Cloud Enterprise Network: CreateFlowlog

Last Updated: Sep 09, 2025

Creates a flow log.

Operation description

You can use flow logs to capture traffic that is transmitted over transit router instances and network instance connections. Network instance connections include inter-region connections, VPC connections, VPN connections, ECR connections, and VBR connections. Before you create a flow log, note the following:

  • Only Enterprise Edition transit routers support flow logs.

  • For inter-region connections, flow logs capture only outbound traffic from the transit router. Inbound traffic is not captured.

    For example, an Elastic Compute Service (ECS) instance in the US (Silicon Valley) region accesses an ECS instance in the US (Virginia) region through Cloud Enterprise Network (CEN). If you create a flow log for the transit router in the US (Virginia) region, you can view messages sent from the ECS instance in the US (Virginia) region to the ECS instance in the US (Silicon Valley) region in the Simple Log Service console. However, you cannot view messages sent from the ECS instance in the US (Silicon Valley) region to the ECS instance in the US (Virginia) region. To view these messages, you must also create a flow log for the transit router in the US (Silicon Valley) region.

  • When a flow log captures traffic of a VPC connection, it captures only traffic transmitted over the transit router elastic network interface (ENI). To capture traffic transmitted over other ENIs in the VPC, see VPC flow log overview.

  • CreateFlowlog is an asynchronous operation. After you send a request, the system returns a flow log ID. However, the flow log is not immediately created. The system creates the flow log in the background. You can call the DescribeFlowlogs operation to query the status of a flow log.

    • If a flow log is in the Creating state, it is being created. In this state, you can only query the flow log.

    • If a flow log is in the Active state, it is created.

Prerequisites

Before you create a flow log for a resource, make sure that the resource has been created. To create a resource, see the following topics:

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

| Action | Access level | Resource type | Condition key | Dependent action |
|---|---|---|---|---|
| cen:CreateFlowlog | create | *All Resource `*` | None | None |

Request parameters

ClientToken
  Type: string
  Required: No
  Description: The client token that is used to ensure the idempotence of the request.
    Generate a value for this parameter from your client. Make sure that the value is unique for each request. The token can contain only ASCII characters.
    Note: If you do not specify this parameter, the system automatically uses the request ID as the client token. The request ID may be different for each request.
  Example: 123e4567-e89b-12d3-a456-42665544****

RegionId
  Type: string
  Required: Yes
  Description: The region ID of the flow log.
    You can call the DescribeChildInstanceRegions operation to obtain the region ID.
  Example: cn-hangzhou

FlowLogName
  Type: string
  Required: No
  Description: The name of the flow log.
    The name can be empty or 1 to 128 characters in length. It cannot start with `http://` or `https://`.
  Example: myFlowlog

Description
  Type: string
  Required: No
  Description: The description of the flow log.
    The description can be empty or 1 to 256 characters in length. It cannot start with `http://` or `https://`.
  Example: myFlowlog

CenId
  Type: string
  Required: Yes
  Description: The ID of the CEN instance.
  Example: cen-7qthudw0ll6jmc****

ProjectName
  Type: string
  Required: No
  Description: The project that is used to store the captured traffic.
    • If you have already created a project in the current region, enter the name of the project.
    • If you have not created a project in the current region, you can specify a custom name for the project. The system automatically creates the project.
      A project name must be globally unique within an Alibaba Cloud region and cannot be modified after the project is created. The name must meet the following requirements:
      • The name must be globally unique.
      • It can contain only lowercase letters, digits, and hyphens (-).
      • It must start and end with a lowercase letter or a digit.
      • It must be 3 to 63 characters in length.
  Example: flowlog-project

LogStoreName
  Type: string
  Required: No
  Description: The Logstore that is used to store the captured traffic.
    • If you have already created a Logstore in the current region, enter the name of the Logstore.
    • If you have not created a Logstore in the current region, you can specify a custom name for the Logstore. The system automatically creates the Logstore. The name of the Logstore must meet the following requirements:
      • The name must be unique within the same project.
      • It can contain only lowercase letters, digits, hyphens (-), and underscores (_).
      • It must start and end with a lowercase letter or a digit.
      • It must be 3 to 63 characters in length.
  Example: flowlog-logstore

Interval
  Type: integer
  Required: No
  Description: The aggregation interval for the flow log. Unit: seconds. Valid values: 60 and 600. Default value: 600.
  Example: 600

TransitRouterAttachmentId
  Type: string
  Required: No
  Description: The ID of the VPC connection, VPN connection, VBR connection, ECR connection, or inter-region connection.
    If you want to configure a flow log for a transit router instance, do not specify this parameter.
  Example: tr-attach-r6g0m3epjehw57****

TransitRouterId
  Type: string
  Required: No
  Description: The ID of the transit router instance.
  Example: tr-bp1rmwxnk221e3fas****

LogFormatString
  Type: string
  Required: No
  Description: A custom string of log fields for the flow log.
    The format is defined as: ${field 1}${field 2}${field 3}...${field n}
    • If you do not specify this parameter, all default fields are logged.
    • If you specify this parameter, you must start the string with ${srcaddr}${dstaddr}${bytes} because these are required parameters. For more information about all supported log fields, see Configure a flow log.
  Example: ${srcaddr}${dstaddr}${bytes}

Tag
  Type: array<object>
  Required: No
  Description: The tag.
    You can add up to 20 tags in each call.

  Array element
    Type: object
    Required: No
    Description: The tag.
      You can add up to 20 tags in each call.

    Key
      Type: string
      Required: No
      Description: The tag key.
        The tag key cannot be an empty string. The tag key can be up to 64 characters in length and cannot start with aliyun or acs:. It cannot contain http:// or https://.
        You can specify up to 20 tag keys.
      Example: TagKey

    Value
      Type: string
      Required: No
      Description: The tag value.
        The tag value can be an empty string or a string of up to 128 characters. It cannot start with aliyun or acs: and cannot contain http:// or https://.
        Each tag key must have a unique tag value. You can specify up to 20 tag values.
      Example: TagValue
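
The constraints stated in the parameter descriptions above can be checked on the client before the request is sent. The following Python function is an added example, not Alibaba Cloud SDK code or part of the original page; `validate_create_flowlog`, the constant names, and the sample values are hypothetical, and it encodes only the rules written on this page.

```python
import re

# Every rule below is transcribed from the parameter descriptions on this page.
PROJECT_RE = re.compile(r"[a-z0-9][a-z0-9-]{1,61}[a-z0-9]")    # 3-63 chars
LOGSTORE_RE = re.compile(r"[a-z0-9][a-z0-9_-]{1,61}[a-z0-9]")  # 3-63 chars
FORMAT_RE = re.compile(r"(\$\{[^${}]+\})+")                    # ${f1}${f2}...
REQUIRED_PREFIX = "${srcaddr}${dstaddr}${bytes}"
URL_PREFIXES = ("http://", "https://")
RESERVED_PREFIXES = ("aliyun", "acs:")


def validate_create_flowlog(params):
    """Return the list of rule violations in a CreateFlowlog parameter dict."""
    errors = []
    for key in ("RegionId", "CenId"):
        if not params.get(key):
            errors.append(f"{key} is required")
    if not params.get("ClientToken", "").isascii():
        errors.append("ClientToken may contain only ASCII characters")
    for key, limit in (("FlowLogName", 128), ("Description", 256)):
        text = params.get(key, "")
        if len(text) > limit or text.startswith(URL_PREFIXES):
            errors.append(f"{key}: at most {limit} characters, no http(s):// prefix")
    for key, rule in (("ProjectName", PROJECT_RE), ("LogStoreName", LOGSTORE_RE)):
        name = params.get(key)
        if name is not None and not rule.fullmatch(name):
            errors.append(f"{key}: violates the naming rules")
    if params.get("Interval", 600) not in (60, 600):
        errors.append("Interval must be 60 or 600 seconds")
    fmt = params.get("LogFormatString")
    if fmt is not None and not (fmt.startswith(REQUIRED_PREFIX) and FORMAT_RE.fullmatch(fmt)):
        errors.append("LogFormatString must be ${field}... starting with " + REQUIRED_PREFIX)
    tags = params.get("Tag", [])
    if len(tags) > 20:
        errors.append("at most 20 tags per call")
    for tag in tags:
        key, value = tag.get("Key", ""), tag.get("Value", "")
        if not 1 <= len(key) <= 64 or len(value) > 128:
            errors.append(f"tag {key!r}: key is 1-64 characters, value at most 128")
        for text in (key, value):
            if text.startswith(RESERVED_PREFIXES) or any(u in text for u in URL_PREFIXES):
                errors.append(f"tag {key!r}: reserved prefix or URL in {text!r}")
    return errors

# Constructed sample request; CenId is a placeholder, not a real instance ID.
SAMPLE = {"RegionId": "cn-hangzhou", "CenId": "cen-placeholder", "Interval": 60,
          "ProjectName": "flowlog-project", "LogStoreName": "flowlog-logstore",
          "LogFormatString": REQUIRED_PREFIX, "Tag": [{"Key": "TagKey", "Value": "TagValue"}]}
print(validate_create_flowlog(SAMPLE) or "sample request passes all checks")
```

An empty list means the request satisfies the documented constraints; conditions that only the service can evaluate, such as quota or resource state, are still reported through the error codes of this operation.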

Response elements

Type: object
Description: The response.

RequestId
  Type: string
  Description: The request ID.
  Example: 54B48E3D-DF70-471B-AA93-08E683A1B457

Success
  Type: string
  Description: Indicates whether the call is successful.
    • true: The call is successful.
    • false: The call failed.
  Example: true

FlowLogId
  Type: string
  Description: The flow log ID.
  Example: flowlog-m5evbtbpt****

Examples

Success response

JSON format

{
  "RequestId": "54B48E3D-DF70-471B-AA93-08E683A1B457",
  "Success": "true",
  "FlowLogId": "flowlog-m5evbtbpt****"
}

Error codes

| HTTP status code | Error code | Error message | Description |
|---|---|---|---|
| 400 | ProjectOrLogstoreNotExist | The specified project or logstore does not exist. | The error message returned because the specified project or Logstore does not exist. |
| 400 | SourceProjectNotExist | The Source Project or logstore does not exist. | The error message returned because the specified source project or Logstore does not exist. |
| 400 | OperationUnsupported.action | This action is not support. | The error message returned because this operation is not supported in the specified region. |
| 400 | RuleExist | The rule has already existed. | The rule already exists. |
| 400 | QuotaExceeded.FlowlogCount | This user has reached the maximum instance number of flowlog. | The error message returned because the number of flow logs has reached the upper limit. |
| 400 | InvalidFlowlogId.exist | This cenId already has flowlog instance existed. | The error message returned because the specified CEN instance is already associated with a flow log. |
| 400 | Flowlog.AlreayExist | This attachment already has existed flowlog instance. | The error message returned because the specified flow log already exists. You cannot create duplicate flow logs. |
| 400 | IllegalParam.TransitRouterAttachmentId | TransitRouterAttachmentId is illegal. | The error message returned because the specified transit router is invalid. |
| 400 | InvalidTransitRouterAttachmentId.NotFound | The TransitRouterAttachmentId is not found. | The error message returned because the specified transit router attachment ID (TransitRouterAttachmentId) does not exist. |
| 400 | IncorrectStatus.flowlog | This action is not allowed in the current flow log status. | This action is not allowed in the current flow log status. |
| 400 | InvalidOperation.TransitRouterNotExist | Operation is invalid because the transit router not exist. | The error message returned because the specified transit router does not exist. |
| 400 | IncorrectStatus.TransitRouterAttachmentId | The resource is not in a valid state for the attachment operation. | The error message returned because the operation is not supported when the specified attachment is in an unstable state. |
| 400 | ProjectExist | Project already exist, please try a different project name. | The log Project already exists, try a different Project name. |
| 400 | InvalidParameter.ProjectName | Project name is invalid or does not belong to specified region. | The Project name is illegal or does not belong to the specified region. |
| 400 | IncorrectStatus.TrFlowlog | Flowlog status for specified TransitRouter is invalid for this operation. | Flowlog status for specified TransitRouter is invalid for this operation. |
| 400 | OperationInvalid.IncompatibleFlowlogExist | Operation is invalid because incompatible flowlog config exists. | There are incompatible Flowlog configurations, please delete and try again. |
| 400 | InvalidParameter.LogFormatString | LogFormatString is invalid. | The specified log format is invalid. |
| 400 | InvalidParameter.LogStoreName | Specified LogStore name is invalid. | Logstore name is invalid. |
| 400 | OperationFailed.InvalidLogInfo | The entered log service information is invalid. Check whether the ProjectName and LogStoreName are correct, and whether Log Service has been activated. | The entered log service information is invalid. Check whether the ProjectName and LogStoreName are correct, and whether Log Service has been activated. |
| 400 | IncorrectStatus.TransitRouterInstance | The status of TransitRouter is incorrect. | The error message returned because the transit router is in an invalid state. |
| 400 | InvalidParameter | Invalid parameter. | The error message returned because the parameter is set to an invalid value. |
| 400 | Unauthorized | The AccessKeyId is unauthorized. | The error message returned because you do not have the permissions to perform this operation. |
| 400 | InvalidParameter.CenId | The specified parameter CenId is invalid. | |
| 403 | NoPermission.AliyunServiceRoleForTRFlowLog | You are not authorized to create service linked role AliyunServiceRoleForTRFlowLog. | You are not authorized to create service linked role AliyunServiceRoleForTRFlowLog. |

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.