Concepts
VPC Flow Logs record information about the IP traffic going to and from network interfaces in your VPC. To collect VPC Flow Logs, you need to create a flow log for a VPC, subnet, or network interface.
To enable VPC Flow Logs, use the following steps:
- Navigate to the VPC console.
- Select the VPC, subnet, or network interface.
- Choose “Create flow log” and specify the necessary details, such as the destination log group in CloudWatch Logs or an S3 bucket.
Once enabled, the flow logs capture information such as the source and destination IP addresses, port numbers, protocol, and whether the traffic was accepted or rejected. These logs are useful for network troubleshooting and security analysis.
ELB Access Logs
ELB Access Logs contain detailed information about requests sent to the load balancer. Enabling them helps you understand the nature of the traffic and troubleshoot application issues.
To enable ELB Access Logs:
- Open the Amazon EC2 console.
- Navigate to the Load Balancers section.
- Select the ELB and go to the “Attributes” tab.
- Find “Access logs” and click on “Edit.” Enable the logs and set the S3 destination for the logs.
The logs contain data such as client IP addresses, request paths, server responses, and request processing times.
AWS WAF Web ACL Logs
AWS WAF Web ACL Logs capture the details of incoming web requests that AWS WAF processes. They’re useful for identifying and understanding web attack patterns.
To enable AWS WAF logs:
- Go to the AWS WAF & Shield console.
- Select the corresponding Web ACL.
- Enable logging under the “AWS WAF logs” option. Specify the Amazon Kinesis Data Firehose, which will deliver the logs to an S3 bucket or CloudWatch Logs.
These logs consist of HTTP(S) request details, such as the IP address, URI, headers, and the rule that the request matched.
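As an added illustration of the web ACL log contents listed above (not code from the original post), the snippet below parses a few constructed records laid out like AWS WAF's one-JSON-object-per-line log format, skips malformed lines, and tallies BLOCK decisions by terminating rule and by client IP; the rule names, ARNs and addresses are placeholders.

```python
import json
from collections import Counter

# Constructed sample records shaped like AWS WAF web ACL log lines.
# Rule names, IPs and countries are placeholders, not captured data.
SAMPLE_WAF_LOG = """\
{"timestamp": 1700000000000, "action": "BLOCK", "terminatingRuleId": "RateLimitLogin", "httpRequest": {"clientIp": "198.51.100.7", "country": "US", "httpMethod": "POST", "uri": "/login", "headers": [{"name": "User-Agent", "value": "curl/8.0"}]}}
{"timestamp": 1700000001000, "action": "BLOCK", "terminatingRuleId": "RateLimitLogin", "httpRequest": {"clientIp": "198.51.100.7", "country": "US", "httpMethod": "POST", "uri": "/login", "headers": []}}
{"timestamp": 1700000002000, "action": "ALLOW", "terminatingRuleId": "Default_Action", "httpRequest": {"clientIp": "203.0.113.9", "country": "DE", "httpMethod": "GET", "uri": "/", "headers": []}}
{"timestamp": 1700000003000, "action": "BLOCK", "terminatingRuleId": "AWS-AWSManagedRulesSQLiRuleSet", "httpRequest": {"clientIp": "192.0.2.44", "country": "BR", "httpMethod": "GET", "uri": "/search", "headers": []}}
this line is deliberately not JSON
"""

def parse_waf_records(text):
    """Yield one dict per line, silently skipping blank or non-JSON lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def blocked_summary(text):
    """Count BLOCK decisions by terminating rule ID and by client IP."""
    by_rule, by_ip = Counter(), Counter()
    for rec in parse_waf_records(text):
        if rec.get("action") != "BLOCK":
            continue
        req = rec.get("httpRequest", {})
        by_rule[rec.get("terminatingRuleId", "unknown")] += 1
        by_ip[req.get("clientIp", "unknown")] += 1
    return by_rule, by_ip

if __name__ == "__main__":
    rules, ips = blocked_summary(SAMPLE_WAF_LOG)
    for rule, n in rules.most_common():
        print(f"{n:4d} blocked by rule {rule}")
    for ip, n in ips.most_common():
        print(f"{n:4d} blocked from {ip}")
```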
CloudFront Logs
CloudFront provides two types of logs: access logs (standard logs) and real-time logs. Access logs are useful for in-depth analysis, whereas real-time logs are beneficial for immediate access to data.
To enable standard access logs:
- Navigate to the CloudFront console.
- Choose the distribution and go to the “Distribution Settings.”
- Select the “Logs” tab and update the settings, specifying an S3 bucket for the logs.
CloudFront logs include the requester’s IP address, request URLs, HTTP status codes, and edge location details.
Interpreting Logs
Once you have collected these logs, you need to interpret them to gain insights. AWS provides several tools for this purpose:
- Amazon CloudWatch Logs Insights: For querying and visualizing log data.
- Amazon Athena: For running SQL queries on logs stored in S3.
- Third-party tools: Like Splunk or Sumo Logic, integrated with AWS for log analysis.
For example, with Amazon Athena you could run a query on your VPC Flow Logs to find the volume of rejected traffic over the last 24 hours:
SELECT
  interface_id,
  srcaddr,
  dstaddr,
  count(*) AS request_count
FROM
  "your_flow_logs_database"."your_flow_logs_table"
WHERE
  action = 'REJECT' AND
  parse_datetime(timestamp, 'yyyy-MM-dd''T''HH:mm:ss.SSS') > date_add('day', -1, now())
GROUP BY
  interface_id, srcaddr, dstaddr
ORDER BY
  request_count DESC;
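The same aggregation can be done on raw flow log records, which is handy when Athena is not available or when checking what a query should return. The example below is added here and is not from the original post: it parses constructed records in the default VPC Flow Log format, drops NODATA/SKIPDATA records (whose traffic fields are "-"), and counts rejected flows per interface, source and destination within a 24-hour window ending at a fixed sample "now"; account ID, ENI IDs and addresses are placeholders.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Default (version 2) VPC Flow Log record fields, in order.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]

# Constructed sample records; account ID, ENI IDs and addresses are placeholders.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.12 45123 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.12 45124 22 6 1 44 1700000030 1700000090 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.12 51000 443 6 12 3400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0f9e8d7c 198.51.100.7 10.0.2.5 45125 3389 6 1 40 1600000000 1600000060 REJECT OK
2 123456789012 eni-0f9e8d7c - - - - - - - 1700000000 1700000060 - NODATA
"""
# Fixed "now" for the sample so the 24-hour window is reproducible.
SAMPLE_NOW = datetime.fromtimestamp(1700000100, tz=timezone.utc)

def parse_record(line):
    """Return a dict for one record, or None for malformed or NODATA/SKIPDATA lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":   # no traffic fields to interpret
        return None
    rec["start"] = datetime.fromtimestamp(int(rec["start"]), tz=timezone.utc)
    return rec

def rejected_counts(text, now, window=timedelta(days=1)):
    """Count REJECT records per (interface, src, dst) whose start lies within `window` of `now`."""
    cutoff = now - window
    counts = Counter()
    for line in text.splitlines():
        rec = parse_record(line)
        if rec and rec["action"] == "REJECT" and rec["start"] > cutoff:
            counts[(rec["interface_id"], rec["srcaddr"], rec["dstaddr"])] += 1
    return counts.most_common()   # sorted by count, descending, like the Athena query

if __name__ == "__main__":
    for (eni, src, dst), n in rejected_counts(SAMPLE_FLOW_LOG, SAMPLE_NOW):
        print(f"{eni} {src} -> {dst}: {n} rejected flows")
```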
Parsing and interpreting logs effectively enables SysOps Administrators to maintain the performance, security, and reliability of AWS environments. There are also AWS certification-specific questions that will test your knowledge of how to enable and interpret the different types of logs provided by AWS. Understanding the format and the kind of data each type of log contains is critical for the AWS Certified SysOps Administrator – Associate exam.
Answer the Questions in Comment Section
True or False: Amazon CloudFront logs can only be delivered to an Amazon S3 bucket in the same AWS region as the CloudFront distribution.
- A) True
- B) False
Answer: B) False
Explanation: Amazon CloudFront logs can be delivered to an Amazon S3 bucket in any AWS region, not just the region where the CloudFront distribution is located.
Which AWS service is primarily used to collect and analyze VPC Flow Logs?
- A) Amazon CloudWatch
- B) AWS Config
- C) Amazon Inspector
- D) AWS CloudTrail
Answer: A) Amazon CloudWatch
Explanation: VPC Flow Logs can be published to Amazon CloudWatch Logs and Amazon S3 for storage and analysis.
True or False: AWS WAF web ACL logs can be stored in Amazon S3 buckets for long-term retention.
- A) True
- B) False
Answer: A) True
Explanation: AWS WAF logs can be sent to Amazon Kinesis Data Firehose and then to Amazon S3 for long-term retention.
When enabling logging for an Elastic Load Balancer, you must specify which of the following?
- A) An existing EC2 instance
- B) An Amazon S3 bucket
- C) An Amazon RDS database
- D) An AWS CloudTrail trail
Answer: B) An Amazon S3 bucket
Explanation: ELB access logs are stored in the Amazon S3 bucket that you specify.
True or False: To enable VPC Flow Logs, the VPC must have at least one running instance.
- A) True
- B) False
Answer: B) False
Explanation: VPC Flow Logs can be enabled for a VPC regardless of whether there are running instances or not.
Which AWS service provides log data specific to incoming and outgoing network traffic within your AWS infrastructure?
- A) AWS CloudTrail
- B) VPC Flow Logs
- C) AWS Config
- D) AWS X-Ray
Answer: B) VPC Flow Logs
Explanation: VPC Flow Logs capture information about the IP traffic going to and from network interfaces in your VPC.
True or False: You can use AWS Athena to query ELB access logs stored in Amazon S
- A) True
- B) False
Answer: A) True
Explanation: AWS Athena allows you to run SQL queries on ELB access logs and other logs stored in Amazon S
AWS WAF web ACL logs include which of the following information? (Select TWO)
- A) Request method (GET, POST, etc.)
- B) User’s secret access key
- C) HTTP response code
- D) Network interface ID
- E) Rule ID within the web ACL that matched the request
Answer: A) Request method (GET, POST, etc.), C) HTTP response code
Explanation: AWS WAF logs contain details about the web request such as the request method, HTTP response code, and the rule ID that matched the request. It does not include sensitive user credentials or network interface IDs.
Which of the following is NOT a valid destination for VPC Flow Logs?
- A) AWS CloudWatch Logs
- B) Amazon S3
- C) Amazon QuickSight
- D) Amazon Kinesis Data Firehose
Answer: C) Amazon QuickSight
Explanation: VPC Flow Logs can be published directly to AWS CloudWatch Logs, Amazon S3, and Amazon Kinesis Data Firehose, but not directly to Amazon QuickSight.
True or False: CloudFront access logs can include data about viewers’ requests such as the IP address, user-agent, and query string.
- A) True
- B) False
Answer: A) True
Explanation: CloudFront access logs capture detailed information about every user request that CloudFront receives, including the viewer’s IP address, user-agent, and query string.
Thanks for the informative blog post!
Highly appreciate the detailed insights on VPC Flow Logs.
While VPC Flow Logs are great, how do you recommend filtering out noise for efficient log analysis?
Great breakdown of ELB access logs. These logs are a lifesaver for debugging issues!
Is there any way to simplify the analysis of CloudFront logs? The raw logs can get pretty overwhelming.
Nice explanation! AWS WAF web ACL logs have been a game changer for us.
For AWS WAF logs, how often should we rotate the logs to avoid storage issues?
This post is super helpful for the AWS Certified SysOps Administrator – Associate exam preparation.