Viewing AWS flow log data

Flow logs that are received through Amazon Web Services (AWS) integrations include extra properties in the flow information.

About this task

In addition to the standard normalized flow properties, the following properties are shown for AWS flow logs:
  • Interface name (available for all IPFIX flows that send this field)
  • Region (available for all IPFIX flows that send this field)
  • Firewall Name (available for all IPFIX flows that send this field)
  • Firewall Event (enumerated, available for all IPFIX flows that send this field)
  • AWS Action (enumerated)
  • AWS Log Status (enumerated)
  • AWS Account ID
  • VPC ID (new in 7.5.0)
  • Subnet ID (new in 7.5.0)
  • Instance ID (new in 7.5.0)
The following table shows the string description for each of the enumerated fields:

Table 1. AWS Enumerated Strings

Enumerated field: Firewall Event
String description: The numerical values for the Firewall Event field map to the following descriptions:
  • 0 = Ignore
  • 1 = Flow Created
  • 2 = Flow Deleted
  • 3 = Flow Denied
  • 4 = Flow Alert
  • 5 = Flow Update
Enumerated field: AWS Action
String description: The numerical values for the AWS Action field map to the following descriptions:
  • 0 = N/A
  • 1 = Accept
  • 2 = Reject
Enumerated field: AWS Log Status
String description: The numerical values for the AWS Log Status field map to the following descriptions:
  • 0 = N/A
  • 1 = OK
  • 2 = No Data
  • 3 = Skip Data

Procedure

To include the description for the enumerated property in your query results, you must include the LOOKUP function in your AQL search string.
  1. Click the Network Activity tab.
  2. In the Advanced Search box, build the AQL query that includes the LOOKUP for the field that you want to include in your search.

    The following examples show the LOOKUP statements for each of the enumerated fields in the AWS flow log:

    LOOKUP('firewall event', "firewall event")
    LOOKUP('aws action', "aws action")
    LOOKUP('aws log status', "aws log status")

    For example, the following query uses a LOOKUP in the WHERE clause and groups the accepted flows by application:

    SELECT APPLICATIONNAME(applicationid), count(*) as NumFlows FROM flows
    WHERE LOOKUP('aws action', "aws action") == 'Accept'
    GROUP BY applicationid ORDER BY NumFlows DESC

    In this example, the query uses a LOOKUP in the SELECT clause to show the number of accepted flows versus rejected flows in the AWS environment:

    SELECT LOOKUP('aws action', "aws action"), count(*) as NumFlows
    FROM flows WHERE "aws action" > 0 GROUP BY "aws action"
    ORDER BY NumFlows DESC LAST 7 DAYS
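As an added example that is not part of the IBM documentation, the following query combines two of the LOOKUPs above in one statement: it lists the most frequent rejected AWS flows over the last 24 hours, resolves both the AWS Action and the Firewall Event values to their descriptions, and filters on AWS Log Status so that records with missing or skipped data (2 = No Data, 3 = Skip Data in Table 1) are excluded. It assumes a deployment that receives flows through the AWS integration; sourceip, destinationip and destinationport are standard QRadar flow columns, and the numeric values in the WHERE clause are the ones from Table 1.

```sql
SELECT
    LOOKUP('aws action', "aws action") AS Action,
    LOOKUP('firewall event', "firewall event") AS FirewallEvent,
    sourceip,
    destinationip,
    destinationport,
    COUNT(*) AS NumFlows
FROM flows
WHERE "aws action" = 2
  AND "aws log status" = 1
GROUP BY "aws action", "firewall event", sourceip, destinationip, destinationport
ORDER BY NumFlows DESC
LIMIT 20
LAST 24 HOURS
```

Because the enumerated columns are grouped by their numeric value while the SELECT shows the LOOKUP description, the result reads as text but sorts and groups on the raw field, the same pattern the second example on this page uses.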