on the bucket in the IONOS S3 Object Storage, scoped to the flow log object prefix.
The IONOS S3 Object Storage owner of the object is an IONOS internal technical user named flowlogs@cloud.ionos.com (Canonical ID 31721881|65b95d54-8b1b-459c-9d46-364296d9beaf).
Never remove the IONOS Cloud internal technical user's grant from your bucket permissions, as this disables the flow log service. The bucket owner also receives full permissions to the flow log objects by default.
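The warning above is easy to violate during a routine permissions cleanup. As an added example (not IONOS code), the following Python functions audit a bucket ACL, in the dict shape that S3-compatible SDKs return from get_bucket_acl, for two things at once: that the flowlogs@cloud.ionos.com technical user (Canonical ID as given above) still holds a grant, and that no grant exposes the bucket, and the IP addresses in the logs, to the AllUsers or AuthenticatedUsers groups. Assumptions: the writer needs WRITE or FULL_CONTROL on the bucket, the standard S3 group URIs apply to IONOS S3 Object Storage, and access is managed through the ACL (a bucket policy may also be involved). The sample ACL is constructed.

```python
# Added example, not IONOS code: audit a bucket ACL (dict shape returned by
# get_bucket_acl in S3-compatible SDKs) so that a permissions cleanup never
# removes the flow log writer, while still removing public exposure.
FLOWLOG_CANONICAL_ID = "31721881|65b95d54-8b1b-459c-9d46-364296d9beaf"  # from this page
WRITER_PERMISSIONS = {"WRITE", "FULL_CONTROL"}  # assumption: what the writer needs
PUBLIC_GROUPS = {  # standard S3 group URIs; assumed to apply to IONOS S3 Object Storage
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def writer_permissions(grants) -> set:
    """Permissions the flow log technical user holds in the grant list."""
    return {g["Permission"] for g in grants
            if g["Grantee"].get("Type") == "CanonicalUser"
            and g["Grantee"].get("ID") == FLOWLOG_CANONICAL_ID}


def public_grants(grants) -> list:
    """Grants to everyone or to any authenticated user: these expose the flow
    log objects, and the IP addresses in them, beyond your contract."""
    return [g for g in grants
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS]


def audit_acl(acl: dict) -> dict:
    """Is flow log delivery still possible, and how many public grants exist?"""
    grants = acl.get("Grants", [])
    return {"writer_ok": bool(writer_permissions(grants) & WRITER_PERMISSIONS),
            "public_grants": len(public_grants(grants))}


def harden_grants(acl: dict) -> list:
    """Grant list with the public grants removed and every other grant,
    including the flow log writer's, kept exactly as it was."""
    grants = acl.get("Grants", [])
    exposed = public_grants(grants)
    return [g for g in grants if g not in exposed]


SAMPLE_ACL = {  # constructed get_bucket_acl response, not real data
    "Owner": {"ID": "contract-owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "contract-owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "CanonicalUser", "ID": FLOWLOG_CANONICAL_ID,
                     "DisplayName": "flowlogs@cloud.ionos.com"},
         "Permission": "WRITE"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    print(audit_acl(SAMPLE_ACL))                              # writer_ok True, 1 public grant
    print(audit_acl({"Grants": harden_grants(SAMPLE_ACL)}))   # writer_ok True, 0 public grants
```

Against a live bucket, fetch the ACL with your S3 client, check audit_acl() first, and apply the cleaned list with the owner unchanged, for example with boto3: s3.put_bucket_acl(Bucket=name, AccessControlPolicy={"Owner": acl["Owner"], "Grants": harden_grants(acl)}). If writer_ok is already False, flow log delivery is broken and the technical user's grant must be restored rather than the ACL merely tightened.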
To use flow logs, you need to be aware of the following limitations:
You can't change the configuration of a flow log or the flow log record format after it's been created. In the flow log record, for example, you can't add or remove fields. Instead, delete the flow log and create a new one with the necessary settings.
There is a limit of one flow log created per NIC, NAT Gateway, and Network Load Balancer.
A flow log record is a record of a network flow in your virtual data center (VDC). Each record captures one IP traffic flow, aggregated over the capture window, and is enriched with the following information:
Account ID of the resource
Unique identifier of the network interface
The flow's status, indicating whether it was accepted or rejected by the software-defined networking (SDN) layer
The fields that make up a flow log record are described in the table of flow log record fields at the end of this page.
The following are examples of flow log records that capture specific traffic flows. For information on how to create flow logs, see configure flow logs.
In this example, traffic to the network interface 7ffd6527-ce80-4e57-a949-f9a45824ebe2 for the account 12345678 was accepted.
In this example, traffic to the network interface 7ffd6527-ce80-4e57-a949-f9a45824ebe2 for the account 12345678 was rejected.
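As an added example (not IONOS code), the following Python script parses flow log objects as they arrive in the bucket and runs a first triage over the records. It assumes that a record is one line of space-separated fields in the order of the field table on this page (version, account-id, interface_id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status) and that objects follow the prefix-name-timestamp.log.gz naming described above; the sample records are constructed from the example values on this page and are not real traffic. It shows three checks a practitioner typically wants from these logs: rejected flows per source, a port-scan heuristic over the REJECT records, and the SKIPDATA windows in which the counts are incomplete.

```python
import gzip
import re
from collections import Counter, defaultdict, namedtuple

# Field order taken from the field table on this page. That records are
# space-separated in this order is an assumption of this example.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes", "start", "end",
          "action", "log_status")
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}
FlowRecord = namedtuple("FlowRecord", FIELDS)
# Object key layout from the page's example: flowlogs/webserver01-1629810635.log.gz
KEY_RE = re.compile(r"^(?P<name>.+)-(?P<ts>\d+)\.log\.gz$")


def object_key_timestamp(key: str) -> int:
    """Unix timestamp embedded in an object key, so objects can be selected by
    time range from a bucket listing before anything is downloaded."""
    m = KEY_RE.match(key)
    if m is None:
        raise ValueError(f"not a flow log object key: {key!r}")
    return int(m.group("ts"))


def parse_record(line: str) -> FlowRecord:
    """Parse one record line strictly; a malformed line raises ValueError."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    values = {n: (int(t) if n in INT_FIELDS else t) for n, t in zip(FIELDS, parts)}
    if values["action"] not in ("ACCEPT", "REJECT"):
        raise ValueError(f"unknown action {values['action']!r}")
    if values["log_status"] not in ("OK", "SKIPDATA"):
        raise ValueError(f"unknown log-status {values['log_status']!r}")
    return FlowRecord(**values)


def parse_log_gz(data: bytes):
    """Decompress one .log.gz object and parse every non-empty line. Returns
    (records, bad_lines): a corrupt line is reported, not fatal, so it cannot
    hide the rest of the capture window."""
    records, bad = [], []
    for lineno, raw in enumerate(gzip.decompress(data).decode().splitlines(), 1):
        if not raw.strip():
            continue
        try:
            records.append(parse_record(raw))
        except ValueError as exc:
            bad.append((lineno, raw, str(exc)))
    return records, bad


def rejected_by_source(records) -> Counter:
    """Number of firewall-rejected flows per source address."""
    return Counter(r.srcaddr for r in records if r.action == "REJECT")


def scan_candidates(records, min_ports: int = 5) -> dict:
    """Sources rejected on at least min_ports distinct destination ports of one
    interface: a cheap port-scan heuristic over the REJECT records."""
    ports = defaultdict(set)
    for r in records:
        if r.action == "REJECT":
            ports[(r.interface_id, r.srcaddr)].add(r.dstport)
    return {k: sorted(v) for k, v in ports.items() if len(v) >= min_ports}


def coverage_gaps(records) -> list:
    """Capture windows flagged SKIPDATA: their counts are incomplete, so the
    absence of a flow there must not be read as 'no traffic'."""
    return sorted({(r.interface_id, r.start, r.end)
                   for r in records if r.log_status == "SKIPDATA"})


# Constructed sample records (not real traffic), using the page's example
# interface UUID and account ID.
IFACE = "7ffd6527-ce80-4e57-a949-f9a45824ebe2"


def _rec(src, sport, dport, action, status="OK", start=1587983100, pkts=1, nbytes=60):
    return (f"2 12345678 {IFACE} {src} 172.17.1.101 {sport} {dport} 6 "
            f"{pkts} {nbytes} {start} {start + 1} {action} {status}")


SAMPLE_LINES = [
    _rec("172.17.1.100", 59113, 20756, "ACCEPT", start=1587983051, pkts=17, nbytes=1325),
    *[_rec("198.51.100.7", 44120 + i, p, "REJECT") for i, p in enumerate((22, 23, 80, 443, 3389))],
    _rec("203.0.113.5", 50210, 22, "REJECT", pkts=3, nbytes=180),
    _rec("203.0.113.9", 51000, 443, "ACCEPT", status="SKIPDATA", start=1587983110, pkts=12, nbytes=980),
    f"2 12345678 {IFACE} 203.0.113.9 172.17.1.101",  # truncated line
]


def sample_object() -> bytes:
    """The sample records as a gzip-compressed object, as stored in the bucket."""
    return gzip.compress(("\n".join(SAMPLE_LINES) + "\n").encode())


def triage(data: bytes) -> dict:
    """Parse one object and return the findings a responder looks at first."""
    records, bad = parse_log_gz(data)
    return {"records": len(records), "bad_lines": len(bad),
            "rejected_by_source": rejected_by_source(records),
            "scan_candidates": scan_candidates(records),
            "coverage_gaps": coverage_gaps(records)}
```

Running triage(sample_object()) on the constructed object reports 8 records and 1 bad line, five rejected flows from 198.51.100.7 (flagged as a scan candidate across ports 22, 23, 80, 443 and 3389), one from 203.0.113.5, and one SKIPDATA window. For real objects, list the bucket with an S3 client, keep the keys whose object_key_timestamp() falls in the time window of interest, download them, and pass each body to triage(). Because a SKIPDATA window may be missing rejected flows, treat the absence of REJECT records in such a window as unknown rather than clean.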
This section describes how to work with flow logs using the Data Center Designer (DCD). You can do either of the following:
You can create flow logs for your network interfaces as well as the public interfaces of the Network Load Balancer and Network Address Translation (NAT) Gateway. Flow logs can publish data to your buckets in the IONOS S3 Object Storage.
After you have created and configured your bucket in the IONOS S3 Object Storage, you can create flow logs for your network interfaces.
Before you create a flow log, make sure that you meet the following prerequisites:
You are logged on to the DCD.
You are the contract owner or an administrator.
You have permissions to edit the required data center.
You have the Create and manage Flow logs privilege.
The VDC is open.
You own, or have write access to the permissions of, an IONOS S3 Object Storage bucket.
You have an IONOS S3 Object Storage instance with a bucket that exists for your flow logs. To create an IONOS S3 Object Storage bucket, see the IONOS S3 Object Storage page.
In the Workspace, select the VM with the network interface for which you want to activate flow logs. (For the public interface of a Network Load Balancer or NAT Gateway, see the Settings tab steps further below.)
In the Inspector pane, open the Network tab.
Open the properties of the Network Interface Controller (NIC).
Activate flow logs
Open the Flow Log drop-down and fill in the following fields:
For Name, enter a name for the flow log rule. The name will also be the first part of the objects’ name prefix.
For Direction, choose Ingress to create flow logs for incoming traffic, Egress for outgoing traffic, or Bidirectional to create flow logs for all traffic.
For Action, choose Rejected to capture only traffic blocked by the firewall, Accepted to capture only traffic allowed by the firewall, or Any for all traffic.
For Target S3 bucket, enter a valid existing IONOS S3 Object Storage bucket name and an optional object name prefix where flow log records should be written.
Select Add flow log to complete the configuration of the flow log. The flow log is applied once you provision your changes.
Characters / (slash) and %2F are not supported as object prefix characters.
You cannot edit the fields of a flow log rule after it has been activated; delete the flow log and create a new one instead.
There is a limit of one flow log created per NIC, NAT Gateway, and Network Load Balancer (NLB).
Result: An activated flow log rule is visualized by a green light on the NIC properties. The green light indicates that the configuration has been validated and is valid for provisioning.
A summary of the flow logs rule can be seen by opening the drop-down of the flow log and selecting the name of the flow log rule.
At this point, you may make further changes to your data center (optional).
When ready, select Provision changes. After provisioning is complete, the network interface's flow logs are activated.
Flow logs can be provisioned on both new and previously provisioned instances.
Deleting a flow log
Prerequisites
Before you delete a flow log, make sure that you meet the following prerequisites:
You are logged on to the DCD.
You are the contract owner or an administrator.
You have permissions to edit the required data center.
You have the Create and manage Flow logs privilege.
The VDC is open.
You own, or have write access to the permissions of, an IONOS S3 Object Storage bucket.
Procedure
Select the relevant VM of the interface for which you want to delete the flow logs in the Workspace.
In the Inspector pane, open the Network tab.
Open the properties of the NIC.
Open the Flow Log drop-down.
Select the trash bin icon to delete the flow log.
In the confirmation message, select OK.
Select Provision changes. After provisioning is complete, the network interface's flow logs are deleted and no longer captured.
Deleting a flow log does not delete the existing flow log objects from your bucket; delete that data in IONOS S3 Object Storage yourself. In addition, deleting a flow log that publishes to IONOS S3 Object Storage does not remove the bucket policies and log file access control lists (ACLs), so review those too if the bucket is no longer needed for flow logs.
For the public interface of a Network Load Balancer or NAT Gateway, the flow log is configured from the Settings tab rather than from a NIC: in the Inspector pane, open the Settings tab.
To activate flow logs, open the Flow Log drop-down and fill in the following fields:
For Name, enter a name for the flow log rule. The name will also be the first part of the objects’ name prefix.
For Direction, choose Ingress to create flow logs for incoming traffic, Egress for outgoing traffic, or Bidirectional to create flow logs for all traffic.
For Action, choose Rejected to capture only traffic blocked by the firewall, Accepted to capture only traffic allowed by the firewall, or Any for all traffic.
For Target S3 bucket, enter a valid existing IONOS S3 Object Storage bucket name and an optional object name prefix where flow log records should be written.
Select Add flow log to complete the configuration of the flow log. The flow log is applied once you provision your changes.
Flow log record fields

Field | Type | Description | Example Value |
---|---|---|---|
version | string | The flow log version. Version 2 is the default. | 2 |
account-id | string | The IONOS Cloud account ID of the owner of the resource containing the interface for which flow logs are collected. | 12345678 |
interface_id | string | The unique identifier (UUID) of the interface for which flow logs are collected. | 7ffd6527-ce80-4e57-a949-f9a45824ebe2 |
srcaddr | string | The source address for incoming traffic, or the IPv4 address of the network interface for outgoing traffic. | 172.17.1.100 |
dstaddr | string | The destination address for outgoing traffic, or the IPv4 address of the network interface for incoming traffic. | 172.17.1.101 |
srcport | uint16 | The source port from which the network flow originated. | 59113 |
dstport | uint16 | The destination port for the network flow. | 20756 |
protocol | uint8 | The Internet Assigned Numbers Authority (IANA) protocol number of the traffic. For more information, see Assigned Internet Protocol Numbers. | 6 |
packets | uint64 | The number of packets transferred during the network flow capture window. | 17 |
bytes | uint64 | The number of bytes transferred during the network flow capture window. | 1325 |
start | string | The timestamp, in Unix epoch format, of when the first packet of the flow was received within the grouping interval. | 1587983051 |
end | string | The timestamp, in Unix epoch format, of when the last packet of the flow was received within the grouping interval. | 1587983052 |
action | string | The action associated with the traffic: ACCEPT (traffic accepted by the firewall) or REJECT (traffic rejected by the firewall). | ACCEPT |
log-status | string | The flow log logging status: OK (normal flow logging) or SKIPDATA (some flow log records were skipped during the grouping interval). | OK |