Updated on 2024-11-18 GMT+08:00

VPC Dashboard Template

A VPC is an isolated and private virtual network environment. You can configure the IP address ranges, subnets, and security groups, assign EIPs, and allocate bandwidth for a VPC. A VPC flow log records traffic information. It helps you monitor network traffic, analyze network attacks, and validate security group and Access Control List (ACL) rules.

LTS provides a one-stop wizard to collect VPC logs. It also structures the logs and offers a dashboard for them. The VPC Flow Logs dashboard displays the total number of actions, accepted bytes/packets, rejected bytes/packets, action sources, number of actions per minute, action distribution, flow log records distribution by status, carrier distribution of action sources, top 5 source/destination addresses by bytes, top 5 destination ports by packets, packets per minute by protocol, and ENIs.

Prerequisites

Viewing VPC Flow Logs

  1. Log in to the LTS console. In the navigation pane, choose Log Management.
  2. In the Log Applications area, click VPC Flow Log Center and choose Go to the Dashboard.
  3. Choose VPC dashboard templates under Dashboard Templates and click VPC Flow Logs to view the chart details.

    • Total Actions. The associated query and analysis statement is:
      select CASE WHEN total_actions < 1000 THEN concat(cast( total_actions AS VARCHAR), 'Actions') WHEN total_actions < 1000 * 1000 THEN concat(cast(round(total_actions / 1000.0, 2) AS VARCHAR),'Thousand actions') WHEN total_actions < 1000000000 THEN concat(cast(round(total_actions / 1000000.0, 2) AS VARCHAR),'Million actions') WHEN total_actions / 1000.0 < 1000000000 THEN concat(cast(round(total_actions / 1000 / 1000000.0, 1) AS VARCHAR),'Billion actions') ELSE concat(cast(round(total_actions / 1000.0 / 1000 / 1000 / 1000, 1) AS VARCHAR),'Trillion actions') END AS "total_actions" from (select count(1) as total_actions where log_status='OK' and version=1)
    • Total Accepted Bytes. The associated query and analysis statement is:
      select CASE WHEN accept_bytes < 1024 THEN concat(cast( accept_bytes AS VARCHAR), 'B') WHEN accept_bytes < 1024 * 1024 THEN concat(cast(round(accept_bytes / 1024, 2) AS VARCHAR),'KB') WHEN accept_bytes < 1000000000 THEN concat(cast(round(accept_bytes /1024.0 /1024, 2) AS VARCHAR),'MB') WHEN accept_bytes / 1000.0 < 1000000000 THEN concat(cast(round(accept_bytes / 1024 / 1000000.0, 2) AS VARCHAR),'GB') ELSE concat(cast(round(accept_bytes / 1000.0 / 1000 / 1000 / 1000, 1) AS VARCHAR),'TB') END AS "accept_bytes" from (select sum(bytes) as accept_bytes where log_status='OK' and version=1 and action='ACCEPT')
    • Total Accepted Packets. The associated query and analysis statement is:
      select CASE WHEN accept_packets < 1024 THEN concat(cast( accept_packets AS VARCHAR), 'B') WHEN accept_packets < 1024 * 1024 THEN concat(cast(round(accept_packets / 1024, 2) AS VARCHAR),'KB') WHEN accept_packets < 1000000000 THEN concat(cast(round(accept_packets /1024.0 /1024, 2) AS VARCHAR),'MB') WHEN accept_packets / 1000.0 < 1000000000 THEN concat(cast(round(accept_packets / 1024 / 1000000.0, 2) AS VARCHAR),'GB') ELSE concat(cast(round(accept_packets / 1000.0 / 1000 / 1000 / 1000, 1) AS VARCHAR),'TB') END AS "accept_packets" from (select sum(packets) as accept_packets where log_status='OK' and version=1 and action='ACCEPT')
    • Total Rejected Bytes. The associated query and analysis statement is:
      select CASE WHEN reject_bytes < 1024 THEN concat(cast( reject_bytes AS VARCHAR), 'B') WHEN reject_bytes < 1024 * 1024 THEN concat(cast(round(reject_bytes / 1024, 2) AS VARCHAR),'KB') WHEN reject_bytes < 1000000000 THEN concat(cast(round(reject_bytes /1024.0 /1024, 2) AS VARCHAR),'MB') WHEN reject_bytes / 1000.0 < 1000000000 THEN concat(cast(round(reject_bytes / 1024 / 1000000.0, 2) AS VARCHAR),'GB') ELSE concat(cast(round(reject_bytes / 1000.0 / 1000 / 1000 / 1000, 1) AS VARCHAR),'TB') END AS "reject_bytes" from (select sum(bytes) as reject_bytes where log_status='OK' and version=1 and action='REJECT')
    • Total Rejected Packets. The associated query and analysis statement is:
      select CASE WHEN reject_packets < 1024 THEN concat(cast( reject_packets AS VARCHAR), 'B') WHEN reject_packets < 1024 * 1024 THEN concat(cast(round(reject_packets / 1024, 2) AS VARCHAR),'KB') WHEN reject_packets < 1000000000 THEN concat(cast(round(reject_packets /1024.0 /1024, 2) AS VARCHAR),'MB') WHEN reject_packets / 1000.0 < 1000000000 THEN concat(cast(round(reject_packets / 1024 / 1000000.0, 2) AS VARCHAR),'GB') ELSE concat(cast(round(reject_packets / 1000.0 / 1000 / 1000 / 1000, 1) AS VARCHAR),'TB') END AS "reject_packets" from (select sum(packets) as reject_packets where log_status='OK' and version=1 and action='REJECT')
    • Action Sources. The associated query and analysis statement is:
      select IP_TO_PROVINCE(srcaddr) as province, count(1) as total_actions where IP_TO_COUNTRY(srcaddr) = 'China' group by province HAVING province not in ('','Reserved address','*')
    • Actions/Min. The associated query and analysis statement is:
      select TIME_FORMAT(date_trunc('minute', MILLIS_TO_TIMESTAMP("start" * 1000)),'MM-dd HH:mm') as "t", "action", count(1) as "total_actions" where log_status='OK' and version=1 group by "t", "action" order by t asc limit 1000
    • Action Results. The associated query and analysis statement is:
      select action, count(1) as total_actions where log_status='OK' and version=1 group by action
    • Flow Log Records By Status. The associated query and analysis statement is:
      select log_status, count(1) as total_actions where version=1 group by log_status
    • Carriers of Action Source. The associated query and analysis statement is:
      select ip_to_provider(srcaddr) as src_addr_provider, count(1) as total_actions where log_status='OK' and version=1 group by src_addr_provider order by total_actions desc limit 5
    • Top 5 Sources by Bytes. The associated query and analysis statement is:
      select srcaddr, sum(bytes) as total_bytes where log_status='OK' and version=1 group by srcaddr order by total_bytes desc limit 5
    • Top 5 Destinations by Bytes. The associated query and analysis statement is:
      select dstaddr, sum(bytes) as total_bytes where log_status='OK' and version=1 group by dstaddr order by total_bytes desc limit 5
    • Top 5 Destination Ports by Packets. The associated query and analysis statement is:
      select dstport, sum(packets) as total_packets where log_status='OK' and version=1 group by dstport order by total_packets desc limit 5
    • Packets/Min by Protocol. The associated query and analysis statement is:
      select TIME_FORMAT(date_trunc('minute', MILLIS_TO_TIMESTAMP("start" * 1000)),'MM-dd HH:mm') as t, protocol, sum(packets) as total_packets where log_status='OK' and version=1 group by t, protocol order by t asc limit 1000
    • ENIs. The associated query and analysis statement is:
      select interface_id as "ID", sum(packets) as 'Data Packets', sum(bytes) as 'Data Packet Size' where log_status='OK' and version=1 group by "ID"
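
Flow logs are described above as a way to validate security group and ACL rules. The following statement is an added example, not one of the template's built-in charts: it compares accepted and rejected flows per destination port and protocol, so a port that accepts traffic it should not, or rejects traffic it should allow, stands out. It uses only fields and constructs that appear in the statements above; the aliases accepted_flows, rejected_flows, and rejected_packets are names chosen for this example.

```sql
-- Added example: accepted vs. rejected flows per destination port and protocol.
-- Same filters as the dashboard statements (valid records, version 1).
select dstport,
       protocol,
       -- flows the security group / ACL rules let through
       sum(CASE WHEN action = 'ACCEPT' THEN 1 ELSE 0 END) as accepted_flows,
       -- flows the rules dropped
       sum(CASE WHEN action = 'REJECT' THEN 1 ELSE 0 END) as rejected_flows,
       -- volume of dropped traffic, to separate stray probes from sustained attempts
       sum(CASE WHEN action = 'REJECT' THEN packets ELSE 0 END) as rejected_packets
where log_status = 'OK' and version = 1
group by dstport, protocol
order by rejected_flows desc
limit 20
```

The `--` lines are annotations for the reader; remove them if the query box does not accept SQL comments.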