The vpc-flowlogs-elasticsearch command line tool ("the tool") lets you read your VPC Flow Logs from a Cloud Object Storage (COS) bucket and index them into an Elasticsearch cluster running in the IBM Cloud. The tool also includes a basic search/results capability.
This repository assumes that you have an existing VPC configured with a Flow Logs collector that writes to a COS bucket. The tool requires:
- a second bucket, created within the same COS instance, to store all flow logs that have already been indexed,
- a Databases for Elasticsearch instance (it can be in any IBM Cloud region).
When executed, the tool will:
- read all flow log objects from the flow logs bucket,
- index them to Elasticsearch (7.x),
- delete the indexed objects from the flow logs bucket and write them to the indexed flow logs bucket,
- once the logs are indexed in Elasticsearch, the tool can be used to query them; another client such as Postman can also be used.
You must have a Pay-as-You-Go account in IBM Cloud™ to follow the steps in this repository to create resources. Since the costs for these resources will vary, use the Cost Estimator to generate a cost estimate based on your projected usage.
In addition to having an existing VPC in IBM Cloud with VPC Flow Logs configured, this project requires the provisioning of an instance of Databases for Elasticsearch. Make sure to delete services when they are no longer required so that you do not incur charges in your account.
- Account with IBM Cloud
- Existing VPC
- VPC Flow Logs already configured to write to a COS bucket
- IBM Cloud Databases for Elasticsearch version 7.9 (the Elasticsearch client used by the tool is specific to version 7.x)

Note: the previous version supporting Elasticsearch 6.x is available under the `es_6` branch of this repository.

- Install the following tools as needed:
  - IBM Cloud CLI (if you prefer the command line over using the web console)
  - Go version 1.15.x (if you choose to build the tool from source)
  - Docker (if you choose to build the tool from source but don't want to install Go)
You can build the binary from source as follows:

- Clone this repository to your local computer:

```shell
git clone git@github.com:dprosper/vpc-flowlogs-elasticsearch.git
```

- Build from your local machine:

```shell
go build
```

- Build using Docker for the target OS:

Mac OS

```shell
docker run --rm -v "$PWD":/usr/src/vpc-flowlogs-elasticsearch -w /usr/src/vpc-flowlogs-elasticsearch -e GOOS=darwin -e GOARCH=amd64 golang:latest go build -v -o build/vpc-flowlogs-elasticsearch
```

Linux

```shell
docker run --rm -v "$PWD":/usr/src/vpc-flowlogs-elasticsearch -w /usr/src/vpc-flowlogs-elasticsearch -e GOOS=linux -e GOARCH=amd64 golang:latest go build -v -o build/vpc-flowlogs-elasticsearch
```

Windows

```shell
docker run --rm -v "$PWD":/usr/src/vpc-flowlogs-elasticsearch -w /usr/src/vpc-flowlogs-elasticsearch -e GOOS=windows -e GOARCH=amd64 golang:latest go build -v -o build/vpc-flowlogs-elasticsearch
```

Create the Elasticsearch cluster.
- Use the IBM Cloud Console to create a new instance of Databases for Elasticsearch.
- Create Service Credentials, which will be required to update the `flowlogs.json` file.
- Or, using the IBM Cloud CLI, create an instance of Databases for Elasticsearch using a standard plan. Replace <region_name> accordingly:

```shell
ibmcloud resource service-instance-create flowlogs-es databases-for-elasticsearch databases-for-elasticsearch-standard <region_name>
```

The service will take a few minutes to provision. You can get updates on the status by issuing the following command periodically:

```shell
ibmcloud resource service-instance flowlogs-es
```

- Once you have verified that the service status changed to "create succeeded", you may proceed to create a service key:

```shell
ibmcloud resource service-key-create flowlogs-es-key --instance-name flowlogs-es
```

- Obtain the service key details in JSON format and use the information provided to populate the relevant values for `elasticsearch` in the `flowlogs.json`:

```shell
ibmcloud resource service-key flowlogs-es-key --output json
```
The tool indexes every log found in the COS bucket used by your VPC Flow Logs. As each log is indexed it is deleted from that bucket and moved to another one, so you must provide a destination bucket for the Flow Logs that have already been indexed. That bucket must exist in the same COS instance as the bucket used by the Flow Logs you intend to index.
- Copy `config/flowlogs.json` to the `$HOME` directory of the current user.
- Edit the `~/flowlogs.json` file and replace all instances of `<provide_value>` with the relevant values for COS and Elasticsearch captured above.

You can place the `flowlogs.json` file in any directory of your choice and pass the `--config` flag with the location of the file to any of the commands below.

It is also possible to set environment variables instead of using the `flowlogs.json` config file. Environment variable names match the attribute names in the JSON, with `_` replacing the `.` and the name upper-cased, i.e. `cos.serviceEndpoint` --> `COS_SERVICEENDPOINT`.
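The mapping rule above, implemented as an added example that is not part of this repository: nested JSON attributes are flattened to dotted names, each is looked up as its `COS_SERVICEENDPOINT`-style environment variable, and any attribute still left at the `<provide_value>` placeholder is reported before the tool would send it to COS or Elasticsearch. Letting an environment variable take precedence over the file, and every attribute name other than `cos.serviceEndpoint`, are assumptions for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// flattenConfig records each JSON leaf under its dotted name, e.g. "cos.serviceEndpoint".
func flattenConfig(prefix string, node map[string]interface{}, out map[string]string) {
	for k, v := range node {
		key := k
		if prefix != "" {
			key = prefix + "." + k
		}
		if child, ok := v.(map[string]interface{}); ok {
			flattenConfig(key, child, out)
		} else {
			out[key] = fmt.Sprint(v) // numbers and booleans become their textual form
		}
	}
}

// envName applies the README rule: dots become underscores and the name is upper-cased.
func envName(dotted string) string {
	return strings.ToUpper(strings.ReplaceAll(dotted, ".", "_"))
}

// loadConfig decodes flowlogs.json, lets an env var override each attribute (precedence
// is an assumption) and lists attributes still at the <provide_value> placeholder.
func loadConfig(raw []byte, lookupEnv func(string) (string, bool)) (map[string]string, []string, error) {
	var doc map[string]interface{}
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, nil, err
	}
	cfg := map[string]string{}
	flattenConfig("", doc, cfg)
	var missing []string
	for key := range cfg {
		if val, ok := lookupEnv(envName(key)); ok {
			cfg[key] = val
		}
		if cfg[key] == "" || cfg[key] == "<provide_value>" {
			missing = append(missing, key)
		}
	}
	sort.Strings(missing) // deterministic order for error messages
	return cfg, missing, nil
}
```

Call it as `loadConfig(fileBytes, os.LookupEnv)` and refuse to start when the returned `missing` slice is non-empty, so a leftover placeholder is never used as an endpoint or credential.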
- Index your existing flow logs by issuing the following command:

```shell
./vpc-flowlogs-elasticsearch index
```

Add `--trace` if you want to see the POST and response body from each index request to Elasticsearch.

- The tool indexes 25 flow logs at a time. The indexing process may take a while depending on the number of flow logs in the COS bucket. You can view the status of the indexing process in the `system.log` under the `logs` directory. Errors are in the `error.log`.
- The `config/queries.json` file contains a few example queries:
  - "top_25_target_ips",
  - "top_10_initiator_ips",
  - "total_direction_by_outbound_inbound",
  - "output_ommitted_es_response_body_used",
  - "14_days_top_5_rejected_by_target_ip",
  - "14_days_top_10_rejected_by_initiator_ip".

The output is a JSON array.

```shell
./vpc-flowlogs-elasticsearch search --query 14_days_top_5_rejected_by_target_ip
```

Add `--trace` if you want to see the POST and response body from each request to Elasticsearch.
Using Postman or a similar client

- Review `config/sample_queries.md` for example Elasticsearch endpoints and queries.
Please open issues on this repository's issue tracker: New Issue
- Use IBM Log Analysis with LogDNA to Analyze VPC Network Traffic from IBM Cloud Flow Logs for VPC
- vpc-flowlogs-logdna repository
See License for license information.
