Sumo Logic

Collect Amazon VPC Flow Logs using AWS S3 Source

Instructions for collecting Amazon VPC Flow Logs using an AWS S3 Source.

This page has instructions for collecting Amazon VPC Flow Logs using an AWS S3 source. If you prefer to collect VPC logs using a CloudFormation template, see Collect Amazon VPC Flow Logs using a CloudFormation Template.

Step 1: Enable Amazon VPC Flow Logs

  1. You can use an existing S3 bucket, or create a new one, as described in Create a S3 bucket in AWS help.
  2. Create flow logs for your VPCs, subnets, or network interfaces. For instructions, see Creating a Flow Log that Publishes to Amazon S3 in AWS help.
  3. Confirm that logs are being delivered to the S3 bucket. Log files are saved to the bucket using the following folder structure:
    bucket_ARN/optional_folder/AWSLogs/aws_account_id/vpcflowlogs/region/year/month/day/log_file_name.log.gz

Step 2: Configure AWS S3 source

  1. Grant Access to an AWS S3 Bucket.
  2. Enable logging using the AWS Management Console.
  3. When you create an AWS Source, you associate it with a Hosted Collector. Before creating the Source, identify the Hosted Collector you want to use, or create a new Hosted Collector. For instructions, see Configure a Hosted Collector.
  4. Add an AWS Source for the S3 Source to Sumo Logic. When you configure the S3 source:
    1. In the Advanced Options for Logs section, uncheck the Detect messages spanning multiple lines option.
    2. In the Processing Rules for Logs section, add an Exclude messages that match processing rule to ignore the following file header lines:
      version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
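The two details above that matter once the logs land in Sumo Logic are the object-key layout from Step 1 and the header line that the exclude rule in Step 2 drops. The following is an added example, not Sumo Logic's or AWS's code: it parses the `AWSLogs/<account>/vpcflowlogs/<region>/<year>/<month>/<day>/` key layout, reads a gzipped flow-log object, skips the header line exactly as the processing rule does, and tallies REJECT records by source and destination port so a reviewer can see what the excluded header would otherwise have corrupted. The sample object (account id, interface id, addresses and timestamps) is constructed for the example; it does not come from the page.

```python
"""Parse Amazon VPC Flow Log objects delivered to S3 in the default format.

Added example; not Sumo Logic's or AWS's code. Assumes the default (version 2)
record format whose header line is quoted on the page.
"""
import gzip
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Default flow-log header line: the text the page's exclude rule matches.
HEADER = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status")
FIELDS = HEADER.split()

# Object-key layout from Step 1 of the page; the leading folder is optional.
KEY_RE = re.compile(
    r"(?:(?P<prefix>.+?)/)?AWSLogs/(?P<account>\d{12})/vpcflowlogs/"
    r"(?P<region>[a-z0-9-]+)/(?P<year>\d{4})/(?P<month>\d{2})/(?P<day>\d{2})/"
    r"(?P<name>[^/]+\.log\.gz)$")


def parse_key(key: str) -> dict:
    """Split an S3 object key into account, region and date components."""
    m = KEY_RE.match(key)
    if not m:
        raise ValueError(f"not a vpcflowlogs object key: {key}")
    return m.groupdict()


@dataclass
class FlowRecord:
    version: int
    account_id: str
    interface_id: str
    srcaddr: Optional[str]
    dstaddr: Optional[str]
    srcport: Optional[int]
    dstport: Optional[int]
    protocol: Optional[int]
    packets: Optional[int]
    bytes: Optional[int]
    start: int
    end: int
    action: Optional[str]   # ACCEPT / REJECT, or None for NODATA/SKIPDATA rows
    log_status: str         # OK / NODATA / SKIPDATA


def _opt_int(v: str) -> Optional[int]:
    # NODATA and SKIPDATA rows carry "-" in place of a value.
    return None if v == "-" else int(v)


def _opt_str(v: str) -> Optional[str]:
    return None if v == "-" else v


def parse_record(line: str) -> FlowRecord:
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    return FlowRecord(
        version=int(parts[0]), account_id=parts[1], interface_id=parts[2],
        srcaddr=_opt_str(parts[3]), dstaddr=_opt_str(parts[4]),
        srcport=_opt_int(parts[5]), dstport=_opt_int(parts[6]),
        protocol=_opt_int(parts[7]), packets=_opt_int(parts[8]),
        bytes=_opt_int(parts[9]), start=int(parts[10]), end=int(parts[11]),
        action=_opt_str(parts[12]), log_status=parts[13])


def parse_file(gz_bytes: bytes) -> list:
    """Decompress one delivered object and return its records, minus the header."""
    records = []
    for line in gzip.decompress(gz_bytes).decode().splitlines():
        line = line.strip()
        # Skip blank lines and the header row, as the Sumo exclude rule does.
        if not line or line.split() == FIELDS:
            continue
        records.append(parse_record(line))
    return records


def reject_counts(records) -> dict:
    """Count REJECT records by (source address, destination port)."""
    return dict(Counter((r.srcaddr, r.dstport) for r in records if r.action == "REJECT"))


# Constructed sample object: one header line, three OK rows, one NODATA row.
SAMPLE_LINES = [
    HEADER,
    "2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.12 10.0.1.25 49152 22 6 20 4249 1418530010 1418530070 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.25 55321 3389 6 3 180 1418530010 1418530070 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.25 55322 3389 6 3 180 1418530010 1418530070 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1418530010 1418530070 - NODATA",
]
SAMPLE_GZ = gzip.compress("\n".join(SAMPLE_LINES).encode())

if __name__ == "__main__":
    key = "prod/AWSLogs/123456789012/vpcflowlogs/us-east-1/2024/05/01/sample.log.gz"
    print(parse_key(key))
    recs = parse_file(SAMPLE_GZ)
    print(len(recs), "records;", reject_counts(recs))
```

If the header row is not excluded, `parse_record` raises on it (`int("version")` fails), which is the same class of problem the Sumo processing rule avoids: the header parses as a malformed record rather than as data.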