All Products
Search

This Product

    Simple Log Service:VPC

    Document Center

    Simple Log Service:VPC

    Last Updated:Dec 11, 2025

    This topic describes the fields in VPC flow logs.

    Field

    Description

    __topic__

    The topic of the log. The value is fixed as flow_log.

    version

    The version of the flow log. The version of all current flow log entries is 1.

    vswitch-id

    The ID of the vSwitch to which the elastic network interface (ENI) is attached.

    vm-id

    The ID of the ECS instance to which the ENI is attached.

    vpc-id

    The ID of the VPC to which the ENI belongs.

    account-id

    The Alibaba Cloud account ID.

    eni-id

    The ID of the ENI.

    region

    The region where the VPC resides.

    srcaddr

    The source IP address.

    srcport

    The source port.

    dstaddr

    The destination IP address.

    dstport

    The destination port.

    protocol

    The Internet Assigned Numbers Authority (IANA) protocol number of the traffic. Common protocol numbers include 1 for ICMP, 6 for TCP, and 17 for UDP.

    direction

    The direction of the traffic:

    • in: Inbound traffic to the ENI.

    • out: Outbound traffic from the ENI.

    packets

    The number of packets.

    bytes

    The number of bytes.

    start

    The time when the first packet was received in the capture window. The value is a Unix timestamp.

    end

    For a persistent connection, this is the end time of the capture window. For a short-lived connection, this is the time when the connection was closed. The value is a Unix timestamp.

    log-status

    The logging status of the flow log:

    • OK: Data is recorded normally.

    • NODATA: No network traffic is sent to or from the network interface during the capture window. This status is common for standby systems, during off-peak hours, or when configuration issues cause a lack of traffic.

    • SKIPDATA: Some flow log records are skipped during the capture window. This is common in high-traffic environments or during traffic bursts that overload internal systems, which prevents traffic from being captured and results in skipped records.

    action

    Indicates whether the traffic was permitted or denied by a security group or network ACL:

    • ACCEPT: The traffic was permitted by the security group.

    • REJECT: The traffic was denied by the security group.

    tcp-flags

    The TCP flag, represented in decimal, which reflects a combination of flags from the TCP protocol, such as SYN, ACK, and FIN.

    A single flow log entry in a capture window can correspond to multiple TCP packets. This value is the result of a bitwise OR operation on the flag fields of all relevant packets.

    For example, if a TCP session has two packets in a capture window with SYN (2) and SYN-ACK (18) flags, the TCP flag field recorded in the log is 18 (2 | 18 = 18).

    The decimal values for some TCP flags:

    • FIN: 1

    • SYN: 2

    • RST: 4

    • PSH: 8

    • SYN-ACK: 18

    • URG: 32

    For general information about TCP flags, such as the meaning of SYN, FIN, ACK, and RST, see RFC: 793.

    traffic_path

    The scenario where the traffic occurs:

    • 0 - Traffic captured in scenarios other than those listed below.

    • 1 - Traffic through other resources in the same VPC.

    • 2 - Private traffic to an ECS instance in the same VPC.

    • 3 - Traffic through an ENI.

    • 4 - Traffic through a high-availability virtual IP (HaVip) address.

    • 5 - Traffic to an Alibaba Cloud service in the same region.

    • 6 - Traffic to an Alibaba Cloud service through a gateway endpoint.

    • 7 - Traffic through a NAT gateway.

    • 8 - Traffic through a Transit Router (TR).

    • 9 - Traffic through a VPN gateway.

    • 10 - Traffic to a leased line through a Virtual Border Router (VBR).

    • 11 - Traffic to a VPC in the same region through a Basic Edition Cloud Enterprise Network (CEN) instance.

    • 12 - Traffic through a Basic Edition CEN instance in scenarios other than 11, 18, 19, and 20, such as traffic to a cross-region Alibaba Cloud service or a Cloud Connect Network (CCN) instance.

    • 13 - Traffic to the internet through an IPv4 gateway.

    • 14 - Traffic to the internet through an IPv6 gateway.

    • 15 - Traffic to the internet through a public IP address.

    • 17 - Traffic through a VPC peering connection.

    • 18 - Traffic to a cross-region VPC through a Basic Edition CEN instance.

    • 19 - Traffic to a VBR in the same region through a Basic Edition CEN instance.

    • 20 - Traffic to a cross-region VBR through a Basic Edition CEN instance.

    • 21 - Traffic through an Express Connect Router (ECR).

    • 22 - Traffic through a Gateway Load Balancer (GWLB) endpoint.

    srctype

    The CIDR block information of the source IP address after enabling the inter-domain analysis feature.

    Note

    This field is included only if you enable the inter-domain analysis feature.

    dsttype

    The CIDR block information of the destination IP address after enabling the inter-domain analysis feature.

    Note

    This field is included only if you enable the inter-domain analysis feature.