Configure VPC Flow Logs inputs for the Splunk Add-on for AWS

Complete the steps to configure VPC Flow Log inputs for the Splunk Add-on for Amazon Web Services (AWS):

  1. You must manage accounts for the add-on as a prerequisite. See Manage accounts for the Splunk Add-on for AWS.
  2. See Configure Kinesis inputs for the Splunk Add-on for AWS if ingesting VPC flow logs via a Kinesis Data Stream.
  3. See Configure CloudWatch Log inputs for the Splunk Add-on for AWS if ingesting VPC flow logs via CloudWatch Logs.
  4. See Configure SQS-based S3 inputs for the Splunk Add-on for AWS if ingesting VPC flow logs via SQS-based S3.

The Splunk Add-on for AWS supports VPC flow logs in the following log formats. Fields must be in one of the following orders to provide field extractions.

For more information on the list of v1-v5 fields to add in the given order when selecting Custom Format, or selecting Custom Format and Select All, see the Available fields section of the Logging IP traffic using VPC Flow Logs topic in the AWS documentation.

Logs will be indexed under the sourcetype: aws:cloudwatchlogs:vpcflow or aws:cloudwatchlogs:vpcflow:metric. For more information, see Source types for the Splunk Add-on for AWS.

| Log format | Ordered list of fields |
|------------|------------------------|
| Default | version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status |
| Custom | version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status, vpc-id, subnet-id, instance-id, tcp-flags, type, pkt-srcaddr, pkt-dstaddr, region, az-id, sublocation-type, sublocation-id, pkt-src-aws-service, pkt-dst-aws-service, flow-direction, traffic-path |
| Select All | account-id, action, az-id, bytes, dstaddr, dstport, end, flow-direction, instance-id, interface-id, log-status, packets, pkt-dst-aws-service, pkt-dstaddr, pkt-src-aws-service, pkt-srcaddr, protocol, region, srcaddr, srcport, start, sublocation-id, sublocation-type, subnet-id, tcp-flags, traffic-path, type, version, vpc-id |

Update log formatting in AWS VPC

To update the log format in your AWS VPC to ensure successful field extractions, perform the following steps:

  1. Navigate to the AWS VPC dashboard and select Virtual private cloud > Your VPCs.
  2. Add a Name, then choose the Filter, Minimum aggregation interval, Destination, and corresponding fields.
  3. For Log record format, select one of the following options:
    • Select Default (not supported in version 6.3.0; supported in versions 6.3.1 and later).
    • Select Custom, and add fields in the order provided in the field table previously listed in this topic.
    • Select Select All.
  4. Delete the previous VPC flow log with the old log formatting.

For more information on updating the log format in AWS VPC, see the Create a flow log section of the Work with flow logs topic in the AWS documentation.
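
The check below is an added example, not part of the Splunk or AWS documentation: it compares a flow log record format string, written in the `${field}` placeholder syntax AWS uses for custom formats, against the three field orders in the table in this topic and reports the first field that is out of order. The function names and the sample format string are constructed for illustration.

```python
import re

# Field orders copied from the table in this topic.
DEFAULT = ("version account-id interface-id srcaddr dstaddr srcport dstport "
           "protocol packets bytes start end action log-status").split()
CUSTOM = DEFAULT + ("vpc-id subnet-id instance-id tcp-flags type pkt-srcaddr "
                    "pkt-dstaddr region az-id sublocation-type sublocation-id "
                    "pkt-src-aws-service pkt-dst-aws-service flow-direction "
                    "traffic-path").split()
SELECT_ALL = ("account-id action az-id bytes dstaddr dstport end flow-direction "
              "instance-id interface-id log-status packets pkt-dst-aws-service "
              "pkt-dstaddr pkt-src-aws-service pkt-srcaddr protocol region "
              "srcaddr srcport start sublocation-id sublocation-type subnet-id "
              "tcp-flags traffic-path type version vpc-id").split()
SUPPORTED = {"Default": DEFAULT, "Custom": CUSTOM, "Select All": SELECT_ALL}


def fields_in(log_format):
    """Extract field names from a format string such as '${version} ${srcaddr}'."""
    return re.findall(r"\$\{([a-z-]+)\}", log_format)


def to_log_format(label):
    """Build the format string for one of the supported orders."""
    return " ".join("${%s}" % name for name in SUPPORTED[label])


def supported_format(log_format):
    """Return the label of the matching supported order, or None."""
    names = fields_in(log_format)
    return next((label for label, order in SUPPORTED.items() if names == order), None)


def first_mismatch(log_format, label):
    """Return (position, expected, found) for the first out-of-order field, or None."""
    names, order = fields_in(log_format), SUPPORTED[label]
    for i in range(max(len(names), len(order))):
        expected = order[i] if i < len(order) else None
        found = names[i] if i < len(names) else None
        if expected != found:
            return (i + 1, expected, found)
    return None


if __name__ == "__main__":
    # Constructed sample: srcaddr and dstaddr swapped relative to the Default order.
    sample = "${version} ${account-id} ${interface-id} ${dstaddr} ${srcaddr}"
    print(supported_format(sample))            # no supported order matches
    print(first_mismatch(sample, "Default"))   # where the order first diverges
    print(to_log_format("Custom"))             # format string in the Custom order
```

Because field extractions depend on the field order, running a check like this on a Custom format before creating the flow log catches a misordered field list early.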