Monday, December 30, 2019

Working with ENI Flowlogs

Setting up Flowlogs

  1. Go to your network interface and create a flow log (per this instruction)
  2. It'll take about 5 min before you see anything in your Log Stream
  3. Each entry is one space-separated record in the default flow log format; two things to know when reading it:
    • Protocols:
      • 1: ICMP (source and dest ports will be 0)
      • 6: TCP
      • 17: UDP
    • Start/End are in UNIX Seconds

Basic search (from CloudWatch Logs)

  • Find all records with source IP 10.0.0.1 (the pattern must list all 14 default-format fields, in order, or it will not match the record)
    [version, account, eni, srcaddr="10.0.0.1", dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log_status]
  • Find all records with source IP 10.0.0.1 destined to port 8443
    [version, account, eni, srcaddr="10.0.0.1", dstaddr, srcport, dstport="8443", protocol, packets, bytes, start, end, action, log_status]
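The same two searches can be run offline against records exported from the log group, which is handy for checking a filter pattern before saving it as a metric filter or subscription. The script below is an added example, not code from the original post: it parses default-format records (the 14 fields named in the patterns above), drops NODATA/SKIPDATA records that carry no traffic fields, applies the source-IP and source-IP-plus-destination-port searches, builds the equivalent CloudWatch Logs filter pattern, and renders hits with the protocol names and UNIX-second windows from the setup notes. The log lines in `SAMPLE_LOG` are constructed sample data, not real traffic.

```python
from datetime import datetime, timezone

# Default VPC flow log record format (version 2): 14 space-separated fields
# in this fixed order.  CloudWatch filter patterns address them positionally,
# so the same positions are used here.
FIELDS = (
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
)

# IANA protocol numbers called out in the post.
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Constructed sample records (not real traffic).  The last line is a NODATA
# record: the ENI saw no traffic in the window, so the traffic fields are "-".
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.0.1 10.0.1.20 49152 8443 6 12 3456 1577664000 1577664060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.0.1 10.0.1.20 49153 443 6 8 1200 1577664000 1577664060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.0.7 10.0.0.1 0 0 1 2 196 1577664000 1577664060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.2.9 10.0.0.1 53 51000 17 1 120 1577664000 1577664060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1577664000 1577664060 - NODATA
"""


def parse_record(line):
    """Parse one record into a dict; None for malformed or NODATA/SKIPDATA records."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None  # wrong field count: not a default-format record
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None  # NODATA / SKIPDATA records have "-" in the traffic fields
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def parse_log(text):
    """Parse every non-empty line, keeping only records parse_record accepts."""
    records = (parse_record(line) for line in text.splitlines() if line.strip())
    return [r for r in records if r is not None]


def from_source(records, ip):
    """First search from the post: records whose source address is ip."""
    return [r for r in records if r["srcaddr"] == ip]


def from_source_to_port(records, ip, port):
    """Second search from the post: source ip AND destination port."""
    return [r for r in from_source(records, ip) if r["dstport"] == port]


def cloudwatch_filter(srcaddr=None, dstport=None):
    """Build the 14-term CloudWatch Logs filter pattern for the same search.

    Every field is listed in order; constrained fields get a quoted value,
    following the style of the AWS documentation examples.
    """
    constraints = {"srcaddr": srcaddr, "dstport": dstport}
    terms = []
    for name in FIELDS:
        value = constraints.get(name)
        terms.append(f'{name}="{value}"' if value is not None else name)
    return "[" + ", ".join(terms) + "]"


def describe(rec):
    """Render a record as an analyst reads it: protocol name and UTC window."""
    proto = PROTOCOLS.get(rec["protocol"], str(rec["protocol"]))
    start = datetime.fromtimestamp(rec["start"], tz=timezone.utc).isoformat()
    end = datetime.fromtimestamp(rec["end"], tz=timezone.utc).isoformat()
    if proto == "ICMP":  # ports are 0 for ICMP, so leave them out
        flow = f'{rec["srcaddr"]} -> {rec["dstaddr"]}'
    else:
        flow = f'{rec["srcaddr"]}:{rec["srcport"]} -> {rec["dstaddr"]}:{rec["dstport"]}'
    return f'{start}..{end} {proto} {flow} {rec["action"]} {rec["packets"]}pkt {rec["bytes"]}B'


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print(cloudwatch_filter(srcaddr="10.0.0.1", dstport=8443))
    for r in from_source_to_port(records, "10.0.0.1", 8443):
        print(describe(r))
```

Because `parse_record` rejects anything that is not exactly 14 fields, a log group written with a custom flow log format will parse to nothing rather than to misaligned columns; adjust `FIELDS` to the custom format in that case, and note that the CloudWatch filter pattern has to change with it as well.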
