VPC Flow Log

VPC flow logs help you collect traffic information about instances in a specified VPC, including inbound and outbound traffic. After creating a flow log, you can view the flow log records in the log group that you configured.

Flow logs can help you:

Monitor the traffic of security groups and network ACL and optimize their rules.
Monitor the traffic of network instances and analyze network attacks.
Determine the direction of the traffic to and from network interfaces.

The collection of flow log data does not affect the throughput or latency of your network. You can create or delete flow logs as required, which does not affect your network performance.

The VPC flow log function itself is free of charge, but you may be charged for other resources used. For example, if data is stored in Log Tank Service (LTS), you will be billed based on the LTS standards. For details, see the Log Tank Service User Guide.

VPC Flow Log Data

You can create a flow log for a network interface, subnet, or VPC. If you create a flow log for a subnet or a VPC, each network interface in the subnet or VPC is monitored.

The traffic of a monitored network interface is collected and flow log data is generated, including the network interface ID, source address, destination address, source port, destination port, and packet size of the traffic.

**Table 1** VPC flow log field description
Field	Description	Example
version	VPC flow log version.	1
project-id	ID of the project that the object monitored by flow log belongs to.	5f67944957444bd6bb4fe3b367de8f3d
interface-id	ID of the network interface that the flow log data is generated for.	1d515d18-1b36-47dc-a983-bd6512aed4bd
srcaddr	Source address.	192.168.0.154
dstaddr	Destination address.	192.168.3.25
srcport	Source port.	38929
dstport	Destination port.	53
protocol	Internet Assigned Numbers Authority (IANA) protocol number. For details, see Assigned Internet Protocol Numbers.	17
packets	The number of packets transferred during the capture window.	1
bytes	The number of bytes transferred during the capture window.	96
start	The time, in Unix seconds, of the start of the capture window.	1548752136
end	The time, in Unix seconds, of the end of the capture window.	1548752736
action	The action that is associated with the traffic. ACCEPT: The traffic was allowed by security groups or network ACLs. REJECT: The traffic was denied by security groups or network ACLs.	ACCEPT
log-status	The logging status of the VPC flow log. OK: Data is logged normally to the chosen destinations. NODATA: There was no traffic to or from the network interface during the capture window. SKIPDATA: Some flow log records were skipped during the capture window. This may be caused by an internal capacity constraint or an internal error. Example: When Filter is set to Accepted traffic, if there is accepted traffic, the value of log-status is OK. If there is no accepted traffic, the value of log-status is NODATA regardless of whether there is rejected traffic. If some accepted traffic is abnormally skipped, the value of log-status is SKIPDATA.	OK

Notes and Constraints

Currently, S2, M2, Hc2, H2, D2, P1, G3, Pi1, FP1, S3, C3, M3, H3, D3, Ir3, I3, Sn3, S6, E3, C3ne, M3ne, G5, P2v, Ai1, C6, M6, and D6 ECSs support VPC flow logs.
For details about ECS types, see ECS Types.
Each account can have up to 10 VPC flow logs in a region.

Parent Topic: VPC Flow Log

Previous topic: VPC Flow Log

Next topic: Creating a VPC Flow Log

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel