# AWS Flow Logs (S3)

NetObserv Flow can collect AWS VPC Flow Logs stored in S3.

{% hint style="warning" %}
NOTICE

If *no S3 bucket is involved* because Firehose is exporting over HTTP, use the [AWS Flow Logs (Firehose HTTP)](/flowcoll/configuration/inputs/input_aws_firehose.md) settings instead. If flow logs are being exported into an S3 bucket by any means (with or without AWS Firehose involved), these are the right settings to use.
{% endhint %}

When NetObserv Flow processes flow logs from the specified S3 bucket, it defaults to looking for a folder called “AWSLogs”. Every time NetObserv processes flow logs, it moves them to another folder called “elastiflow-processed”. This behavior lets the collector distinguish flow logs that have already been processed from new flow logs that still need to be processed. The schema of the logs remains unchanged; only their location within the S3 bucket is modified.

If Firehose is being used to export flow logs into S3, then there are additional settings required. This is because Firehose does not include the field names in the exported data, therefore NetObserv must know to process the exported flow logs slightly differently.

## EF\_AWS\_VPC\_FLOW\_LOG\_S3\_ENABLE

* Valid Values
  * `true`, `false`
* Default
  * `false`

## EF\_AWS\_VPC\_FLOW\_LOG\_S3\_BUCKET

The S3 bucket from which to fetch AWS VPC Flow Logs.

* Default
  * `''`

## EF\_AWS\_VPC\_FLOW\_LOG\_S3\_PREFIX

* Default
  * `AWSLogs`

## EF\_AWS\_VPC\_FLOW\_LOG\_S3\_POOL\_SIZE

Specifies the number of concurrent workers to start. Increasing the number of workers allows the collector to better handle processing of VPC flow logs in S3.

* Default
  * `number of license units`

## EF\_AWS\_VPC\_FLOW\_LOG\_S3\_TLS\_ENABLE

This setting is used to enable/disable TLS connections to AWS S3.

* Valid Values
  * `true`, `false`
* Default
  * `false`

## EF\_AWS\_VPC\_FLOW\_LOG\_S3\_TLS\_SKIP\_VERIFICATION

This setting controls whether TLS verification of the AWS S3 endpoint to which the input is attempting to connect is skipped. Set it to `true` to skip verification; with `false`, the endpoint is verified.

* Valid Values
  * `true`, `false`
* Default
  * `false`

## EF\_AWS\_VPC\_FLOW\_LOG\_S3\_TLS\_CA\_CERT\_FILEPATH

The path to the Certificate Authority (CA) certificate to use for verification of the AWS S3 endpoint to which the input is attempting to connect.

* Default
  * `''`

## EF\_AWS\_VPC\_FLOW\_LOG\_S3\_TLS\_MIN\_VERSION

This setting is used to set the minimum TLS version.

* Valid Values
  * `1.2`, `1.3`
* Default
  * `1.2`

## EF\_AWS\_VPC\_FLOW\_LOG\_FIREHOSE\_S3\_ENABLE

This setting declares that the S3 bucket receives data from Amazon Firehose instead of directly from VPCs.

* Valid Values
  * `true`, `false`
* Default
  * `false`

## EF\_AWS\_VPC\_FLOW\_LOG\_FIREHOSE\_S3\_LOG\_FORMAT

This setting is used when the input is receiving data from Amazon Firehose. It specifies the format of the logs. Each key must be wrapped in a format that looks like `${key}` and must be a valid key according to AWS log formats.

You only need to set this if you are using Firehose to export flow logs to S3 and you customized the exported fields to be anything other than the default v1 fields.

* Default
  * `${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} ${action} ${log-status}`
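The following added example (not NetObserv code) shows why the format string has to match the export exactly: Firehose records carry no field names, so each value is identified only by its position. The function names, the field list (AWS record format versions 2 to 5) and the sample record are assumptions made for this illustration; how the collector itself handles a mismatch is not described on this page.

```python
import re

# Default EF_AWS_VPC_FLOW_LOG_FIREHOSE_S3_LOG_FORMAT value, copied from this page.
DEFAULT_FORMAT = (
    "${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} "
    "${srcport} ${dstport} ${protocol} ${packets} ${bytes} "
    "${start} ${end} ${action} ${log-status}"
)

# Field names from the AWS VPC Flow Logs record format, versions 2 to 5.
# Assumption: fields AWS added in later versions are not listed; extend as needed.
AWS_FIELDS = set(
    "version account-id interface-id srcaddr dstaddr srcport dstport protocol "
    "packets bytes start end action log-status vpc-id subnet-id instance-id "
    "tcp-flags type pkt-srcaddr pkt-dstaddr region az-id sublocation-type "
    "sublocation-id pkt-src-aws-service pkt-dst-aws-service flow-direction "
    "traffic-path".split()
)

_KEY = re.compile(r"\$\{([^{}]+)\}")


def parse_format(fmt):
    """Return the ordered field names of a format string, rejecting bad keys."""
    keys = []
    for token in fmt.split():
        match = _KEY.fullmatch(token)
        if match is None:
            raise ValueError(f"not wrapped as ${{key}}: {token!r}")
        if match.group(1) not in AWS_FIELDS:
            raise ValueError(f"not an AWS flow log field: {match.group(1)!r}")
        keys.append(match.group(1))
    return keys


def parse_record(fmt, line):
    """Map one headerless, space-separated record onto the format's field names."""
    keys, values = parse_format(fmt), line.split()
    if len(keys) != len(values):
        # A format that does not match the export would shift every column.
        raise ValueError(f"format has {len(keys)} fields, record has {len(values)}")
    return dict(zip(keys, values))


# Constructed sample record in the default field order (not real traffic).
SAMPLE = ("2 123456789012 eni-0123456789abcdef0 10.0.1.5 10.0.2.9 "
          "49152 443 6 10 840 1700000000 1700000060 ACCEPT OK")

if __name__ == "__main__":
    print(parse_record(DEFAULT_FORMAT, SAMPLE))
```

Running a candidate format string and one exported line through a check like this before deploying catches a misspelled key or a field-count mismatch early.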

## AWS\_REGION

The AWS SDK compatible environment variable that specifies the AWS Region to send the request to.

## AWS\_ACCESS\_KEY\_ID

Specifies an AWS access key associated with an IAM user or role.

## AWS\_SECRET\_ACCESS\_KEY

Specifies the secret key associated with the access key. This is essentially the "password" for the access key.


