

# Create an Amazon Transit Gateway Flow Logs record that publishes to Amazon CloudWatch Logs
<a name="flow-logs-cwl-create-flow-log"></a>

You can create flow logs for transit gateways. If you perform these steps as an IAM user, ensure that you have permissions to use the `iam:PassRole` action. For more information, see [Permissions for IAM users to pass a role](flow-logs-cwl.md#flow-logs-iam-user).

You can create an Amazon CloudWatch flow log using either the Amazon VPC Console or the Amazon CLI.

**To create a transit gateway flow log using the console**

1. Sign in to the Amazon Web Services Management Console and open the Amazon VPC console at [https://console.amazonaws.cn/vpc/](https://console.amazonaws.cn/vpc/).

1. In the navigation pane, choose **Transit gateways**. 

1. Choose the checkboxes for one or more transit gateways and choose **Actions**, **Create flow log**.

1. For **Destination**, choose **Send to CloudWatch Logs**.

1. For **Destination log group**, choose the name of an existing destination log group.
**Note**  
If the destination log group does not yet exist, entering a new name in this field will create a new destination log group.

1. For **IAM role**, specify the name of the role that has permissions to publish logs to CloudWatch Logs.

1. For **Log record format**, select the format for the flow log record.
   + To use the default format, choose **Amazon default format**.
   + To use a custom format, choose **Custom format** and then select fields from **Log format**.

1. (Optional) Choose **Add new tag** to apply tags to the flow log.

1. Choose **Create flow log**.

**To create a flow log using the command line**

Use one of the following commands.
+ [create-flow-logs](https://docs.amazonaws.cn/cli/latest/reference/ec2/create-flow-logs.html) (Amazon CLI)
+ [New-EC2FlowLog](https://docs.amazonaws.cn/powershell/latest/reference/items/New-EC2FlowLog.html) (Amazon Tools for Windows PowerShell)

The following Amazon CLI example creates a flow log that captures transit gateway information. The flow logs are delivered to a log group in CloudWatch Logs called `my-flow-logs`, in account 123456789101, using the IAM role `publishFlowLogs`.

```
aws ec2 create-flow-logs --resource-type TransitGateway --resource-ids tgw-1a2b3c4d --log-group-name my-flow-logs --deliver-logs-permission-arn arn:aws:iam::123456789101:role/publishFlowLogs
```
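The following Python script is an added example, not part of the Amazon documentation or the Amazon CLI itself. It wraps the command above in a small helper that assembles the `aws ec2 create-flow-logs` invocation for one or more transit gateways (rejecting a malformed role ARN or a non-`tgw-` resource ID before anything is sent), and it adds the check a practitioner wants after creation: parsing `aws ec2 describe-flow-logs` output to flag any flow log whose `DeliverLogsStatus` is `FAILED`, which is what you see when the IAM role lacks the CloudWatch Logs permissions or trust relationship mentioned in the prerequisites. The `SAMPLE_DESCRIBE_OUTPUT` document, its flow log IDs and the second transit gateway ID are constructed for this example; the `describe_flow_logs_for` helper is only needed for a live run with credentials.

```python
import json
import re
import subprocess

# Constructed sample of `aws ec2 describe-flow-logs` output for two transit
# gateway flow logs: one delivering normally and one whose IAM role cannot
# write to CloudWatch Logs ("Access error"). IDs and values are made up.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "FlowLogs": [
        {
            "FlowLogId": "fl-0example1111111111",
            "FlowLogStatus": "ACTIVE",
            "ResourceId": "tgw-1a2b3c4d",
            "LogDestinationType": "cloud-watch-logs",
            "LogGroupName": "my-flow-logs",
            "DeliverLogsPermissionArn": "arn:aws:iam::123456789101:role/publishFlowLogs",
            "DeliverLogsStatus": "SUCCESS",
            "MaxAggregationInterval": 60,
        },
        {
            "FlowLogId": "fl-0example2222222222",
            "FlowLogStatus": "ACTIVE",
            "ResourceId": "tgw-5e6f7a8b",
            "LogDestinationType": "cloud-watch-logs",
            "LogGroupName": "my-flow-logs",
            "DeliverLogsPermissionArn": "arn:aws:iam::123456789101:role/wrongRole",
            "DeliverLogsStatus": "FAILED",
            "DeliverLogsErrorMessage": "Access error",
            "MaxAggregationInterval": 60,
        },
    ]
})

# IAM role ARN in any partition (standard, China, GovCloud).
ROLE_ARN_RE = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):iam::\d{12}:role/[\w+=,.@/-]+$")


def build_create_command(tgw_ids, log_group, role_arn, log_format=None):
    """Return the argv for `aws ec2 create-flow-logs`, mirroring the page's
    example. Validates inputs so a typo fails here rather than at the API."""
    if not ROLE_ARN_RE.match(role_arn):
        raise ValueError(f"not an IAM role ARN: {role_arn}")
    if not tgw_ids or not all(t.startswith("tgw-") for t in tgw_ids):
        raise ValueError("resource ids must be transit gateway ids (tgw-...)")
    argv = [
        "aws", "ec2", "create-flow-logs",
        "--resource-type", "TransitGateway",
        "--resource-ids", *tgw_ids,
        "--log-destination-type", "cloud-watch-logs",
        "--log-group-name", log_group,
        "--deliver-logs-permission-arn", role_arn,
    ]
    if log_format:  # custom record format, e.g. "${tgw-id} ${srcaddr} ..."
        argv += ["--log-format", log_format]
    return argv


def find_delivery_problems(describe_output_json):
    """Parse describe-flow-logs JSON and return one finding per flow log that
    is not active or whose delivery to CloudWatch Logs has failed."""
    findings = []
    for fl in json.loads(describe_output_json).get("FlowLogs", []):
        problems = []
        if fl.get("FlowLogStatus") != "ACTIVE":
            problems.append(f"status {fl.get('FlowLogStatus')}")
        if fl.get("DeliverLogsStatus") == "FAILED":
            problems.append("delivery failed: "
                            + fl.get("DeliverLogsErrorMessage", "no message"))
        if problems:
            findings.append({
                "FlowLogId": fl["FlowLogId"],
                "ResourceId": fl.get("ResourceId"),
                "Role": fl.get("DeliverLogsPermissionArn"),
                "Problems": problems,
            })
    return findings


def describe_flow_logs_for(tgw_ids):
    """Live query of the flow logs attached to the given transit gateways.
    Requires Amazon CLI credentials; not used by the offline sample run."""
    out = subprocess.run(
        ["aws", "ec2", "describe-flow-logs", "--filter",
         f"Name=resource-id,Values={','.join(tgw_ids)}"],
        check=True, capture_output=True, text=True)
    return out.stdout


if __name__ == "__main__":
    print(" ".join(build_create_command(
        ["tgw-1a2b3c4d"], "my-flow-logs",
        "arn:aws:iam::123456789101:role/publishFlowLogs")))
    for finding in find_delivery_problems(SAMPLE_DESCRIBE_OUTPUT):
        print(finding)
```

Run it without arguments to see the assembled command and the finding for the constructed failing flow log; for a live check, feed the string returned by `describe_flow_logs_for([...])` into `find_delivery_problems` and treat any finding as a gap in your logging coverage until the role's permissions and trust policy are fixed.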