Sumo Logic

Install the Amazon VPC Flow Logs App and view the Dashboards

The Amazon VPC Flow Logs App provides live, interactive dashboards that give insight into rejections, traffic, activity and more.

Install the Sumo Logic App

Now that you have configured Amazon VPC Flow Logs, install the Sumo Logic App for Amazon VPC Flow Logs to take advantage of the preconfigured searches and dashboards to analyze your data. 

To install the app:

Locate and install the app you need from the App Catalog. If you want to see a preview of the dashboards included with the app before installing, click Preview Dashboards.

  1. From the App Catalog, search for and select the app. 
  2. To install the app, click Add to Library and complete the following fields.
    1. App Name. You can retain the existing name, or enter a name of your choice for the app.

    2. Data Source. Select either of these options for the data source.

      • Choose Source Category, and select a source category from the list.

      • Choose Enter a Custom Data Filter, and enter a custom source category beginning with an underscore. Example: (_sourceCategory=MyCategory).

    3. Advanced. Select the Location in Library (the default is the Personal folder in the library), or click New Folder to add a new folder.
    4. Click Add to Library.

Once an app is installed, it will appear in your Personal folder, or in the other folder that you specified. From there, you can share it with your organization.

Panels will start to fill automatically. It's important to note that each panel fills gradually with data that matches its query time range and that was received after the panel was created. Results won't immediately be available, but after a little time you'll see full graphs and maps.

Dashboards

Overview

Dashboard description: See an overview of IP traffic going to and from network interfaces in your VPC, including the geolocation of source addresses, the top 10 sources and destinations by MB, rejections per minute, and a breakdown of accepted vs. rejected connections.

Use case: Use this dashboard for an overview of traffic flowing through your network. It lists the top source and destination addresses, protocols and network interfaces, which can help you narrow your rules to only the IP address ranges and protocols the application actually requires.

VPC-Overivew.png

Filter the Overview dashboard

You can filter the Overview dashboard by any combination of DestinationIP, SourceIP, action, dest_port, interfaceid, protocol, and src_port.

amazon-vpc-flow-logs-overview-filter.png

Accepts

Dashboard description: See information about accepted connections, including the geolocation of source addresses for accepted connections, the top 10 accepts by Interface ID and protocol, and the top 10 destination addresses.

Use case: Use this dashboard to track requests that are permitted by Security Groups and Network ACLs. You can compare bytes and packets received per minute with yesterday and last week. Similarly, you can track abnormal activity and volume spikes.

amazon-vpc-flow-logs-accepts.png

Filter the Accepts dashboard

In the filters pane, you can configure these parameters for the outlier analysis performed by the "Accepts by Minute - Outlier" panel: Consecutive, Threshold, Window, and Timeslice.

You can also filter the Accepts dashboard by any combination of DestinationIP, SourceIP, dest_port, interfaceid, protocol, and src_port.

amazon-vpc-flow-logs-accepts-filter.png

Rejects

Dashboard description: See information about rejected connections, including the geolocation of source addresses for rejected connections, the top 10 rejects by Interface ID and protocol, and the top 10 destination addresses.

Use case: Use this dashboard to track requests that are not permitted by Security Groups and Network ACLs. You can compare bytes and packets rejected per minute with yesterday and last week, and monitor the top source IPs and ports from which requests are being rejected.

VPC-Rejections.png

Filter the Rejects dashboard

In the filters pane, you can configure these parameters for the outlier analysis performed by the "Rejects by Minute - Outlier" panel: Consecutive, Threshold, Window, and Timeslice.

You can also filter the Rejects dashboard by any combination of DestinationIP, SourceIP, dest_port, interfaceid, protocol, and src_port.

amazon-vpc-flow-logs-rejects-filter.png

Traffic

Dashboard description: See traffic details, including the counts of unique traffic sources and destinations, the total accepted and rejected traffic, the top 10 source and destination ports, and analyses of bytes and packets transmitted.

Use case: Use this dashboard to compare permissive and non-permissive traffic by port, protocol and network interface. You can also monitor abnormal behavior and current and future trends based on the total packets and bytes flowing across the network. Filter by Action to separate permissive from non-permissive traffic, and by interfaceid, src_ip, dest_ip, src_port or dest_port to narrow the traffic further for analysis.

Filter the Traffic dashboard

In the filters pane, you can configure these parameters for the outlier analysis performed by several panels: Consecutive, Threshold, Window, and Timeslice.

You can also filter the Traffic dashboard by any combination of DestinationIP, SourceIP, action, dest_port, interfaceid, protocol, and src_port.

amazon-vpc-flow-logs-traffic-filter.png

Security Groups

Dashboard description: See information about security groups, subnets and VPCs along with the flow direction (inbound/outbound), including the top VPCs and subnets by bytes, the top 5 security groups by packets, the number of unique VPCs, subnets and security groups, and the destination port distribution by security group.

Key facts about this dashboard:

  • This dashboard is populated only if you chose the VPC-JSON option for LogFormat when you deployed the CloudFormation template.
  • If your network interface has multiple IPv4 addresses and traffic is sent to a secondary private IPv4 address, the flow log displays the primary private IPv4 address in the destination IP address field.
  • The Direction field has three values:
    • internal. The SourceIP and DestinationIP are both in the same subnet.
    • inbound. The DestinationIP matches the ENI's private IP address.
    • outbound. The SourceIP matches the ENI's private IP address.

Use case: Use this dashboard to monitor traffic direction and to identify over-permissive and overly restrictive security groups. You can also use it to find unused security groups and inbound rules by comparing the traffic associated with a security group against that group's rules in the EC2 console.
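The three Direction values and the accepted-vs-rejected breakdown above are easy to reproduce outside the dashboard, which is useful when checking what a panel is telling you. The following is an added example, not Sumo Logic's code or the app's query: it parses default-format (version 2) VPC Flow Log records, classifies each record as internal, inbound or outbound using the rules listed under "Key facts", and totals bytes by action and by source. The ENI inventory (interface id, primary private IPv4, subnet CIDR) and the log lines are constructed sample data; how the app itself resolves the ENI's private IP is an assumption.

```python
"""Classify VPC Flow Log records by direction and summarize accept/reject traffic.

Added example (not Sumo Logic's code). Direction rules follow the dashboard's
definitions: internal = both addresses in the ENI's subnet, inbound = dstaddr is
the ENI's primary private IP, outbound = srcaddr is the ENI's primary private IP.
"""
import ipaddress
from collections import Counter

# Field order of the default VPC Flow Log format (version 2).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed ENI inventory: interface id -> (primary private IPv4, subnet CIDR).
# Assumption: in practice this would come from your VPC inventory, not be hard-coded.
ENI_INVENTORY = {
    "eni-0a1b2c3d": ("10.0.1.10", "10.0.1.0/24"),
    "eni-0e5f6a7b": ("10.0.2.20", "10.0.2.0/24"),
}

# Constructed sample records. The last line is a NODATA record, which carries no addresses.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.10 49152 443 6 10 8400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 198.51.100.7 33000 443 6 5 2100 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 10.0.1.10 55000 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0e5f6a7b 203.0.113.5 10.0.2.20 49153 3389 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0e5f6a7b 10.0.2.20 10.0.1.10 40000 8080 6 20 30000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0e5f6a7b - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_record(line):
    """Return a dict for one default-format record, or None if it carries no flow data."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":  # NODATA / SKIPDATA records have '-' in the address fields
        return None
    rec["bytes"] = int(rec["bytes"])
    rec["packets"] = int(rec["packets"])
    return rec


def classify_direction(rec, inventory=ENI_INVENTORY):
    """Apply the dashboard's internal / inbound / outbound rules to one record."""
    eni = inventory.get(rec["interface_id"])
    if eni is None:
        return "unknown"
    private_ip, cidr = eni
    subnet = ipaddress.ip_network(cidr)
    src = ipaddress.ip_address(rec["srcaddr"])
    dst = ipaddress.ip_address(rec["dstaddr"])
    if src in subnet and dst in subnet:
        return "internal"
    # Traffic to a secondary private IP is logged with the primary IP as dstaddr,
    # so matching the primary IP is sufficient for the inbound check.
    if str(dst) == private_ip:
        return "inbound"
    if str(src) == private_ip:
        return "outbound"
    return "unknown"


def summarize(log_text, inventory=ENI_INVENTORY, top_n=3):
    """Bytes by action, record counts by direction, and the top sources by bytes."""
    bytes_by_action = Counter()
    records_by_direction = Counter()
    bytes_by_source = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        bytes_by_action[rec["action"]] += rec["bytes"]
        records_by_direction[classify_direction(rec, inventory)] += 1
        bytes_by_source[rec["srcaddr"]] += rec["bytes"]
    return {
        "bytes_by_action": dict(bytes_by_action),
        "records_by_direction": dict(records_by_direction),
        "top_sources_by_bytes": bytes_by_source.most_common(top_n),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A rejected inbound flow to port 3389 from an external address, as in the sample, is exactly the kind of record the Rejects dashboard's top-source and top-port panels surface; running the same classification over a real export lets you confirm that a security group you believe is unused really receives no accepted inbound flows before you remove it.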

amazon-vpc-flow-logs-security-groups.png

Filter the Security Groups dashboard

In the filters pane, you can configure these parameters for the outlier analysis performed by several panels: Consecutive, Threshold, Window, and Timeslice.

You can also filter the Security Groups dashboard by any combination of DestinationIP, SourceIP, action, dest_port, interfaceid, protocol, security_grp_id, src_port, subnet_id, and vpc_id.

amazon-vpc-flow-logs-security-groups-filter.png