Tutorial: Sending VPC Flow Logs to Splunk Using Amazon Kinesis Data Firehose
In this tutorial, you learn how to capture information about the IP traffic going to and from network interfaces in an Amazon Virtual Private Cloud (Amazon VPC). You then use Amazon Kinesis Data Firehose to send that information to Splunk. For more information about VPC network traffic, see VPC Flow Logs in the Amazon VPC User Guide.
First you send the Amazon VPC flow logs to Amazon CloudWatch. Then from CloudWatch, the data goes to a Kinesis Data Firehose delivery stream. Kinesis Data Firehose then invokes an Amazon Lambda function to decompress the data, and sends the decompressed log data to Splunk.
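The decompression step in that pipeline is the part you write yourself. The following is an added example, not code from this tutorial or from AWS: a hypothetical Firehose data-transformation Lambda that base64-decodes and gunzips each CloudWatch Logs subscription record, drops CONTROL_MESSAGE records, flags undecodable records as ProcessingFailed, and returns the raw flow log lines (newline-delimited) for delivery to the Splunk HEC token, whose aws:cloudwatchlogs:vpcflow source type parses them. The sample event at the bottom is constructed inline so the function can be run offline.

```python
import base64
import gzip
import json

# Hypothetical transformation function for the Firehose delivery stream in this
# tutorial (added example). CloudWatch Logs hands Firehose base64-encoded gzip
# payloads; Firehose passes each one to the function, which must return the
# same recordId with a result of Ok, Dropped or ProcessingFailed.

def transform_record(record):
    """Decompress one Firehose record and emit newline-delimited log lines."""
    try:
        payload = json.loads(gzip.decompress(base64.b64decode(record["data"])))
    except (ValueError, OSError, KeyError):
        # Malformed input must not be silently delivered; Firehose will retry
        # or route it to the S3 backup bucket according to its error handling.
        return {"recordId": record["recordId"], "result": "ProcessingFailed"}
    # CloudWatch sends a CONTROL_MESSAGE when the subscription is created; it
    # carries no log events and should be dropped, not forwarded to Splunk.
    if payload.get("messageType") != "DATA_MESSAGE":
        return {"recordId": record["recordId"], "result": "Dropped"}
    lines = [e["message"] for e in payload.get("logEvents", []) if "message" in e]
    if not lines:
        return {"recordId": record["recordId"], "result": "Dropped"}
    out = ("\n".join(lines) + "\n").encode()
    return {"recordId": record["recordId"], "result": "Ok",
            "data": base64.b64encode(out).decode()}

def lambda_handler(event, context=None):
    """Lambda entry point: transform every record in the Firehose batch."""
    return {"records": [transform_record(r) for r in event["records"]]}

def _firehose_record(record_id, payload_obj):
    """Build a record the way CloudWatch Logs would (constructed sample)."""
    raw = gzip.compress(json.dumps(payload_obj).encode())
    return {"recordId": record_id, "data": base64.b64encode(raw).decode()}

# Constructed sample batch: one DATA_MESSAGE with a single VPC flow log line
# (version 2 default format) plus one CONTROL_MESSAGE. Account ID is a placeholder.
SAMPLE_EVENT = {"records": [
    _firehose_record("r1", {
        "messageType": "DATA_MESSAGE", "owner": "123456789012",
        "logGroup": "vpc-flow-logs", "logStream": "eni-0abc",
        "subscriptionFilters": ["to-firehose"],
        "logEvents": [{"id": "1", "timestamp": 1700000000000, "message":
            "2 123456789012 eni-0abc 10.0.1.5 10.0.2.7 443 51000 6 10 840 "
            "1700000000 1700000060 ACCEPT OK"}]}),
    _firehose_record("r2", {"messageType": "CONTROL_MESSAGE", "logEvents": []}),
]}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT), indent=2))
```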
Prerequisites
Before you begin, ensure that you have the following prerequisites:
- Amazon account — If you don't have an Amazon account, create one at http://aws.amazon.com. For more information, see Setting Up for Amazon Kinesis Data Firehose.
- Amazon CLI — Parts of this tutorial require that you use the Amazon Command Line Interface (Amazon CLI). To install the Amazon CLI, see Installing the Amazon Command Line Interface in the Amazon Command Line Interface User Guide.
- HEC token — In your Splunk deployment, set up an HTTP Event Collector (HEC) token with the source type aws:cloudwatchlogs:vpcflow. For more information, see Installation and configuration overview for the Splunk Add-on for Amazon Kinesis Firehose in the Splunk documentation.