
Flow Logs

The Flow Logs feature captures IPv4 and IPv6 network traffic flows and helps debug connectivity issues and monitor network performance. Flow logs are stored in an IONOS Object Storage bucket and can be accessed for analysis and visualization. Traffic flow details include source and destination IP addresses, ports, protocol, packet count, byte count, and capture times. Logs are written in intervals as objects whose names carry a timestamp, and can be retained or deleted manually or through an automatic lifecycle configuration. A flow log's configuration cannot be altered after creation, and there is a limit of one flow log per network interface, Managed NAT Gateway, and Managed Network Load Balancer.

Product Overview

Quick Links

Developer Tools

Configure Flow Logs

Learn how to configure the flow logs.

Delete a Flow Log

Learn how to delete a flow log.

Overview

Learn about Flow Logs, configure and manage network traffic flows.

How-Tos

Learn how to configure and delete the Flow Logs.

Flow Log Record

Learn how to use the Flow Log record.

Cloud API

Access the REST API documentation for Flow Logs.

SDKs

Interact with Flow Logs using SDKs.

Config Management Tools

Explore configuration management tools compatible with Flow Logs.

Overview

Use the Flow logs feature to capture data that is related to IPv4 and IPv6 network traffic flows. Flow logs can be enabled for each network interface of a Virtual Machine (VM) instance, as well as the public interfaces of the Managed Network Load Balancer (NLB) and Managed Network Address Translation (NAT) Gateway.

Flow logs can help you with several tasks such as:

  • Debugging connectivity and security issues

  • Monitoring network throughput and performance

  • Logging data to ensure that firewall rules are working as expected

Flow logs are stored in a customer IONOS Object Storage bucket, which you configure when you create a flow log collector.

Note: Flow logs write IPv4 and IPv6 traffic flow data to user-owned buckets only; contract-owned buckets are not supported.

Network traffic flows

A network traffic flow is a sequence of packets sent from a specific source to a specific unicast, anycast, or multicast destination. A flow could be made up of all packets in a specific transport connection or a media stream. However, a flow is not always mapped to a transport connection one-to-one.

A flow consists of the following network information:

  • Source IP address

  • Destination IP address

  • Source port

  • Destination port

  • Internet protocol

  • Number of packets

  • Bytes

  • Capture start time

  • Capture end time

Core concepts

  • Flow log data for a monitored network interface is stored as flow log records, which are log events containing fields that describe the traffic flow. For more information, see Flow Log Record.

  • Flow log records are written to flow logs, which are then stored in a user-defined IONOS Object Storage bucket from where they can be accessed.

  • You can export, process, analyze, and visualize flow logs using tools, such as Security Information and Event Management (SIEM) systems, Intrusion Detection Systems (IDS), Cyberduck, Logstash, etc.

  • Traffic flows in your network are captured based on the defined rules.

  • Flow logs are collected at a 10-minute rotation interval and have no impact on customer resources or network performance. Statistics about a traffic flow are collected and aggregated during this time period to create a flow log record.

  • Flow logs can capture network traffic flow data for IPv4 and IPv6 addresses in user-owned buckets.

Note: No flow log file will be created if no flows for a particular bucket are received during the log rotation interval. This prevents empty objects from being uploaded to the IONOS Object Storage.

  • The flow log file's name is prefixed with an optional object prefix, followed by a Unix timestamp and the file extension .log.gz. Example: flowlogs/webserver01-1629810635.log.gz.

  • Flow logs are retained in the IONOS Object Storage bucket until they are manually deleted. Alternatively, you can configure objects to be deleted automatically after a predefined time period using a Lifecycle Policy for an object in the IONOS Object Storage. For more information, see Delete objects.

  • The IONOS Object Storage owner of the object is an IONOS internal technical user named [email protected] with Canonical ID 31721881|65b95d54-8b1b-459c-9d46-364296d9beaf.

Warning: Never remove the IONOS Cloud internal technical user from your bucket's permissions, as this disables the flow log service. The bucket owner also receives full permissions on the flow log objects by default, so review the bucket's access settings if the logs are to be restricted to a smaller group.

Limitations

This section lists the limitations of Flow logs:

  • You cannot change the configuration of a flow log or the flow log record format after it has been created. In the flow log record, you cannot add or remove fields. Instead, delete the flow log and create a new one with the necessary settings.

  • Flow logs do not operate on contract-owned buckets. However, flow logs can capture network traffic flow data for IPv4 and IPv6 addresses in user-owned buckets.

  • There is a limit of one flow log created per NIC, Managed NAT Gateway, and Managed Network Load Balancer.

Delete a Flow Log

Prerequisites:

  • Only contract administrators, owners, and users with the Create Flow logs permission can create a flow log. Ensure that you have the necessary permission and sufficient memory available.

  • Make sure you have the corresponding privilege to enable IONOS Object Storage. Only contract administrators and owners can enable Object Storage.

To delete a flow log, follow these steps:

1. In the DCD, go to Menu > Virtual Data Centers.

2. Open the required data center.

3. Select the relevant VM for which you want to delete the flow logs. Open the properties of the Network Interface Controller (NIC) and select the Network tab.

4. Select the Flow Log drop-down list.

5. Select the delete icon to delete the flow log. Confirm your selection by selecting OK.

6. Select Provision changes. After provisioning, the flow log is removed and traffic on the network interface is no longer captured.

Result: The flow log is deleted successfully.

Note: Deleting a flow log does not delete the flow log objects already stored in your bucket. Existing flow log data must be deleted in the Object Storage console or through a Lifecycle Policy. In addition, deleting a flow log that publishes to IONOS Object Storage does not remove the bucket policies and log file Access Control Lists (ACLs); review them and remove any permissions that are no longer needed.

Delete a flow log

Configure Flow Logs

You can create flow logs using the DCD for your network interfaces as well as the public interfaces of the Managed Network Load Balancer (NLB) and Managed NAT Gateway. Flow logs can publish data to your buckets in the IONOS Object Storage.

After you have created and configured your bucket in the IONOS Object Storage, you can create flow logs for your network interfaces.

Prerequisites:

  • Only contract administrators, owners, and users with the Create Flow logs permission can create a flow log. Ensure that you have the necessary permission and sufficient memory available.

  • Make sure you have the corresponding privilege to enable IONOS Object Storage. Only contract administrators and owners can enable Object Storage.

Activate flow logs on a network interface

1. In the DCD, go to Menu > Virtual Data Centers.

2. Open the required data center.

3. Go to the Server or Cubes element and select the Network tab. Open the properties of the Network Interface Controller (NIC).

Accessing flow logs

4. Open the Flow Log drop-down list and fill in the fields. Provide an appropriate name for the flow log rule in the Name field. The name will also be the first part of the object name prefix.

Configure flow logs

5. Choose a Direction from the drop-down list to define which traffic is captured:

  • Ingress: To capture flow logs for incoming traffic.

  • Egress: To capture flow logs for outgoing traffic.

  • Bidirectional: To capture flow logs in both directions, inbound and outbound.

6. Select an Action from the drop-down list. This is the action taken on a network packet or flow by the firewall, as observed by the flow logging system:

  • Rejected: To capture only traffic blocked by the firewall.

  • Accepted: To capture only traffic allowed by the firewall.

  • Any: To capture all of the traffic.

7. Enter a valid existing IONOS Object Storage bucket name in the Target Object Storage bucket field. Optionally, add an object name prefix under which the flow log records should be written.

8. Select Add flow log to complete the configuration of the flow log. Once you provision your changes, it will be available.

Note:

  • Characters / (slash) and %2F are not supported as object prefix characters.

  • You cannot edit fields of a flow log rule after activating it.

  • There is a limit of one flow log created per NIC, Managed NAT Gateway, and Managed NLB.

Result: You can view the activated flow log rule indicated by a green light on the NIC properties. The green light indicates that the configuration has been validated and is valid for provisioning.

Valid flow log rule

Select the Flow Log drop-down list and choose the name of the flow log rule for which you want to view the summary.

Flow log summary

(Optional) At this point, you may make further changes to your data center.

Once ready, select Provision changes. After provisioning is complete, the network interface's flow logs are activated.

Note: Flow logs can be provisioned on both new and previously provisioned instances.

Activate flow logs on a Managed NAT Gateway or Managed Network Load Balancer

1. In the DCD, go to Menu > Virtual Data Centers.

2. Open the required data center.

3. Go to the Managed NAT Gateway or Managed Network Load Balancer element and select the Settings tab.

View of the Setting tab

4. Open the Flow Log drop-down list and provide an appropriate name for the flow log rule in the Name field. The name will also be the first part of the objects' name prefix.

View of the Flow Log drop-down list

5. Choose a Direction from the drop-down list to define which traffic is captured:

  • Ingress: To capture flow logs for incoming traffic.

  • Egress: To capture flow logs for outgoing traffic.

  • Bidirectional: To capture flow logs in both directions, inbound and outbound.

6. Select an Action from the drop-down list. This is the action taken on a network packet or flow by the firewall, as observed by the flow logging system:

  • Rejected: To capture only traffic blocked by the firewall.

  • Accepted: To capture only traffic allowed by the firewall.

  • Any: To capture all of the traffic.

7. Enter a valid existing IONOS Object Storage bucket name in the Target Object Storage bucket field. Optionally, add an object name prefix under which the flow log records should be written.

8. Select Add flow log to complete the configuration of the flow log. Once you provision your changes, it will be available.

Result: You can view the activated flow log rule indicated by a green light in the element's Settings tab. The green light indicates that the configuration has been validated and is valid for provisioning. Once ready, select Provision changes; after provisioning is complete, the flow logs are activated.


Flow Log Record

A flow log record is a record of a network flow in your VDC. By default, each record captures an Internet Protocol (IP) traffic flow, groups its packets, and is enriched with the following information:

  • Account ID of the resource

  • Unique identifier of the network interface

  • The flow status, indicating whether it was accepted or rejected by the Software Defined Network (SDN) layer

The flow log record is in the following format:

<version> <account-id> <interface-id> <srcaddr> <dstaddr> <srcport> <dstport> <protocol> <packets> <bytes> <start> <end> <action> <log-status>

Available fields

The following list describes all of the available fields of a flow log record, with the field type and an example value.

  • version (string): The flow log version. Version 2 is the default. Example: 2

  • account-id (string): The IONOS Cloud account ID of the owner of the resource containing the interface for which flow logs are collected. Example: 12345678

  • interface-id (string): The unique identifier (UUID) of the interface for which flow logs are collected. Example: 7ffd6527-ce80-4e57-a949-f9a45824ebe2

  • srcaddr (string): The source IP address for incoming traffic, or the IP address of the network interface for outgoing traffic (IPv4 or IPv6). Example: 172.17.1.100

  • dstaddr (string): The destination IP address for outgoing traffic, or the IP address of the network interface for incoming traffic (IPv4 or IPv6). Example: 172.17.1.101

  • srcport (uint16): The source port from which the network flow originated. Example: 59113

  • dstport (uint16): The destination port of the network flow. Example: 20756

  • protocol (uint8): The Internet Assigned Numbers Authority (IANA) protocol number of the traffic. For more information, see the IANA list of Assigned Internet Protocol Numbers. Example: 6 (TCP)

  • packets (uint64): The number of packets transferred during the network flow capture window. Example: 17

  • bytes (uint64): The number of bytes transferred during the network flow capture window. Example: 1325

  • start (string): The timestamp, in UNIX epoch format, of when the first packet of the flow was received within the grouping interval. Example: 1587983051

  • end (string): The timestamp, in UNIX epoch format, of when the last packet of the flow was received within the grouping interval. Example: 1587983052

  • action (string): The action associated with the traffic: ACCEPT for traffic accepted by the firewall, REJECT for traffic rejected by the firewall. Example: ACCEPT

  • log-status (string): The flow log logging status: OK for normal flow logging, SKIPDATA when some flow log records were skipped during the grouping interval, so the packet and byte counts for that interval are incomplete. Example: OK

Flow log record example

The following are examples of flow log records that capture specific traffic flows. For information on how to create flow logs, see Configure Flow Logs.

Accepted record

In this example, traffic to the network interface 7ffd6527-ce80-4e57-a949-f9a45824ebe2 for the account 12345678 is accepted.

2 12345678 7ffd6527-ce80-4e57-a949-f9a45824ebe2 172.17.1.100 172.17.1.101 59113 20756 6 17 1325 1587983051 1587983052 ACCEPT OK

Rejected record

In this example, traffic to the network interface 7ffd6527-ce80-4e57-a949-f9a45824ebe2 for the account 12345678 is rejected.

2 12345678 7ffd6527-ce80-4e57-a949-f9a45824ebe2 172.17.1.100 172.17.1.101 59113 20756 6 17 1325 1587983051 1587983052 REJECT OK
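The record format above and the object naming described under Core concepts (an optional prefix and rule name, a Unix timestamp, and the .log.gz extension), worked through as an added Python example that is not IONOS code. It decompresses a flow log object, validates every record against the documented field list, counts the packets the firewall rejected per destination address, port and protocol, and flags records marked SKIPDATA, whose counts are incomplete. The sample object is constructed here: the first two lines are the records shown on this page; the IPv6 and SKIPDATA lines are made up to exercise those cases.

```python
"""Parse IONOS flow log objects (<prefix>-<unix ts>.log.gz, one version 2
record per line) and summarise rejected flows. Added example; the sample
object below is constructed for illustration, not real captured data."""
import gzip
import re
from collections import Counter

# Field order of a version 2 record, as documented above. Hyphens in the
# documented names are replaced with underscores to make dict keys readable.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

# Object key: optional prefix and rule name, "-", Unix timestamp, ".log.gz".
KEY_RE = re.compile(r"^(?P<prefix>.+)-(?P<ts>\d+)\.log\.gz$")


def parse_object_key(key):
    """Return (name prefix, rotation timestamp) for a flow log object key."""
    m = KEY_RE.match(key)
    if m is None:
        raise ValueError(f"not a flow log object key: {key!r}")
    return m.group("prefix"), int(m.group("ts"))


def parse_record(line):
    """Split one record into a dict; reject malformed lines instead of
    silently producing wrong statistics."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for name in INT_FIELDS:
        rec[name] = int(rec[name])
    if rec["action"] not in ("ACCEPT", "REJECT"):
        raise ValueError(f"unknown action {rec['action']!r}")
    if rec["log_status"] not in ("OK", "SKIPDATA"):
        raise ValueError(f"unknown log-status {rec['log_status']!r}")
    return rec


def parse_object(data):
    """Decompress a .log.gz object and parse every non-empty line."""
    text = gzip.decompress(data).decode("ascii")
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def rejected_flows(records):
    """Packets rejected by the firewall, keyed by (dstaddr, dstport, protocol)."""
    rejected = Counter()
    for rec in records:
        if rec["action"] == "REJECT":
            rejected[(rec["dstaddr"], rec["dstport"], rec["protocol"])] += rec["packets"]
    return rejected


def skipped_intervals(records):
    """Number of records flagged SKIPDATA: their interval's counts are incomplete."""
    return sum(1 for rec in records if rec["log_status"] == "SKIPDATA")


# Constructed sample object. The first two lines are the records shown on this
# page; the IPv6 and SKIPDATA lines are made up to exercise those cases.
SAMPLE_KEY = "flowlogs/webserver01-1629810635.log.gz"
NIC = "7ffd6527-ce80-4e57-a949-f9a45824ebe2"
SAMPLE_LINES = [
    f"2 12345678 {NIC} 172.17.1.100 172.17.1.101 59113 20756 6 17 1325 1587983051 1587983052 ACCEPT OK",
    f"2 12345678 {NIC} 172.17.1.100 172.17.1.101 59113 20756 6 17 1325 1587983051 1587983052 REJECT OK",
    f"2 12345678 {NIC} 2001:db8::10 2001:db8::20 51000 443 6 9 2100 1587983053 1587983058 ACCEPT OK",
    f"2 12345678 {NIC} 203.0.113.7 172.17.1.101 40022 22 6 3 180 1587983050 1587983055 REJECT SKIPDATA",
]
SAMPLE_OBJECT = gzip.compress(("\n".join(SAMPLE_LINES) + "\n").encode("ascii"))

if __name__ == "__main__":
    prefix, ts = parse_object_key(SAMPLE_KEY)
    recs = parse_object(SAMPLE_OBJECT)
    print(f"{prefix}: rotation {ts}, {len(recs)} records, "
          f"{skipped_intervals(recs)} with SKIPDATA")
    for (dst, port, proto), pkts in rejected_flows(recs).most_common():
        print(f"REJECT -> {dst} port {port} proto {proto}: {pkts} packets")
```

Feeding real objects in is a matter of replacing SAMPLE_OBJECT with the bytes downloaded from the bucket; the parser rejects lines that do not have exactly 14 fields or carry an unknown action or log-status, so a format change or a truncated object fails loudly rather than skewing the REJECT statistics used to verify firewall rules.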