Use CreateFlowLogs with a CLI

The following code examples show how to use CreateFlowLogs.
Amazon CLI
Example 1: To create a flow log

The following create-flow-logs example creates a flow log that captures all rejected traffic for the specified network interface. The flow logs are delivered to a log group in CloudWatch Logs using the permissions in the specified IAM role.

```bash
aws ec2 create-flow-logs \
    --resource-type NetworkInterface \
    --resource-ids eni-11223344556677889 \
    --traffic-type REJECT \
    --log-group-name my-flow-logs \
    --deliver-logs-permission-arn arn:aws:iam::123456789101:role/publishFlowLogs
```

Output:

```json
{
    "ClientToken": "so0eNA2uSHUNlHI0S2cJ305GuIX1CezaRdGtexample",
    "FlowLogIds": [
        "fl-12345678901234567"
    ],
    "Unsuccessful": []
}
```
For more information, see VPC Flow Logs in the Amazon VPC User Guide.

Example 2: To create a flow log with a custom format
The following create-flow-logs example creates a flow log that captures all traffic for the specified VPC and delivers the flow logs to an Amazon S3 bucket. The --log-format parameter specifies a custom format for the flow log records. To run this command on Windows, change the single quotes (') to double quotes (").

```bash
aws ec2 create-flow-logs \
    --resource-type VPC \
    --resource-ids vpc-00112233344556677 \
    --traffic-type ALL \
    --log-destination-type s3 \
    --log-destination arn:aws:s3:::flow-log-bucket/my-custom-flow-logs/ \
    --log-format '${version} ${vpc-id} ${subnet-id} ${instance-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${tcp-flags} ${type} ${pkt-srcaddr} ${pkt-dstaddr}'
```

For more information, see VPC Flow Logs in the Amazon VPC User Guide.

Example 3: To create a flow log with a one-minute maximum aggregation interval
The following create-flow-logs example creates a flow log that captures all traffic for the specified VPC and delivers the flow logs to an Amazon S3 bucket. The --max-aggregation-interval parameter specifies a maximum aggregation interval of 60 seconds (1 minute).

```bash
aws ec2 create-flow-logs \
    --resource-type VPC \
    --resource-ids vpc-00112233344556677 \
    --traffic-type ALL \
    --log-destination-type s3 \
    --log-destination arn:aws:s3:::flow-log-bucket/my-custom-flow-logs/ \
    --max-aggregation-interval 60
```
For more information, see VPC Flow Logs in the Amazon VPC User Guide.
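The --log-format string in Example 2 fixes the column order of every record the flow log delivers, so a consumer can derive its parser from that same string. The following Python example is added here and is not part of the AWS documentation or the CLI: it turns the Example 2 format into a field list, parses a few constructed sample records (not real traffic; the header line and all addresses and IDs are made up), and runs two simple review checks, SYN-only connection attempts per source and destination port, and records whose pkt-srcaddr differs from srcaddr, which is where traffic that crossed an intermediary such as a NAT gateway shows its true origin.

```python
import re
from collections import Counter

# The same custom --log-format string as Example 2 above.
LOG_FORMAT = ("${version} ${vpc-id} ${subnet-id} ${instance-id} ${srcaddr} ${dstaddr} "
              "${srcport} ${dstport} ${protocol} ${tcp-flags} ${type} ${pkt-srcaddr} ${pkt-dstaddr}")

# Constructed sample records, not real traffic. The first line is a header listing the
# field names; the parser skips it if present. '-' means the field had no value.
SAMPLE_LOG = """\
version vpc-id subnet-id instance-id srcaddr dstaddr srcport dstport protocol tcp-flags type pkt-srcaddr pkt-dstaddr
3 vpc-00112233344556677 subnet-0a1b2c3d i-0123456789abcdef0 198.51.100.7 10.0.1.25 51532 22 6 2 IPv4 198.51.100.7 10.0.1.25
3 vpc-00112233344556677 subnet-0a1b2c3d i-0123456789abcdef0 198.51.100.7 10.0.1.25 51533 22 6 2 IPv4 198.51.100.7 10.0.1.25
3 vpc-00112233344556677 subnet-0a1b2c3d - 10.0.1.25 10.0.2.40 43210 443 6 3 IPv4 10.0.1.25 10.0.2.40
3 vpc-00112233344556677 subnet-0a1b2c3d i-0123456789abcdef0 10.0.0.5 10.0.1.25 40000 443 6 2 IPv4 203.0.113.9 10.0.1.25
"""

def fields_from_format(log_format):
    """'${version} ${vpc-id} ...' -> ['version', 'vpc-id', ...]: the record column order."""
    return re.findall(r"\$\{([a-z0-9-]+)\}", log_format)

def parse_records(text, fields):
    """Split each space-separated record into a dict keyed by field name."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if parts == fields or len(parts) != len(fields):
            continue  # header line, blank line, or a record with the wrong column count
        records.append({k: (None if v == "-" else v) for k, v in zip(fields, parts)})
    return records

def syn_only_attempts(records):
    """TCP records whose tcp-flags bitmask is exactly SYN (2), i.e. a connection attempt
    with no ACK seen in the interval, counted per (srcaddr, dstport)."""
    counts = Counter()
    for r in records:
        if r["protocol"] == "6" and r["tcp-flags"] == "2":
            counts[(r["srcaddr"], r["dstport"])] += 1
    return counts

def nat_mismatches(records):
    """Records whose packet-level source differs from srcaddr: traffic that passed through
    an intermediary such as a NAT gateway, where srcaddr alone would hide the origin."""
    return [r for r in records if r["pkt-srcaddr"] and r["pkt-srcaddr"] != r["srcaddr"]]

if __name__ == "__main__":
    fields = fields_from_format(LOG_FORMAT)
    recs = parse_records(SAMPLE_LOG, fields)
    print(syn_only_attempts(recs).most_common())
    print([(r["srcaddr"], r["pkt-srcaddr"]) for r in nat_mismatches(recs)])
```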
For API details, see CreateFlowLogs in Amazon CLI Command Reference.

Tools for PowerShell
Example 1: This example creates an EC2 flow log for the subnet subnet-1d234567, delivered to the CloudWatch Logs log group named 'subnet1-log', for all 'REJECT' traffic, using the permissions of the 'Admin' role.

```powershell
New-EC2FlowLog -ResourceId "subnet-1d234567" -LogDestinationType cloud-watch-logs -LogGroupName subnet1-log -TrafficType "REJECT" -ResourceType Subnet -DeliverLogsPermissionArn "arn:aws:iam::98765432109:role/Admin"
```

Output:

```
ClientToken                                  FlowLogIds             Unsuccessful
-----------                                  ----------             ------------
m1VN2cxP3iB4qo//VUKl5EU6cF7gQLOxcqNefvjeTGw= {fl-012fc34eed5678c9d} {}
```
For API details, see CreateFlowLogs in Amazon Tools for PowerShell Cmdlet Reference.
For a complete list of Amazon SDK developer guides and code examples, see Create Amazon EC2 resources using an Amazon SDK. This topic also includes information about getting started and details about previous SDK versions.