The Cyber Security Library

An introduction to VPC flow logs


Last updated 1 year ago

Flow logging is a free AWS VPC feature that can capture and log traffic transiting through your AWS estate’s network interfaces. Flow logs capture all traffic by default, but can be configured to only capture accepted or rejected traffic. Similar traffic (e.g., multiple packets from the same source to the same destination) across an interface is aggregated over an interval and combined into a flow log record, as seen below. You’ll learn how to interpret these records later in the lab.

Each log entry or record contains information such as the account ID and the interface ID of the network interface in question, the source of the traffic (IP address and port), and the destination. Records also show how many packets and bytes were sent during the aggregation interval and the IANA protocol number of the traffic. AWS documents the full set of available fields; version two fields are included in each record by default, and fields from version three or higher must be added with a custom log record format.

Flow log records can be stored in CloudWatch log groups or S3 buckets and retained for auditing and investigation purposes. Integration with CloudWatch logs means that the CloudWatch Alarms feature can be used with flow logs, enabling monitoring and alerting on network traffic through your network interfaces.
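The default (version 2) record format described above is a space-separated line whose field order is fixed, so the records a CloudWatch log group or S3 object holds can be parsed directly. The following added example (not part of the lab) parses constructed sample records, sums bytes per interface and action, and flags sources whose rejected flows touch several destination ports, the kind of condition a CloudWatch metric filter would later alert on. The account ID, interface ID and addresses are made up.

```python
from collections import defaultdict

# Field order of the default (version 2) VPC flow log record format.
V2_FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
             "protocol packets bytes start end action log_status").split()
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed sample records (not real traffic): one source probing three
# ports on one interface, one accepted HTTPS flow and one NODATA row.
SAMPLE_LINES = [
    "2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.10 10.0.1.25 54321 22 6 4 240 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.10 10.0.1.25 54322 23 6 4 240 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.10 10.0.1.25 54323 3389 6 4 240 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.25 41000 443 6 12 5400 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - NODATA",
]

def parse_record(line):
    """One record -> dict; numeric fields become ints, '-' (NODATA/SKIPDATA rows) becomes None."""
    parts = line.split()
    if len(parts) != len(V2_FIELDS):
        raise ValueError(f"expected {len(V2_FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(V2_FIELDS, parts))
    for key in INT_FIELDS:
        rec[key] = None if rec[key] == "-" else int(rec[key])
    return rec

def ok_records(lines):
    """Yield only records that actually carry traffic data (log-status OK)."""
    for line in lines:
        rec = parse_record(line)
        if rec["log_status"] == "OK":
            yield rec

def bytes_by_interface_action(lines):
    """{interface_id: {action: total bytes}} summed over the aggregation windows."""
    totals = defaultdict(lambda: defaultdict(int))
    for rec in ok_records(lines):
        totals[rec["interface_id"]][rec["action"]] += rec["bytes"]
    return {eni: dict(acts) for eni, acts in totals.items()}

def rejected_port_sweeps(lines, min_ports=3):
    """Sources whose REJECT records hit >= min_ports distinct destination ports
    (a simple probing indicator worth a CloudWatch metric filter): {srcaddr: ports}."""
    ports = defaultdict(set)
    for rec in ok_records(lines):
        if rec["action"] == "REJECT":
            ports[rec["srcaddr"]].add(rec["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}
```

Records whose log-status is NODATA or SKIPDATA carry no traffic fields, so they are dropped before any counting; a custom format with version 3+ fields would need its own field list.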

Creating flow logs

There's no console section dedicated to flow logs, so they must be created and viewed within the resources they're attached to. In the VPC console, you can select a VPC or a subnet (or multiple) and select Create flow log from the Actions dropdown. An example of this can be seen in the screenshot below. Similarly, in the Network interfaces section of the EC2 console, you can select one or more interfaces to create a flow log on, again using the Actions dropdown.

It’s worth noting that if you've opted to create a flow log for multiple resources, AWS creates one flow log for each selected resource, with matching configurations as prescribed by the user during creation.

Create a CloudWatch log group called eu-west-1b-logs. Leave all settings as default.

Now, create a flow log called eu-west-1b-all-traffic for the default subnet in the eu-west-1b availability zone. It should capture all traffic, on a maximum aggregation interval of one minute, and send its records to your eu-west-1b-logs CloudWatch log group. Use the existing metrolio-flow-logs-4df7f3c3 IAM role and leave everything else as default.

Next, create a flow log called web-traffic, capturing only accepted traffic for both of the existing EC2 network interfaces in eu-west-1. The aggregation interval should be ten minutes and logs should be pushed to the web folder of your S3 bucket. Leave everything else as default. Note: the bucket ARN is arn:aws:s3:::metrolio-eu-ff578811.
