Enable Flow Logs
Overview
Use the Flow logs feature to capture data that is related to IPv4 and IPv6 network traffic flows. Flow logs can be enabled for each network interface of a Virtual Machine (VM) instance, as well as the public interfaces of the Network Load Balancer (NLB) and Network Address Translation (NAT) Gateway.
Flow logs can help you with a number of tasks such as:
Debugging connectivity and security issues
Monitoring network throughput and performance
Logging data to ensure that firewall rules are working as expected
Flow logs are stored in a customer’s IONOS S3 Object Storage bucket, which you configure when you create a flow log collector.
Network traffic flows
A network traffic flow is a sequence of packets sent from a specific source to a specific unicast, anycast, or multicast destination. A flow could be made up of all packets in a specific transport connection or a media stream. However, a flow is not always mapped to a transport connection one-to-one.
A flow consists of the following network information:
Source IP address
Destination IP address
Source port
Destination port
Internet protocol
Number of packets
Bytes
Capture start time
Capture end time
Flow log basics
Core concepts
Flow log data for a monitored network interface is stored as flow log records, which are log events containing fields that describe the traffic flow. For more information, see Flow Log Record.
Flow log records are written to flow logs, which are then stored in a user-defined IONOS S3 Object Storage bucket from where they can be accessed.
You can export, process, analyze, and visualize flow logs using tools, such as Security Information and Event Management (SIEM) systems, Intrusion Detection Systems (IDS), Cyberduck, Logstash, etc.
Traffic flows in your network are captured in accordance with the defined rules.
Flow logs are collected at a 10-minute rotation interval and have no impact on customer resources or network performance. Statistics about a traffic flow are collected and aggregated during this time period to create a flow log record.
No flow log file will be created if no flows for a particular bucket are received during the log rotation interval. This prevents empty objects from being uploaded to the IONOS S3 Object Storage.
The flow log file's name is prefixed with an optional object prefix, followed by a Unix timestamp and the file extension
.log.gz
, for example, flowlogs/webserver01-1629810635.log.gz.Flow logs are retained in the IONOS S3 Object Storage bucket until they are manually deleted. Alternatively, you can configure objects to be deleted automatically after a predefined time period using a Lifecycle Policy for an object in the IONOS S3 Object Storage.
The IONOS S3 Object Storage owner of the object is an IONOS internal technical user named flowlogs@cloud.ionos.com (Canonical ID 31721881|65b95d54-8b1b-459c-9d46-364296d9beaf).
Never delete the IONOS Cloud internal technical user from your bucket as this disables the flow log service. The bucket owner also receives full permissions to the flow log objects per default.
Limitations
To use flow logs, you need to be aware of the following limitations:
You can't change the configuration of a flow log or the flow log record format after it's been created. In the flow log record, for example, you can't add or remove fields. Instead, delete the flow log and create a new one with the necessary settings.
There is a limit of one flow log created per NIC, NAT Gateway, and Network Load Balancer.
Last updated