Add a VPC Flow Logs input for the Splunk App for AWS
Create a VPC Flow Logs input to capture IP traffic flow data for the network interfaces in your resources.
You can only configure one VPC Flow Logs input per AWS Account Access Key ID, which you select by its corresponding friendly name. You can configure multiple VPC Flow Logs inputs for the same AWS environment, provided each one is created with a different account friendly name.
Splunk recommends splitting your VPC Flow Logs data into separate inputs when the combined data volume in your log groups exceeds 4K events per second.
Prerequisites
Before you can successfully configure a VPC Flow Logs input, you need to:
1. Enable VPC flow logging for your VPCs in all the regions that you want to track data in the Splunk App for AWS. If you have not already done this, see "Configure your AWS services for the Splunk App for AWS" in this manual.
2. Make sure that the account friendly name you use to configure this input corresponds to an AWS Account Access Key ID that has the necessary permissions to gather this data. If you have not already done this, see "Configure your AWS permissions for the Splunk App for AWS" in this manual.
Add a new VPC Flow Logs input
1. In the app, click Configure in the app navigation bar.
2. Under Data Sources, in the VPC Flow Logs box, click Set up.
3. Select the friendly name of the AWS Account that you want to use to collect VPC Flow Logs data. If you have not yet configured the account you need, click Add New Account to configure one now.
4. Under VPC Log Groups, select a Region for which you have enabled VPC Flow Logging.
5. Click Select a log group to view the log group names for the region you have selected. If you do not see any, verify that you have completed all steps in the prerequisites.
6. Select the log group names that you want to gather data from.
7. Click the + button to add another log group. You can gather data from multiple log groups within a single region or from different regions.
8. Repeat steps 4 - 6 until you have configured log group names for all the regions where you have VPC Flow Logging enabled in AWS.
9. Click Add to save and enable this data input.
When you create the data input, the Splunk App for AWS immediately begins collecting your VPC Flow Log data, including all historical data, and checks for updates every ten minutes. The app imposes a 30 minute delay for new event collection, to allow time for AWS to process and log events, which have a timestamp reflecting their actual event time, but may not make it into the logs until some minutes later.
Edit or delete a VPC Flow Logs input
You can view, edit, or delete your existing VPC Flow Log inputs from the VPC Flow Log Inputs screen.
1. In the app, click Configure in the app navigation bar.
2. Under Data Sources, in the VPC Flow Log box, click the link that tells you how many inputs you currently have configured for VPC Flow Logs.
3. The VPC Flow Log Inputs screen displays a list of VPC Flow Log inputs, organized by the account friendly name used to create the input.
4. From here, you can click the account names to open the individual inputs to edit them, or you can delete an input by clicking the trash can icon.
Note: If you delete an input and then add a new one for the same log group, the app collects all your historical data again.
Add a CloudWatch input for the Splunk App for AWS | Add a Billing input for the Splunk App for AWS |
This documentation applies to the following versions of Splunk® App for AWS (Legacy): 4.0.0
Feedback submitted, thanks!