All Products
Search
Document Center

Cloud Enterprise Network:CreateFlowlog

Last Updated:Oct 22, 2024

Creates a flow log.

Operation description

Flow logs are used to capture the information about network traffic between transit routers and between virtual border routers (VBRs). Before you create a flow log, take note of the following items:

  • Flow logs are supported only by Enterprise Edition transit routers.

  • Only flow logs in some regions can capture the information about network traffic over VBR connections. For more information, see Limits .

  • Flow logs are used to capture the information about outbound traffic on transit routers. Information about inbound traffic on transit routers is not captured.

    For example, an Elastic Compute Service (ECS) instance in the US (Silicon Valley) region accesses an ECS instance in the US (Virginia) region through CEN. After you enable the flow log feature for the transit router in the US (Virginia) region, you can check the log entries about packets sent from the ECS instance in the US (Virginia) region to the ECS instance in the US (Silicon Valley) region. However, packets sent from the ECS instance in the US (Silicon Valley) region to the ECS instance in the US (Virginia) region are not recorded. If you want to record the packets sent from the ECS instance in the US (Silicon Valley) region to the ECS instance in the US (Virginia) region, you must also enable the flow log feature on the transit router that is in the US (Silicon Valley) region.

  • CreateFlowLog is an asynchronous operation. After you send a request, the system returns a flow log ID and runs the task in the background. You can call the DescribeFlowLogs operation to query the status of a flow log.

    • If a flow log is in the Creating state, the flow log is being created. In this case, you can query the flow log but cannot perform other operations.
    • If a flow log is in the Active state, the flow log is created.

Prerequisites

An inter-region connection or a VBR connection is created. For more information, see CreateTransitRouterPeerAttachment or CreateTransitRouterVbrAttachment .

Debugging

You can run this interface directly in OpenAPI Explorer, saving you the trouble of calculating signatures. After running successfully, OpenAPI Explorer can automatically generate SDK code samples.

Authorization information

The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:

  • Operation: the value that you can use in the Action element to specify the operation on a resource.
  • Access level: the access level of each operation. The levels are read, write, and list.
  • Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
    • The required resource types are displayed in bold characters.
    • If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
  • Condition Key: the condition key that is defined by the cloud service.
  • Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.
OperationAccess levelResource typeCondition keyAssociated operation
cen:CreateFlowlogcreate
  • All Resources
    *
    none
none

Request parameters

ParameterTypeRequiredDescriptionExample
ClientTokenstringNo

The client token that is used to ensure the idempotence of the request.

You can use the client to generate the value, but you must make sure that it is unique among all requests. The token can contain only ASCII characters.

Note If you do not set this parameter, ClientToken is set to the value of RequestId. The value of RequestId for each API request may be different.
123e4567-e89b-12d3-a456-42665544****
RegionIdstringYes

The ID of the region where the flow log is deployed.

You can call the DescribeChildInstanceRegions operation to query the most recent region list.

cn-hangzhou
FlowLogNamestringNo

The name of the flow log.

The name must be 2 to 128 characters in length, and can contain digits, periods (.), underscores (_), and hyphens (-). The name must start with a letter but cannot start with http:// or https://.

myFlowlog
DescriptionstringNo

The description of the flow log.

The description must be 2 to 256 characters in length. It must start with a letter but cannot start with http:// or https://.

myFlowlog
CenIdstringYes

The ID of the CEN instance.

cen-7qthudw0ll6jmc****
ProjectNamestringYes

The Log Service project where the flow log is stored.

  • If a project is already created in the selected region, enter the name of the project.

  • If no projects are created in the selected region, enter a name and the system automatically creates a project.

    The project name must be unique in a region. You cannot change the name after you create the project. The naming conventions are:

    • The name must be globally unique.
    • The name can contain only lowercase letters, digits, and hyphens (-).
    • The name must start and end with a lowercase letter or a digit.
    • The name must be 3 to 63 characters in length.
FlowLogProject
LogStoreNamestringYes

The Logstore where the flow log is stored.

  • If a Logstore is already created in the selected region, enter the name of the Logstore.

  • If no Logstores are created in the selected region, enter a name and the system automatically creates a Logstore. The name of the Logstore. The name must meet the following requirements:

    • The name must be unique in a project.
    • The name can contain only lowercase letters, digits, hyphens (-), and underscores (_).
    • The name must start and end with a lowercase letter or a digit.
    • The name must be 3 to 63 characters in length.
FlowLogStore
IntervallongNo

The time window for collecting log data. Unit: seconds. Valid values: 60 and 600. Default value: 600.

600
TransitRouterAttachmentIdstringNo

The ID of the inter-region connection or the VBR connection.

Note This parameter is required.
tr-attach-r6g0m3epjehw57****
Tagarray<object>No

The information about the tags.

You can specify at most 20 tags in each call.

objectNo
KeystringNo

The tag key.

The tag key cannot be an empty string. The tag key can be up to 64 characters in length and cannot start with acs: or aliyun. It cannot contain http:// or https://.

You can specify at most 20 tag keys.

TagKey
ValuestringNo

The tag value.

The tag value can be 0 to 128 characters in length, and cannot start with aliyun or acs:. It cannot contain http:// or https://.

Each tag key must have a unique tag value. You can specify at most 20 tag values in each call.

TagValue

Response parameters

ParameterTypeDescriptionExample
object

The response.

RequestIdstring

The ID of the request.

54B48E3D-DF70-471B-AA93-08E683A1B457
Successstring

Indicates whether the call is successful. Valid values:

  • true: yes
  • false: no
true
FlowLogIdstring

The ID of the flow log.

flowlog-m5evbtbpt****

Examples

Sample success responses

JSONformat

{
  "RequestId": "54B48E3D-DF70-471B-AA93-08E683A1B457",
  "Success": "true",
  "FlowLogId": "flowlog-m5evbtbpt****"
}

Error codes

HTTP status codeError codeError messageDescription
400ProjectOrLogstoreNotExistThe specified project or logstore does not exist.The error message returned because the specified project or Logstore does not exist.
400SourceProjectNotExistThe Source Project or logstore does not exist.The error message returned because the specified source project or Logstore does not exist.
400OperationUnsupported.actionThis action is not support.The error message returned because this operation is not supported in the specified region.
400RuleExistThe rule has already existed.The rule already exists.
400QuotaExceeded.FlowlogCountThis user has reached the maximum instance number of flowlog.The error message returned because the number of flow logs has reached the upper limit.
400InvalidFlowlogId.existThis cenId already has flowlog instance existed.The error message returned because the specified CEN instance is already associated with a flow log.
400Flowlog.AlreayExistThis attachment already has existed flowlog instance.The error message returned because the specified flow log already exists. You cannot create duplicate flow logs.
400IllegalParam.TransitRouterAttachmentIdTransitRouterAttachmentId is illegal.The error message returned because the specified transit router is invalid.
400InvalidTransitRouterAttachmentId.NotFoundThe TransitRouterAttachmentId is not found.The error message returned because the specified transit router attachment ID (TransitRouterAttachmentId) does not exist.
400IncorrectStatus.flowlogThis action is not allowed in the current flow log status.This action is not allowed in the current flow log status.
400InvalidOperation.TransitRouterNotExistOperation is invalid because the transit router not exist.The error message returned because the specified transit router does not exist.
400IncorrectStatus.TransitRouterAttachmentIdThe resource is not in a valid state for the attachment operation.The error message returned because the operation is not supported when the specified attachment is in an unstable state
400ProjectExistProject already exist, please try a different project name.The log Project already exists, try a different Project name.
400InvalidParameter.ProjectNameProject name is invalid or does not belong to specified region.The Project name is illegal or does not belong to the specified region.
400IncorrectStatus.TrFlowlogFlowlog status for specified TransitRouter is invalid for this operation.Flowlog status for specified TransitRouter is invalid for this operation.
400OperationInvalid.IncompatibleFlowlogExistOperation is invalid because incompatible flowlog config exists.There are incompatible Flowlog configurations, please delete and try again.
400InvalidParameter.LogFormatStringLogFormatString is invalid.The specified log format is invalid.
400InvalidParameter.LogStoreNameSpecified LogStore name is invalid.Logstore name is invalid.
400InvalidParameter.ProjectNameProjectName is invalid.Project name is invalid.
400OperationFailed.InvalidLogInfoThe entered log service information is invalid. Check whether the ProjectName and LogStoreName are correct, and whether Log Service has been activated.The entered log service information is invalid. Check whether the ProjectName and LogStoreName are correct, and whether Log Service has been activated.
400InvalidParameterInvalid parameter.The error message returned because the parameter is set to an invalid value.
400UnauthorizedThe AccessKeyId is unauthorized.The error message returned because you do not have the permissions to perform this operation.
403NoPermission.AliyunServiceRoleForTRFlowLogYou are not authorized to create service linked role AliyunServiceRoleForTRFlowLog.You are not authorized to create service linked role AliyunServiceRoleForTRFlowLog.

For a list of error codes, visit the Service error codes.

Change history

Change timeSummary of changesOperation
2024-07-02The Error code has changedView Change Details
2024-05-22The Error code has changedView Change Details
2023-01-03The Error code has changedView Change Details