Virtual Private Cloud (VPC) provides the flow log feature to capture information about inbound and outbound traffic of an elastic network interface (ENI). You can use the flow log feature to check access control list (ACL) rules, monitor network traffic, and troubleshoot network errors. This topic describes how to use flow logs.

Operations

Create a flow log

Make sure that the following requirements are met:
  1. Log on to the VPC console.
  2. In the left-side navigation pane, choose O&M and Monitoring > Flow Log.
  3. If this is the first time that you use the flow log feature, click Authorize and click Confirm. You must complete the authorization to ensure that flow logs can be imported to Log Service.
  4. In the top navigation bar, select the region where you want to create the flow log.
    For more information about regions that support the flow log feature, see Features and supported regions.
  5. On the Flow Log page, click Create FlowLog.
  6. In the Create FlowLog dialog box, set the following parameters and click OK.
    Name: Specify a name for the flow log.
      The name must be 2 to 128 characters in length and can contain letters, digits, hyphens (-), and underscores (_). The name must start with a letter and cannot start with http:// or https://.

    Resource Type: Select the type of resource from which you want to capture traffic, and then select the resource. Supported resource types:
      • VPC: captures traffic from all ENIs in the specified VPC. If the VPC contains Elastic Compute Service (ECS) instances that do not support flow logs, traffic information about ENIs of the ECS instances cannot be captured.
      • VSwitch: captures traffic from all ENIs associated with the specified vSwitch. If the vSwitch contains ECS instances that do not support flow logs, traffic information about ENIs of the ECS instances cannot be captured.
      • Network Interface: captures traffic information about the specified ENI. If the ENI is associated with an ECS instance that does not support flow logs, traffic information about the ENI cannot be captured.

      ECS instances of the following types do not support flow logs:

      ecs.c1, ecs.c2, ecs.c4, ecs.ce4, ecs.cm4, ecs.d1, ecs.e3, ecs.e4, ecs.ga1, ecs.gn4, ecs.gn5, ecs.i1, ecs.m1, ecs.m2, ecs.mn4, ecs.n1, ecs.n2, ecs.n4, ecs.s1, ecs.s2, ecs.s3, ecs.se1, ecs.sn1, ecs.sn2, ecs.t1, and ecs.xn4.

      To use flow logs, upgrade the ECS instance. For more information, see Upgrade the instance types of subscription instances and Change the instance type of a pay-as-you-go instance.

    Traffic Type: Select the type of traffic that you want to capture. Valid values:
      • All: captures traffic of the specified resource.
      • Allow: captures traffic that is allowed by security group rules and network ACL rules of the specified resource.
      • Drop: captures traffic that is denied by security group rules and network ACL rules of the specified resource.

    Project: Specify a project to store captured traffic.
      • Select Project: Select an existing project to store the captured traffic.
      • Create Project: Create a project to store captured traffic.

    Logstore: Specify a Logstore to store captured traffic.
      • Select Logstore: Select a Logstore from an existing project to store the captured traffic.
      • Create Logstore: Create a Logstore to store captured traffic.

    Turn on FlowLog Analysis Report Function: Select this option to enable Log Service indexing and create a dashboard for the Logstore. Then, you can consume the log data by using SQL queries or analyze the log data in the dashboard.
      Log Service dashboards are free of charge. However, Log Service indexing is billed based on data transfer. For more information, see Log Service billing.

    Description: Enter a description for the flow log.
      The description must be 2 to 256 characters in length and cannot start with http:// or https://.

View a flow log

After you create a flow log, you can view information about the flow log and the ENIs from which traffic is captured.

  1. Log on to the VPC console.
  2. In the left-side navigation pane, choose O&M and Monitoring > Flow Log.
  3. In the top navigation bar, select the region to which the flow log belongs.
  4. You can view flow logs on the Flow Log page.
  5. On the Flow Log page, find the flow log that you want to view and click View in the Resource column.
  6. In the Flow Log Collection Details panel, view the basic information about the flow log including the ID, status, and capture scope.
  7. In the Flow Log Collection Details panel, click the ENIs with Flow Logs Unsupported or All ENIs tab to view information about the ENIs.
    • ENIs with Flow Logs Unsupported: The ENIs from which traffic information cannot be captured.
    • All ENIs: All the ENIs that belong to the capture scope. For example, if flow logs capture traffic information about a VPC, this section displays all the ENIs in the VPC, including both the ENIs from which traffic information can be captured and those from which it cannot.
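
The split shown on the ENIs with Flow Logs Unsupported tab can also be computed offline from an asset inventory, which exposes capture blind spots before a flow log is relied on for monitoring. The following Python code is an added example, not Alibaba Cloud code: the inventory records and their IDs are constructed, and it assumes instance types have the form ecs.<family>[-<variant>].<size> and that the families listed above match exactly.

```python
# Added example: flag ENIs in a flow log's capture scope that cannot be logged.
# The inventory below is constructed sample data, not output of any API.

# Instance families listed on this page as not supporting flow logs.
UNSUPPORTED_FAMILIES = {
    "c1", "c2", "c4", "ce4", "cm4", "d1", "e3", "e4", "ga1", "gn4", "gn5",
    "i1", "m1", "m2", "mn4", "n1", "n2", "n4", "s1", "s2", "s3", "se1",
    "sn1", "sn2", "t1", "xn4",
}

# Maps the Resource Type chosen at creation to the inventory key it scopes by.
SCOPE_KEY = {"VPC": "vpc", "VSwitch": "vswitch", "Network Interface": "eni"}


def family_of(instance_type):
    """Return the family of a type string, e.g. 'ecs.gn5-c4g1.xlarge' -> 'gn5'.

    Assumes the form ecs.<family>[-<variant>].<size>. Matching is exact, so
    'ecs.sn1ne.large' yields 'sn1ne', which is not the listed 'sn1'.
    """
    parts = instance_type.lower().split(".")
    if len(parts) < 2 or parts[0] != "ecs":
        raise ValueError(f"unexpected instance type: {instance_type!r}")
    return parts[1].split("-")[0]


def audit_scope(inventory, resource_type, resource_id):
    """Split the ENIs in a capture scope into (logged, blind) lists of ENI IDs."""
    key = SCOPE_KEY[resource_type]
    logged, blind = [], []
    for eni in inventory:
        if eni[key] != resource_id:
            continue  # outside the flow log's capture scope
        bucket = blind if family_of(eni["type"]) in UNSUPPORTED_FAMILIES else logged
        bucket.append(eni["eni"])
    return logged, blind


# Constructed inventory: IDs and types are placeholders for illustration.
INVENTORY = [
    {"eni": "eni-a", "vpc": "vpc-1", "vswitch": "vsw-1", "type": "ecs.g6.large"},
    {"eni": "eni-b", "vpc": "vpc-1", "vswitch": "vsw-1", "type": "ecs.n4.small"},
    {"eni": "eni-c", "vpc": "vpc-1", "vswitch": "vsw-2", "type": "ecs.sn1ne.large"},
    {"eni": "eni-d", "vpc": "vpc-1", "vswitch": "vsw-2", "type": "ecs.gn5-c4g1.xlarge"},
    {"eni": "eni-e", "vpc": "vpc-2", "vswitch": "vsw-3", "type": "ecs.t1.small"},
]

if __name__ == "__main__":
    for rtype, rid in [("VPC", "vpc-1"), ("VSwitch", "vsw-2"), ("Network Interface", "eni-e")]:
        logged, blind = audit_scope(INVENTORY, rtype, rid)
        print(f"{rtype} {rid}: logged={logged} blind={blind}")
```

Any ENI returned in the blind list produces no records even though the flow log is Active, so an absence of Drop entries for it says nothing about whether traffic was denied.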

Analyze a flow log

You can check ACL rules, monitor network traffic, and troubleshoot network errors by analyzing a flow log.

  1. Log on to the VPC console.
  2. In the left-side navigation pane, choose O&M and Monitoring > Flow Log.
  3. In the top navigation bar, select the region to which the flow log belongs.
  4. On the Flow Log page, find the flow log that you want to analyze, and click the name of the Logstore.
  5. In the Log Service console, click Search & Analyze.
    After the flow log appears, you can view and analyze the captured data.

Modify a flow log

After you create a flow log, you can modify the name and description of the flow log.

  1. Log on to the VPC console.
  2. In the left-side navigation pane, choose O&M and Monitoring > Flow Log.
  3. In the top navigation bar, select the region to which the flow log belongs.
  4. On the Flow Log page, find the flow log that you want to modify, and click the Modify icon in the Instance ID/Name column to modify the name of the flow log.
    The name must be 2 to 128 characters in length and can contain letters, digits, underscores (_), and hyphens (-). The name must start with a letter.
  5. Click Modify in the Description column to modify the description of the flow log.
    The description must be 2 to 256 characters in length, and cannot start with http:// or https://.

Enable a flow log

You can enable a flow log that is in the Inactive state. After you enable the flow log, the flow log starts to capture traffic information about ENIs.

  1. Log on to the VPC console.
  2. In the left-side navigation pane, choose O&M and Monitoring > Flow Log.
  3. In the top navigation bar, select the region to which the flow log belongs.
  4. On the Flow Log page, find the flow log and click Enable in the Actions column.
    After the flow log is enabled, the state of the flow log changes to Active.

Disable a flow log

You can temporarily stop a flow log from capturing traffic information about ENIs by disabling the flow log. Disabling a flow log does not delete it. To resume capturing traffic information about ENIs, enable the flow log again while it is in the Inactive state.

  1. Log on to the VPC console.
  2. In the left-side navigation pane, choose O&M and Monitoring > Flow Log.
  3. In the top navigation bar, select the region to which the flow log belongs.
  4. On the Flow Log page, find the flow log that you want to disable and click Disable in the Actions column.
    After the flow log is disabled, the state of the flow log changes to Inactive.

Delete a flow log

You can delete a flow log that is in the Active or Inactive state. After you delete the flow log, you can still view captured traffic information in the Log Service console.

  1. Log on to the VPC console.
  2. In the left-side navigation pane, choose O&M and Monitoring > Flow Log.
  3. In the top navigation bar, select the region to which the flow log belongs.
  4. On the Flow Log page, find the flow log that you want to delete and click Delete in the Actions column.
  5. In the Delete FlowLog message, click OK.