AlienVault® USM Anywhere™

Amazon VPC Flow Logs

When you configure Amazon VPC Flow Logs to send log data to USM Anywhere, you can use the VPC Flow Logs plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin:

Plugin Information
Device Details
Vendor Amazon
Device Type Cloud Infrastructure
Connection Type Amazon CloudWatch

Integrating Amazon VPC Flow Logs

VPC Flow Logs is a feature that lets you capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data is stored using Amazon CloudWatch Logs, so you must first enable CloudWatch in your AWS environment and set up a new CloudWatch Collection job in AWS to transport log files from your VPC environment to a place where USM Anywhere can access them.

Note: For detailed information about setting up a new CloudWatch Collection job, see Collecting Amazon CloudWatch Logs.

To create a flow log, you specify the flow log resource, the type of traffic to capture (accepted traffic, rejected traffic, or all traffic), and the name of a log group in CloudWatch Logs where the flow log will be published. Flow logs do not capture all types of IP traffic. The following types of traffic are not logged:

  • Traffic generated by a Windows instance for Amazon Windows license activation
  • Traffic to and from for instance metadata
  • DHCP traffic
  • Traffic to the reserved IP address for the default VPC router (see VPC and Subnet Sizing)

After you've created a flow log, you can work with flow log records the same as any other log events collected by CloudWatch Logs.

Plugin Enablement

When you set up a new CloudWatch log collection job, you select an associated plugin for the collection job; in this case, the VPC Flow Logs plugin. This enables the plugin when USM Anywhere runs the CloudWatch log collection job.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • access_control_outcome
  • bytes_in
  • destination_address
  • destination_port
  • event_name
  • plugin_device
  • plugin_device_type
  • rep_device_inbound_interface
  • source_address
  • source_port
  • transport_protocol

Additional Resources and Troubleshooting

For troubleshooting, see the vendor documentation.