
Combine AWS VPC flow logs


Hi All,

I couldn't find a way to better analyze AWS VPC flow logs due to the directional logging of AWS VPC. For example, below I have 4 flow logs that are ingested in Splunk. Flow 1 and 4 need to be combined, because flow 1 is the outgoing connection from srcip 10.x.y.208 to destip on the Internet, with srcport being 33112 and destport 443. Flow 4 is just the reply from the destination, and is recorded with reversed srcip and destip.

flow accountid ENI# srcip destip srcport destport protocol packets bytes starttime end_time action status

4 1234567890 eni-29ad3ad4 10.x.y.208 443 33112 6 7 3664 1519266668 1519266702 ACCEPT OK
3 1234567890 eni-29ad3ad4 10.x.y.208 443 51734 6 10 3851 1519266668 1519266702 ACCEPT OK
2 1234567890 eni-29ad3ad4 10.x.y.208 59818 443 6 2 135 1519266668 1519266702 ACCEPT OK
1 1234567890 eni-29ad3ad4 10.x.y.208 33112 443 6 7 1290 1519266668 1519266702 ACCEPT OK

The question is how I can combine the two flows to show the total bytes, which should be 1290+3664, as well as other information (in this case, that this is an outbound connection from 10.x.y.208). Also, is it possible to calculate the duration of the entire flow using the starttime of flow 1 and the endtime of flow 4?

I hope the question is clear, but please let me know if I need to elaborate on this.

Thanks in advance!

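One way to do the pairing the question describes, as an added Python example that is not part of the post (inside Splunk the same grouping would be expressed in SPL with a direction-independent key): it parses default-format VPC flow log lines, groups each record with its reverse-direction twin, and reports direction, total bytes and duration per connection. The remote address 203.0.113.10 is a constructed placeholder because the post does not show it, and "the endpoint with the lower port is the server" is a heuristic, not a rule.

```python
from collections import defaultdict

# Default (version 2) VPC flow log fields, in order.
FIELDS = ("version", "account_id", "interface_id", "srcip", "destip", "srcport",
          "destport", "protocol", "packets", "bytes", "starttime", "endtime",
          "action", "log_status")
INT_FIELDS = {"srcport", "destport", "protocol", "packets", "bytes", "starttime", "endtime"}

# Constructed sample lines mirroring the four flows in the question.
# 203.0.113.10 (TEST-NET-3) stands in for the Internet host, which the post omits.
SAMPLE_LINES = [
    "2 1234567890 eni-29ad3ad4 203.0.113.10 10.x.y.208 443 33112 6 7 3664 1519266668 1519266702 ACCEPT OK",
    "2 1234567890 eni-29ad3ad4 203.0.113.10 10.x.y.208 443 51734 6 10 3851 1519266668 1519266702 ACCEPT OK",
    "2 1234567890 eni-29ad3ad4 10.x.y.208 203.0.113.10 59818 443 6 2 135 1519266668 1519266702 ACCEPT OK",
    "2 1234567890 eni-29ad3ad4 10.x.y.208 203.0.113.10 33112 443 6 7 1290 1519266668 1519266702 ACCEPT OK",
]

def parse_flow_log_line(line):
    """Parse one space-separated VPC flow log line into a dict with typed numeric fields."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return {k: int(v) if k in INT_FIELDS else v for k, v in zip(FIELDS, parts)}

def flow_key(rec):
    """Direction-independent key: protocol plus both (ip, port) endpoints, sorted."""
    ends = sorted([(rec["srcip"], rec["srcport"]), (rec["destip"], rec["destport"])])
    return (rec["protocol"], ends[0], ends[1])

def combine_flows(records, local_ips):
    """Merge forward and reverse records of one connection; local_ips = addresses owned by the ENI."""
    groups = defaultdict(list)
    for r in records:
        if r["log_status"] == "OK":  # NODATA/SKIPDATA lines carry no usable counters
            groups[flow_key(r)].append(r)
    sessions = []
    for (proto, a, b), recs in groups.items():
        server, client = (a, b) if a[1] < b[1] else (b, a)  # lower port = server (heuristic)
        start, end = min(r["starttime"] for r in recs), max(r["endtime"] for r in recs)
        sessions.append({
            "client_ip": client[0], "client_port": client[1],
            "server_ip": server[0], "server_port": server[1], "protocol": proto,
            "direction": "outbound" if client[0] in local_ips else "inbound",
            "records": len(recs),
            "bytes": sum(r["bytes"] for r in recs), "packets": sum(r["packets"] for r in recs),
            "bytes_sent": sum(r["bytes"] for r in recs if (r["srcip"], r["srcport"]) == client),
            "bytes_received": sum(r["bytes"] for r in recs if (r["srcip"], r["srcport"]) == server),
            "starttime": start, "endtime": end, "duration": end - start,
        })
    return sorted(sessions, key=lambda s: (s["starttime"], s["client_port"]))

def sessions_from_lines(lines, local_ips):
    return combine_flows([parse_flow_log_line(l) for l in lines], local_ips)
```

Flows 1 and 4 collapse into one outbound session of 4954 bytes lasting 34 seconds, while flows 2 and 3 remain single-record sessions (their other halves fell outside the sample), which is exactly the case where aggregate bytes would be undercounted if the two halves were never paired.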