Creates a flow log.
Operation description
Flow logs help you catch traffic information forwarded by transit router instances and network instance connections (inter-region connections, VPC connections, VPN connections, ECR connections, and VBR connections). Before you create a flow log, note the following information:
-
Only Enterprise Edition transit routers support flow log creation.
-
For traffic information of inter-region connections, flow logs catch only outbound traffic of the transit router. Inbound traffic of the transit router is not caught.
For example, an Elastic Computing Service (ECS) instance in the US (Silicon Valley) region accesses an ECS instance in the US (Virginia) region through Cloud Enterprise Network (CEN). After you configure a flow log for the transit router in the US (Virginia) region, you can view the packet information sent from the US (Virginia) ECS instance to the US (Silicon Valley) ECS instance in the Simple Log Service console, but you cannot view the packet information sent from the US (Silicon Valley) ECS instance to the US (Virginia) ECS instance. To view the packet information sent from the US (Silicon Valley) ECS instance to the US (Virginia) ECS instance, configure a flow log on the transit router in the US (Silicon Valley) region.
-
When a flow log catches traffic information of a VPC connection, only traffic forwarded by the transit router elastic network interface (ENI) is caught. To learn about traffic forwarded by other ENIs in the VPC, see VPC flow log overview.
-
The
CreateFlowlogoperation is asynchronous. After you send a request, the system returns a flow log ID, but the flow log has not been created. The creation task is still running in the background. You can invoke theDescribeFlowlogsoperation to query the status of the flow log.If the flow log is in the Creating state, the flow log is being created. In this state, you can only execute query operations.
If the flow log is in the Active state, the flow log is created.
Before you begin
Before you create a flow log for a resource, make sure that the required resources exist. To create the resources, see:
Try it now
Test
RAM authorization
|
Action |
Access level |
Resource type |
Condition key |
Dependent action |
|
cen:CreateFlowlog |
create |
*All Resource
|
None | None |
Request parameters
|
Parameter |
Type |
Required |
Description |
Example |
| ClientToken |
string |
No |
The client token that is used to ensure the idempotence of the request. You can use the client to generate the token, but you must make sure that the token is unique among different requests. The client token can contain only ASCII characters. Note
If you do not specify this parameter, the system automatically uses the RequestId of the API request as the ClientToken. The RequestId may be different for each API request. |
123e4567-e89b-12d3-a456-42665544**** |
| RegionId |
string |
Yes |
The region ID of the flow log. You can call the DescribeChildInstanceRegions operation to query the region ID. |
cn-hangzhou |
| FlowLogName |
string |
No |
The name of the flow log. The name can be empty or 1 to 128 characters in length and cannot start with http:// or https://. |
myFlowlog |
| Description |
string |
No |
The description of the flow log. The description can be empty or 1 to 256 characters in length and cannot start with http:// or https://. |
myFlowlog |
| CenId |
string |
Yes |
The instance ID of the Cloud Enterprise Network (CEN). |
cen-7qthudw0ll6jmc**** |
| ProjectName |
string |
No |
The project that stores the caught traffic.
|
flowlog-project |
| LogStoreName |
string |
No |
The Logstore that stores the caught traffic.
|
flowlog-logstore |
| Interval |
integer |
No |
The capture window duration of the flow log. Unit: seconds. Valid values: 60 and 600. Default value: 600. |
600 |
| TransitRouterAttachmentId |
string |
No |
The ID of the VPC connection, VPN connection, VBR connection, ECR connection, or inter-region connection. Leave this parameter empty if you want to configure a flow log for a transit router instance. |
tr-attach-r6g0m3epjehw57**** |
| TransitRouterId |
string |
No |
The transit routing instance ID. |
tr-bp1rmwxnk221e3fas**** |
| LogFormatString |
string |
No |
The string that defines custom flow log record fields. The format is defined as:
|
${srcaddr}${dstaddr}${bytes} |
| Tag |
array<object> |
No |
The tag information. You can specify up to 20 tags at a time. |
|
|
object |
No |
The tag information. You can specify up to 20 tags at a time. |
||
| Key |
string |
No |
The tag key of the resource. Once specified, the tag key cannot be an empty string. The tag key can be up to 64 characters in length and cannot start with You can specify up to 20 tag keys at a time. |
TagKey |
| Value |
string |
No |
The tag value of the resource. The tag value can be empty or up to 128 characters in length. It cannot start with Each tag key corresponds to one tag value. You can specify up to 20 tag values at a time. |
TagValue |
Response elements
|
Element |
Type |
Description |
Example |
|
object |
The response parameters. |
||
| RequestId |
string |
The request ID. |
54B48E3D-DF70-471B-AA93-08E683A1B457 |
| Success |
string |
Indicates whether the API call is successful.
|
true |
| FlowLogId |
string |
The flow log ID. |
flowlog-m5evbtbpt**** |
Examples
Success response
JSON format
{
"RequestId": "54B48E3D-DF70-471B-AA93-08E683A1B457",
"Success": "true",
"FlowLogId": "flowlog-m5evbtbpt****"
}
Error codes
|
HTTP status code |
Error code |
Error message |
Description |
|---|---|---|---|
| 400 | ProjectOrLogstoreNotExist | The specified project or logstore does not exist. | The error message returned because the specified project or Logstore does not exist. |
| 400 | SourceProjectNotExist | The Source Project or logstore does not exist. | The error message returned because the specified source project or Logstore does not exist. |
| 400 | OperationUnsupported.action | This action is not support. | The error message returned because this operation is not supported in the specified region. |
| 400 | RuleExist | The rule has already existed. | The rule already exists. |
| 400 | QuotaExceeded.FlowlogCount | This user has reached the maximum instance number of flowlog. | The error message returned because the number of flow logs has reached the upper limit. |
| 400 | InvalidFlowlogId.exist | This cenId already has flowlog instance existed. | The error message returned because the specified CEN instance is already associated with a flow log. |
| 400 | Flowlog.AlreayExist | This attachment already has existed flowlog instance. | The error message returned because the specified flow log already exists. You cannot create duplicate flow logs. |
| 400 | IllegalParam.TransitRouterAttachmentId | TransitRouterAttachmentId is illegal. | The error message returned because the specified transit router is invalid. |
| 400 | InvalidTransitRouterAttachmentId.NotFound | The TransitRouterAttachmentId is not found. | The error message returned because the specified transit router attachment ID (TransitRouterAttachmentId) does not exist. |
| 400 | IncorrectStatus.flowlog | This action is not allowed in the current flow log status. | This action is not allowed in the current flow log status. |
| 400 | InvalidOperation.TransitRouterNotExist | Operation is invalid because the transit router not exist. | The error message returned because the specified transit router does not exist. |
| 400 | IncorrectStatus.TransitRouterAttachmentId | The resource is not in a valid state for the attachment operation. | The error message returned because the operation is not supported when the specified attachment is in an unstable state |
| 400 | ProjectExist | Project already exist, please try a different project name. | The log Project already exists, try a different Project name. |
| 400 | InvalidParameter.ProjectName | Project name is invalid or does not belong to specified region. | The Project name is illegal or does not belong to the specified region. |
| 400 | IncorrectStatus.TrFlowlog | Flowlog status for specified TransitRouter is invalid for this operation. | Flowlog status for specified TransitRouter is invalid for this operation. |
| 400 | OperationInvalid.IncompatibleFlowlogExist | Operation is invalid because incompatible flowlog config exists. | There are incompatible Flowlog configurations, please delete and try again. |
| 400 | InvalidParameter.LogFormatString | LogFormatString is invalid. | The specified log format is invalid. |
| 400 | InvalidParameter.LogStoreName | Specified LogStore name is invalid. | Logstore name is invalid. |
| 400 | OperationFailed.InvalidLogInfo | The entered log service information is invalid. Check whether the ProjectName and LogStoreName are correct, and whether Log Service has been activated. | The entered log service information is invalid. Check whether the ProjectName and LogStoreName are correct, and whether Log Service has been activated. |
| 400 | IncorrectStatus.TransitRouterInstance | The status of TransitRouter is incorrect. | The error message returned because the transit router is in an invalid state. |
| 400 | InvalidParameter | Invalid parameter. | The error message returned because the parameter is set to an invalid value. |
| 400 | Unauthorized | The AccessKeyId is unauthorized. | The error message returned because you do not have the permissions to perform this operation. |
| 400 | InvalidParameter.CenId | The specified parameter CenId is invalid. | |
| 400 | InvalidParameter.TagValue | The specified parameter TagValue is invalid. | The input parameter Tag Value is invalid. |
| 403 | NoPermission.AliyunServiceRoleForTRFlowLog | You are not authorized to create service linked role AliyunServiceRoleForTRFlowLog. | You are not authorized to create service linked role AliyunServiceRoleForTRFlowLog. |
See Error Codes for a complete list.
Release notes
See Release Notes for a complete list.