This topic describes how to enable the flow log feature in the Virtual Private Cloud (VPC) console.

Prerequisites

Procedure

Important: Before you can use a RAM user to enable the flow log feature, you must grant the required permissions to the RAM user. For more information, see RAM user authorization.
  1. Log on to the VPC console.
  2. In the left-side navigation pane, choose O&M and Monitoring > Flow Log.
  3. The first time you use the flow log feature, click Authorize and complete the authorization as prompted.
    VPC flow logs can be written to Log Service only after you complete the authorization.
    Warning: Do not delete the RAM role or revoke the required permissions from the RAM role. Otherwise, flow logs cannot be delivered to Log Service.
  4. In the top navigation bar, select the region where the resource instance resides.
    For more information about the regions that support the flow log feature, see Feature release and supported regions.
  5. On the Flow Log page, click Create FlowLog.
  6. In the Create FlowLog dialog box, configure the parameters and click OK. The following table describes the parameters.
    Parameter: Description

    Flow Log Name: The name of the flow log instance.

    Resource Type: Select the type of the resource from which you want to capture traffic, and then select a resource. Valid values:
      • VPC: captures traffic information from all ENIs in the specified VPC. If the VPC contains Elastic Compute Service (ECS) instances that do not support flow logs, traffic information about ENIs of the ECS instances cannot be captured.
      • vSwitch: captures traffic information from all ENIs that are associated with the specified vSwitch. If the vSwitch contains ECS instances that do not support flow logs, traffic information about ENIs of the ECS instances cannot be captured.
      • ENI: captures traffic information about the specified ENI. If the ENI is associated with an ECS instance that does not support flow logs, traffic information about the ENI cannot be captured.

      ECS instances of the following types do not support flow logs:

      ecs.c1, ecs.c2, ecs.c4, ecs.ce4, ecs.cm4, ecs.d1, ecs.e3, ecs.e4, ecs.ga1, ecs.gn4, ecs.gn5, ecs.i1, ecs.m1, ecs.m2, ecs.mn4, ecs.n1, ecs.n2, ecs.n4, ecs.s1, ecs.s2, ecs.s3, ecs.se1, ecs.sn1, ecs.sn2, ecs.t1, and ecs.xn4.

      To enable the flow log feature for ECS instances of the preceding families, you must upgrade the ECS instances. For more information, see Upgrade the instance types of subscription instances and Change the instance type of a pay-as-you-go instance.

    Resource Group: Select the resource group to which the resource instance belongs.

    Resource Instance: Select a resource instance from which you want to capture traffic.

    Traffic Type: The type of traffic.
      • All: captures all traffic of the specified resource.
      • Allow: captures traffic that is allowed by the security group rules of the specified resource.
      • Drop: captures traffic that is denied by the security group rules of the specified resource.

    Project: Select a Log Service project that is used to manage resources related to VPC flow logs, such as Logstores and dashboards.
      • Select Project: Select an existing project.
      • Create Project: Create a project. For more information, see Create a project.

    Logstore: Select a Logstore that is used to store VPC flow logs.
      • Select Logstore: Select an existing Logstore.
      • Create Logstore: Create a Logstore. For more information, see Create a Logstore.

    Turn on FlowLog Analysis Report Function: If you turn on this switch, Log Service enables the indexing feature for the Logstore and creates a dashboard.

      After indexing is enabled, you can query and analyze VPC flow logs.

    Sampling Interval (Minutes): The interval at which flow logs are sampled.

    Description: The description of the flow log instance.
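
The coverage gap described under Resource Type, as an added example that is not part of the original documentation: a VPC-level or vSwitch-level flow log cannot capture ENIs of ECS instances in the unsupported families, so this check compares an instance inventory against the list on this page. The inventory records, their field names, and the handling of a "-<spec>" suffix on the family token are assumptions; families are matched exactly, so ecs.sn1ne is not treated as ecs.sn1.

```python
# Added example: list instances whose ENIs a VPC/vSwitch flow log cannot capture.
# Family list copied from this page; the inventory below is constructed.
UNSUPPORTED_FAMILIES = frozenset(
    "c1 c2 c4 ce4 cm4 d1 e3 e4 ga1 gn4 gn5 i1 m1 m2 mn4 n1 n2 n4 "
    "s1 s2 s3 se1 sn1 sn2 t1 xn4".split()
)

SAMPLE_INVENTORY = [  # constructed records; IDs and field names are hypothetical
    {"id": "i-example01", "type": "ecs.g6.large", "vswitch": "vsw-example-a"},
    {"id": "i-example02", "type": "ecs.sn1.medium", "vswitch": "vsw-example-a"},
    {"id": "i-example03", "type": "ecs.sn1ne.large", "vswitch": "vsw-example-a"},
    {"id": "i-example04", "type": "ecs.gn5-c4g1.xlarge", "vswitch": "vsw-example-b"},
    {"id": "i-example05", "type": "ecs.n4.small", "vswitch": "vsw-example-b"},
    {"id": "i-example06", "type": "custom-image", "vswitch": "vsw-example-b"},
]


def instance_family(instance_type):
    """Return the family of an 'ecs.<family>.<size>' type string."""
    parts = instance_type.strip().lower().split(".")
    if len(parts) != 3 or parts[0] != "ecs" or not parts[1]:
        raise ValueError(f"unrecognized instance type: {instance_type!r}")
    # Assumption: a '-<spec>' suffix (ecs.gn5-c4g1.xlarge) stays in the base family.
    return parts[1].split("-")[0]


def supports_flow_logs(instance_type):
    # Exact family match: 'sn1ne' must not be caught by the 'sn1' entry.
    return instance_family(instance_type) not in UNSUPPORTED_FAMILIES


def coverage_gaps(inventory):
    """Return ({vswitch: [instance ids not captured]}, [ids with unparsable type])."""
    gaps, unparsed = {}, []
    for rec in inventory:
        try:
            captured = supports_flow_logs(rec["type"])
        except ValueError:
            unparsed.append(rec["id"])  # review by hand rather than assume coverage
            continue
        if not captured:
            gaps.setdefault(rec["vswitch"], []).append(rec["id"])
    return gaps, unparsed


if __name__ == "__main__":
    gaps, unparsed = coverage_gaps(SAMPLE_INVENTORY)
    for vswitch, ids in sorted(gaps.items()):
        print(f"{vswitch}: not captured -> {', '.join(ids)}")
    print("unparsed types:", unparsed)
```

Instances reported as not captured must be upgraded to a supported instance type before their ENIs appear in the flow log.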

Related operations

The following table describes the operations that you can perform after you create a flow log instance.
Important: You cannot delete, modify, enable, or disable a flow log instance that is created in the Log Service console.

Operation: Description

Modify the name or description of a flow log instance: On the Flow Log page, find the flow log instance that you want to modify and click the Modify icon in the Instance ID/Name or Description column to modify the name or description of the flow log instance. For more information, see Modify a flow log.

Modify the sampling interval of a flow log instance: On the Flow Log page, find the flow log instance that you want to modify and click Edit in the Sampling Interval (Minutes) column. For more information, see Modify a flow log.

Enable a flow log instance: On the Flow Log page, find the flow log instance that you want to enable and click Enable in the Actions column. For more information, see Enable a flow log.

Disable a flow log instance: On the Flow Log page, find the flow log instance that you want to disable and click Disable in the Actions column. For more information, see Disable a flow log.

  After you disable a flow log instance, the flow log instance is not deleted. To capture traffic information about ENIs, re-enable the related flow log instance.

Delete a flow log instance: On the Flow Log page, find the flow log instance that you want to delete and click Delete in the Actions column. For more information, see Delete a flow log.

  Important: If you delete a flow log instance, the project and pushed logs are not automatically deleted. To prevent additional fees, you can delete the corresponding project that is used to store flow logs in the Log Service console after you delete a flow log instance. For more information, see Delete a project.

What to do next

After Log Service collects VPC flow logs, you can query, analyze, download, ship, and transform the logs. You can also create alert rules for the logs. For more information, see Common operations on logs of Alibaba Cloud services.