Flow logs

Overview

Flow logs is a feature that allows you to capture data related to IPv4 network traffic flows. Flow logs can be enabled for any network interface of a virtual machine (VM) instance and Network Load Balancer, as well as the public interfaces of the Network Address Translation (NAT) Gateway.
Flow logs can help you with a number of tasks such as:
    Debugging connectivity and security issues
    Monitoring network throughput and performance
    Logging data to ensure that firewall rules are working as expected
Flow logs are stored in a customer’s IONOS Cloud S3 bucket, which you configure when you create a flow log collector.

Network traffic flows

A network traffic flow is a sequence of packets sent from a specific source to a specific unicast, anycast, or multicast destination. A flow could be made up of all packets in a specific transport connection or a media stream. However, a flow is not always mapped to a transport connection one-to-one.
A flow consists of the following network information:
    Source IP address
    Destination IP address
    Source port
    Destination port
    Internet protocol
    Number of packets
    Bytes
    Capture start time
    Capture end time

Flow log basics

Core concepts

Flow log data for a monitored network interface is stored in flow log records, which are log events containing fields that describe the traffic flow. For more information, see flow log record.
Flow logs are collected at a 10-minute rotation interval and have no impact on customer resources or network performance. Statistics about a traffic flow are collected and aggregated during this time period to create a flow log record. Traffic flows in your network are captured in accordance with defined rules.

Storage

Flow log records are written to flow logs, which are then stored in a user-defined IONOS Cloud S3 Object Storage bucket from where they can be accessed.
The flow log file's name is prefixed with an optional object prefix, followed by a Unix timestamp and the file extension .log.gz, for example, flowlogs/webserver01-1629810635.log.gz.
The S3 Object Storage owner of the object is an IONOS Cloud internal technical user named [email protected] (Canonical ID 31721881|65b95d54-8b1b-459c-9d46-364296d9beaf).
Flow logs are retained in the S3 bucket until they are manually deleted. Alternatively, you can configure objects to be deleted automatically after a predefined time period using an S3 object Lifecycle Policy.
No flow log file will be created if no flows for a particular bucket are received during the log rotation interval. This prevents empty objects from being uploaded to S3.
Never delete the IONOS Cloud internal technical user from your bucket, as this disables the flow log service. The bucket owner also receives full permissions to the flow log objects by default.
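The naming scheme and the "no file when no flows" rule above make it possible to audit a bucket listing for missing rotation windows. The following Python code is an added example, not part of the IONOS documentation or tooling; it assumes the Unix timestamp is the 10 digits directly before .log.gz, uses an assumed 60-second tolerance, and runs on a constructed key listing.

```python
import re
from datetime import datetime, timezone

ROTATION_SECONDS = 600  # 10-minute rotation interval stated on this page

# Assumption: the Unix timestamp is the 10 digits directly before ".log.gz";
# everything in front of them is treated as the object prefix.
KEY_RE = re.compile(r"^(?P<prefix>.*?)(?P<ts>\d{10})\.log\.gz$")


def parse_key(key):
    """Return (prefix, UTC datetime) for a flow log object key, else None."""
    m = KEY_RE.match(key)
    if m is None:
        return None
    when = datetime.fromtimestamp(int(m.group("ts")), tz=timezone.utc)
    return m.group("prefix"), when


def find_gaps(keys, slack_seconds=60):  # slack is an assumed tolerance
    """Report, per prefix, consecutive files more than one rotation apart."""
    # A gap means no flows arrived in that window or delivery stopped; check it.
    by_prefix = {}
    for key in keys:
        parsed = parse_key(key)
        if parsed is not None:  # skip objects that are not flow log files
            by_prefix.setdefault(parsed[0], []).append(parsed[1])
    gaps = []
    for prefix, stamps in sorted(by_prefix.items()):
        stamps.sort()
        for earlier, later in zip(stamps, stamps[1:]):
            delta = int((later - earlier).total_seconds())
            if delta > ROTATION_SECONDS + slack_seconds:
                gaps.append((prefix, earlier, later, delta))
    return gaps


# Constructed listing; only the first key appears on this page.
SAMPLE_KEYS = [
    "flowlogs/webserver01-1629810635.log.gz",
    "flowlogs/webserver01-1629811235.log.gz",
    "flowlogs/webserver01-1629813035.log.gz",  # 30 minutes after the previous
    "flowlogs/readme.txt",
]

if __name__ == "__main__":
    for prefix, earlier, later, delta in find_gaps(SAMPLE_KEYS):
        print(f"{prefix}: no file from {earlier:%H:%M:%S} to {later:%H:%M:%S} UTC ({delta}s)")
```

A reported gap on a normally busy interface is a prompt to confirm that the technical user still has access to the bucket and that the flow log still exists.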

Third-party tools

You can export, process, analyze, and visualize flow logs using tools such as Security Information and Event Management (SIEM) systems, Intrusion Detection Systems (IDS), Cyberduck, and Logstash.

Limitations

To use flow logs, you need to be aware of the following limitations:
    You can't change the configuration of a flow log or the flow log record format after it's been created. In the flow log record, for example, you can't add or remove fields. Instead, delete the flow log and create a new one with the necessary settings.
    There is a limit of one flow log created per NIC, NAT Gateway, and Network Load Balancer.