Version: 7.2

AWS VPC Flow Logs (Firehose)

Overview

NetObserv Flow supports the collection of AWS VPC Flow Logs directly from Amazon Firehose via an HTTP endpoint. It is compatible with all fields from VPC Flow Log versions 2 through 5.

To integrate with Firehose, create a Firehose stream with an HTTP Endpoint destination. The HTTP endpoint URL must point to a NetObserv server configured with TLS, and the URL path must be /api/v1/aws/firehose/flow-logs so that it targets the correct API endpoint.

Because this is a public endpoint, it is recommended to set an access key for authentication. If an access key is configured on the Firehose stream, the exact same value must be set in the EF_AWS_VPC_FLOW_LOG_FIREHOSE_HTTP_ACCESS_KEY environment variable.

EF_AWS_VPC_FLOW_LOG_FIREHOSE_HTTP_ENABLE

This setting is used to enable or disable an HTTP endpoint which can receive data from Amazon Firehose.

  • Valid Values
    • true, false
  • Default
    • false

EF_AWS_VPC_FLOW_LOG_FIREHOSE_HTTP_ACCESS_KEY

This setting declares the access key used by the configured Firehose stream, if one is set. If the value does not match the key configured on the stream, the API endpoint returns an error.

  • Default
    • ""

EF_AWS_VPC_FLOW_LOG_FIREHOSE_HTTP_LOG_FORMAT

This setting is used when the input is receiving data from Amazon Firehose. It specifies the format of the logs. Each key must be written in the form ${key} and must be a valid field name according to the AWS VPC Flow Log formats.

  • Default
    • ${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} ${action} ${log-status}
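
The format rule above, as an added example (not NetObserv code): a Python pre-deployment check that a format string uses only ${key} tokens naming AWS VPC Flow Log fields from versions 2 through 5, then splits a record with it. The space-separated layout, the sample records and all function names are assumptions made for illustration.

```python
import re

# AWS VPC Flow Log field names, versions 2 through 5.
AWS_FIELDS = set("""
version account-id interface-id srcaddr dstaddr srcport dstport protocol
packets bytes start end action log-status
vpc-id subnet-id instance-id tcp-flags type pkt-srcaddr pkt-dstaddr
region az-id sublocation-type sublocation-id
pkt-src-aws-service pkt-dst-aws-service flow-direction traffic-path
""".split())
TOKEN = re.compile(r"\$\{([a-z0-9-]+)\}")

# Default format shown on this page.
DEFAULT_FORMAT = ("${version} ${account-id} ${interface-id} ${srcaddr} "
                  "${dstaddr} ${srcport} ${dstport} ${protocol} ${packets} "
                  "${bytes} ${start} ${end} ${action} ${log-status}")
# Constructed sample records (not real traffic).
SAMPLE_ACCEPT = ("2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.5 10.0.2.9 "
                 "49152 443 6 10 840 1700000000 1700000060 ACCEPT OK")
SAMPLE_NODATA = ("2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - "
                 "1700000000 1700000060 - NODATA")

def parse_format(fmt):
    """Return the ordered key list; raise ValueError on a malformed format."""
    keys = []
    for token in fmt.split():
        m = TOKEN.fullmatch(token)
        if not m:
            raise ValueError(f"token not written as ${{key}}: {token!r}")
        key = m.group(1)
        if key not in AWS_FIELDS:
            raise ValueError(f"not an AWS flow log field: {key!r}")
        if key in keys:
            raise ValueError(f"duplicate field: {key!r}")
        keys.append(key)
    if not keys:
        raise ValueError("empty log format")
    return keys

def parse_record(fmt, line):
    """Map one flow log line onto the format's keys; '-' becomes None."""
    keys, values = parse_format(fmt), line.split()
    if len(values) != len(keys):
        # A count mismatch means the stream and the collector disagree on
        # the format, so every field after the drift would be mislabelled.
        raise ValueError(f"expected {len(keys)} fields, got {len(values)}")
    return {k: (None if v == "-" else v) for k, v in zip(keys, values)}

if __name__ == "__main__":
    print(parse_record(DEFAULT_FORMAT, SAMPLE_ACCEPT))
```

Rejecting a record whose field count differs from the format is deliberate: silently accepting it would shift values into the wrong columns, for example reading a port as a protocol number.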