Sumo Logic

Collect Amazon VPC Flow Logs


  1. Enable Amazon VPC Flow Logs

    You can enable Amazon Virtual Private Cloud (VPC) Flow Logs from the Amazon Web Services (AWS) Management Console, the AWS Command Line Interface (CLI), or by making calls to the Elastic Compute Cloud (EC2) API.

    To enable VPC Flow Logs for your VPC and forward them to Sumo Logic, complete the following steps.

  2. Set up the VPC
    1. Go to VPC management, and go to the VPC list.
    2. Select the VPC.
    3. Click Actions > Create Flow Log.
    4. In Create Flow Log, select the IAM role that the flow logs service will assume to publish records to CloudWatch Logs.
      1. If you have not set up IAM permissions yet, click Set Up Permissions.
      2. A new tab opens stating that VPC Flow Logs is requesting permissions to use resources in your account.
      3. Under IAM Role, select Create a new IAM Role.
      4. Add a Role Name that describes your logs, such as VPC-Flow-Logs.
      5. Click Allow.
    5. Back in Create Flow Log, enter the new role you created in Role.
    6. In Destination Log Group enter a descriptive name such as VPCFlowLogs.
    7. Click Create Flow Log. It can take up to an hour for the log group to show up in CloudWatch Logs.
  3. Configure a Hosted Collector in Sumo Logic.
  4. Configure an HTTP Source in Sumo Logic.
  5. Download Sumo's CloudFormation template and deploy your stack following the instructions on Amazon CloudWatch Logs, starting with the Download the CloudFormation template section. 
  6. Subscribe the Lambda function to the VPC Flow Log group.
    1. Select the VPC Flow Log group in the CloudWatch Logs management panel. This is the log group you named in step 2 (VPCFlowLogs in this example).
    2. Click Actions and select Stream to Lambda Function.
    3. Select the Lambda function you created (we used sumo-vpc in our Lambda example).
    4. Click Next.
    5. Select JSON for Log Format.
    6. Click Next.
    7. Click Start Streaming. Wait a few minutes, then search the HTTP Source in Sumo Logic to confirm that flow log records are arriving.
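The same procedure done with the AWS CLI, as an added example that is not Sumo Logic's own script: it creates the flow logs role with a trust policy restricted to the flow logs service and a permissions policy scoped to the destination log group, creates the log group and the flow log, and subscribes the Lambda deployed from the CloudFormation stack. The VPC ID, account ID, region and the Lambda name are placeholders; the role and log group names follow the console steps above. By default the script only prints the aws commands (DRY_RUN=1); set DRY_RUN=0 to execute them against a configured AWS CLI.

```shell
#!/bin/sh
# Added example (not Sumo Logic's own script): the console procedure done
# with the AWS CLI. VPC_ID, ACCOUNT_ID, REGION and LAMBDA_NAME are
# placeholders; LAMBDA_NAME is the function deployed by Sumo's template.
set -eu

VPC_ID="${VPC_ID:-vpc-0123456789abcdef0}"   # placeholder VPC
ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"    # placeholder account
REGION="${REGION:-us-east-1}"
ROLE_NAME="${ROLE_NAME:-VPC-Flow-Logs}"     # role name from step 2
LOG_GROUP="${LOG_GROUP:-VPCFlowLogs}"       # log group name from step 2
LAMBDA_NAME="${LAMBDA_NAME:-sumo-vpc}"      # Lambda name from step 6
DRY_RUN="${DRY_RUN:-1}"

# Print the command (DRY_RUN=1) or execute it (DRY_RUN=0).
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s ' "$@"; echo; else "$@"; fi
}

log_group_arn() {
  echo "arn:aws:logs:$REGION:$ACCOUNT_ID:log-group:$LOG_GROUP"
}

# Trust policy: only the flow logs service, acting for this account, may
# assume the role (the SourceAccount condition blocks confused-deputy use).
trust_policy() {
  cat <<EOF
{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
  "Principal":{"Service":"vpc-flow-logs.amazonaws.com"},
  "Action":"sts:AssumeRole",
  "Condition":{"StringEquals":{"aws:SourceAccount":"$ACCOUNT_ID"}}}]}
EOF
}

# Permissions policy: write access only to the destination log group.
# logs:CreateLogGroup is deliberately omitted because the group is created
# below; the console's "Set Up Permissions" role grants it on "*".
permissions_policy() {
  cat <<EOF
{"Version":"2012-10-17","Statement":[
 {"Effect":"Allow","Action":"logs:DescribeLogGroups","Resource":"*"},
 {"Effect":"Allow",
  "Action":["logs:CreateLogStream","logs:PutLogEvents","logs:DescribeLogStreams"],
  "Resource":"$(log_group_arn):*"}]}
EOF
}

create_role() {
  run aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy)"
  run aws iam put-role-policy --role-name "$ROLE_NAME" \
    --policy-name "${ROLE_NAME}-publish" \
    --policy-document "$(permissions_policy)"
}

create_log_group_and_flow_log() {
  run aws logs create-log-group --region "$REGION" --log-group-name "$LOG_GROUP"
  # Keep evidence long enough for incident response; adjust to your policy.
  run aws logs put-retention-policy --region "$REGION" \
    --log-group-name "$LOG_GROUP" --retention-in-days 90
  # ALL captures ACCEPT and REJECT records; the 60 s aggregation interval
  # shortens the delay before a flow is visible in Sumo Logic.
  run aws ec2 create-flow-logs --region "$REGION" \
    --resource-type VPC --resource-ids "$VPC_ID" \
    --traffic-type ALL \
    --log-destination-type cloud-watch-logs \
    --log-group-name "$LOG_GROUP" \
    --deliver-logs-permission-arn "arn:aws:iam::$ACCOUNT_ID:role/$ROLE_NAME" \
    --max-aggregation-interval 60
}

# The console's "Stream to Lambda Function" grants CloudWatch Logs permission
# to invoke the function implicitly; with the CLI it must be granted
# explicitly, scoped to this log group and account.
subscribe_lambda() {
  run aws lambda add-permission --region "$REGION" \
    --function-name "$LAMBDA_NAME" \
    --statement-id "${LOG_GROUP}-subscription" \
    --action lambda:InvokeFunction \
    --principal logs.amazonaws.com \
    --source-arn "$(log_group_arn):*" \
    --source-account "$ACCOUNT_ID"
  # An empty filter pattern forwards every record in the group.
  run aws logs put-subscription-filter --region "$REGION" \
    --log-group-name "$LOG_GROUP" \
    --filter-name "$LAMBDA_NAME" \
    --filter-pattern "" \
    --destination-arn "arn:aws:lambda:$REGION:$ACCOUNT_ID:function:$LAMBDA_NAME"
}

main() {
  create_role
  create_log_group_and_flow_log
  subscribe_lambda
}
main
```

If records do not appear in Sumo Logic after a few minutes, run `aws ec2 describe-flow-logs` and inspect the DeliverLogsStatus and DeliverLogsErrorMessage fields: a permissions error there means the role cannot write to the log group, which is the usual failure when the policy is tightened from the console's default of "*".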