VPC flow log field details - Simple Log Service - Alibaba Cloud Documentation Center

Lists the fields in VPC flow logs.

Field	Description
__topic__	The log topic. Fixed as flow_log.
version	The flow log version. All current entries use version `1`.
vswitch-id	The ID of the vSwitch to which the elastic network interface (ENI) is attached.
vm-id	The ID of the ECS instance to which the ENI is attached.
vpc-id	The ID of the VPC to which the ENI belongs.
account-id	The Alibaba Cloud account ID.
eni-id	The ID of the ENI.
region	The region where the VPC resides.
srcaddr	The source IP address.
srcport	The source port.
dstaddr	The destination IP address.
dstport	The destination port.
protocol	The Internet Assigned Numbers Authority (IANA) protocol number of the traffic. Common protocol numbers include 1 for ICMP, 6 for TCP, and 17 for UDP.
direction	The direction of the traffic: in: Inbound traffic to the ENI. out: Outbound traffic from the ENI.
packets	The number of packets.
bytes	The number of bytes.
start	The time when the first packet was received in the capture window, as a Unix timestamp.
end	The end time of the capture window for persistent connections, or the connection close time for short-lived connections. Value is a Unix timestamp.
log-status	The logging status of the flow log: OK: Data is recorded normally. NODATA: No network traffic was sent to or from the network interface during the capture window. Common for standby systems, off-peak hours, or when configuration issues cause a lack of traffic. SKIPDATA: Some flow log records were skipped during the capture window. Common during traffic bursts or in high-traffic environments that exceed internal capture capacity.
action	Whether the traffic was permitted or denied by a security group or network ACL: ACCEPT: The traffic was permitted by the security group. REJECT: The traffic was denied by the security group.
tcp-flags	The TCP flag in decimal, reflecting a combination of TCP flags such as SYN, ACK, and FIN. A single flow log entry in a capture window can cover multiple TCP packets. The value is the `bitwise OR` of the flag fields across all relevant packets. For example, if a TCP session has two packets in a capture window with SYN (2) and SYN-ACK (18) flags, the TCP flag field recorded in the log is 18 (2 \| 18 = 18). The decimal values for some TCP flags: FIN: 1 SYN: 2 RST: 4 PSH: 8 SYN-ACK: 18 URG: 32 For more information about TCP flags such as SYN, FIN, ACK, and RST, see RFC: 793.
traffic_path	The traffic path scenario: 0 - Traffic captured in scenarios other than those listed below. 1 - Traffic through other resources in the same VPC. 2 - Private traffic to an ECS instance in the same VPC. 3 - Traffic through an ENI. 4 - Traffic through a high-availability virtual IP (HaVip) address. 5 - Traffic to an Alibaba Cloud service in the same region. 6 - Traffic to an Alibaba Cloud service through a gateway endpoint. 7 - Traffic through a NAT gateway. 8 - Traffic through a Transit Router (TR). 9 - Traffic through a VPN gateway. 10 - Traffic to a leased line through a Virtual Border Router (VBR). 11 - Traffic to a VPC in the same region through a Basic Edition Cloud Enterprise Network (CEN) instance. 12 - Traffic through a Basic Edition CEN instance in scenarios other than 11, 18, 19, and 20, such as traffic to a cross-region Alibaba Cloud service or a Cloud Connect Network (CCN) instance. 13 - Traffic to the internet through an IPv4 gateway. 14 - Traffic to the internet through an IPv6 gateway. 15 - Traffic to the internet through a public IP address. 17 - Traffic through a VPC peering connection. 18 - Traffic to a cross-region VPC through a Basic Edition CEN instance. 19 - Traffic to a VBR in the same region through a Basic Edition CEN instance. 20 - Traffic to a cross-region VBR through a Basic Edition CEN instance. 21 - Traffic through an Express Connect Router (ECR). 22 - Traffic through a Gateway Load Balancer (GWLB) endpoint.
srctype	The CIDR block information of the source IP address. Available when the inter-domain analysis feature is enabled. Note This field is included only if you enable the inter-domain analysis feature.
dsttype	The CIDR block information of the destination IP address. Available when the inter-domain analysis feature is enabled. Note This field is included only if you enable the inter-domain analysis feature.