
Configure Transit Gateway Flow Logs inputs for the Splunk Add-on for AWS

Complete the following steps to configure Transit Gateway Flow Log inputs for the Splunk Add-on for Amazon Web Services (AWS):

  1. Manage accounts for the add-on as a prerequisite. See the Manage accounts manual.
  2. Ingest Transit Gateway Flow Logs through an SQS-based S3 input. See the SQS-based S3 inputs manual.

The Splunk Add-on for AWS supports Transit Gateway Flow Logs in the log format listed below. The fields must appear in exactly this order, because field extraction is positional; a custom format that adds, drops or reorders fields will be mislabelled rather than rejected.

Only the default log record format, delivered as text files, is supported. For a description of each field, see the Available fields section of the Logging network traffic using Transit Gateway Flow Logs topic in the AWS documentation.

Logs are indexed under the sourcetype aws:transitgateway:flowlogs. For more information, see the Source types manual.

Log format: Default

Ordered list of fields: version, resource-type, account-id, tgw-id, tgw-attachment-id, tgw-src-vpc-account-id, tgw-dst-vpc-account-id, tgw-src-vpc-id, tgw-dst-vpc-id, tgw-src-subnet-id, tgw-dst-subnet-id, tgw-src-eni, tgw-dst-eni, tgw-src-az-id, tgw-dst-az-id, tgw-pair-attachment-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, log-status, type, packets-lost-no-route, packets-lost-blackhole, packets-lost-mtu-exceeded, packets-lost-ttl-expired, tcp-flags, region, flow-direction, pkt-src-aws-service, pkt-dst-aws-service
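The following is an added example, not code from the Splunk Add-on for AWS, that shows what positional extraction against the default field order looks like and why a record with the wrong number of fields must be rejected rather than mapped. It parses space-delimited records into named fields, converts "-" to a null and the integer fields to int, and flags the records a security analyst usually wants surfaced: a log-status other than OK (a coverage gap), any non-zero packets-lost-* counter (traffic hitting a blackhole or unroutable destination), and TCP flows where only SYN was observed. The three log lines are constructed for this example and are not real AWS output; the function names and the anomaly heuristics are this example's own choices, not the add-on's.

```python
"""Parser and sanity checks for Transit Gateway Flow Log records in the
default text format (fields in the order listed above). Added example;
not part of the Splunk Add-on for AWS."""
from __future__ import annotations

from typing import Any

# Default record format, in the exact order the add-on expects.
DEFAULT_FIELDS: tuple[str, ...] = (
    "version", "resource-type", "account-id", "tgw-id", "tgw-attachment-id",
    "tgw-src-vpc-account-id", "tgw-dst-vpc-account-id", "tgw-src-vpc-id",
    "tgw-dst-vpc-id", "tgw-src-subnet-id", "tgw-dst-subnet-id", "tgw-src-eni",
    "tgw-dst-eni", "tgw-src-az-id", "tgw-dst-az-id", "tgw-pair-attachment-id",
    "srcaddr", "dstaddr", "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "log-status", "type", "packets-lost-no-route",
    "packets-lost-blackhole", "packets-lost-mtu-exceeded",
    "packets-lost-ttl-expired", "tcp-flags", "region", "flow-direction",
    "pkt-src-aws-service", "pkt-dst-aws-service",
)

# Fields carrying integers in the text format; "-" means "not available".
INT_FIELDS = frozenset({
    "version", "srcport", "dstport", "protocol", "packets", "bytes", "start",
    "end", "packets-lost-no-route", "packets-lost-blackhole",
    "packets-lost-mtu-exceeded", "packets-lost-ttl-expired", "tcp-flags",
})

LOSS_FIELDS = tuple(f for f in DEFAULT_FIELDS if f.startswith("packets-lost-"))


class FlowLogFormatError(ValueError):
    """Record does not match the expected field count/order."""


def parse_record(line: str, fields: tuple[str, ...] = DEFAULT_FIELDS) -> dict[str, Any]:
    """Map one space-delimited record onto field names by position.

    A token count that differs from the format means a custom or reordered
    format; positional extraction would then silently mislabel every field,
    so the record is refused instead of guessed at.
    """
    tokens = line.split()
    if len(tokens) != len(fields):
        raise FlowLogFormatError(
            f"expected {len(fields)} fields, got {len(tokens)}: {line[:60]!r}"
        )
    record: dict[str, Any] = {}
    for name, tok in zip(fields, tokens):
        if tok == "-":
            record[name] = None          # AWS writes "-" for unavailable values
        elif name in INT_FIELDS:
            record[name] = int(tok)
        else:
            record[name] = tok
    return record


def flag_record(record: dict[str, Any]) -> list[str]:
    """Return findings worth alerting on for one parsed record (example heuristics)."""
    findings: list[str] = []
    if record["log-status"] != "OK":
        findings.append(f"log-status={record['log-status']} (gap in coverage)")
    for name in LOSS_FIELDS:
        if record[name]:                 # non-zero drop counter
            findings.append(f"{name}={record[name]}")
    # Protocol 6 is TCP; tcp-flags is the OR of flags seen in the window,
    # so a bare SYN (2) means no handshake completed within this flow.
    if record["protocol"] == 6 and record["tcp-flags"] == 2:
        findings.append("tcp SYN only, no ACK seen")
    return findings


def parse_lines(text: str) -> tuple[list[dict[str, Any]], list[str]]:
    """Parse many records, collecting malformed lines instead of aborting."""
    records, errors = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            records.append(parse_record(line))
        except FlowLogFormatError as exc:
            errors.append(str(exc))
    return records, errors


# Constructed sample records (not real AWS output): an ordinary HTTPS flow,
# an SSH attempt whose packets hit a blackhole route, and a truncated line.
SAMPLE_LOG = """\
6 TransitGateway 123456789012 tgw-0123456789abcdef0 tgw-attach-0123456789abcdef0 123456789012 123456789012 vpc-0a1b2c3d4e5f60001 vpc-0a1b2c3d4e5f60002 subnet-0a1b2c3d4e5f60001 subnet-0a1b2c3d4e5f60002 eni-0a1b2c3d4e5f60001 eni-0a1b2c3d4e5f60002 use1-az1 use1-az2 tgw-attach-0123456789abcdef1 10.0.1.25 10.0.2.40 49152 443 6 12 3456 1700000000 1700000060 OK IPv4 0 0 0 0 19 us-east-1 ingress - -
6 TransitGateway 123456789012 tgw-0123456789abcdef0 tgw-attach-0123456789abcdef0 123456789012 - vpc-0a1b2c3d4e5f60001 - subnet-0a1b2c3d4e5f60001 - eni-0a1b2c3d4e5f60001 - use1-az1 - - 10.0.1.25 192.0.2.77 53122 22 6 4 240 1700000000 1700000060 OK IPv4 0 4 0 0 2 us-east-1 ingress - -
6 TransitGateway 123456789012 tgw-0123456789abcdef0 10.0.1.25 10.0.2.40 49152 443 6
"""

if __name__ == "__main__":
    recs, errs = parse_lines(SAMPLE_LOG)
    for r in recs:
        print(r["srcaddr"], "->", r["dstaddr"], r["dstport"], flag_record(r))
    for e in errs:
        print("rejected:", e)
```

Running the block parses the first two records, rejects the nine-token third line with a field-count error, and flags only the second record (blackhole drops and a SYN-only TCP flow). The same positional dependency is why the add-on's extractions break on a custom flow log format: nothing in the record itself says which field is which.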

For more information on Transit Gateway Flow Logs, see the Create a flow log section of the Work with Transit Gateway Flow Logs topic in the AWS documentation.