Measures reported by AWSFlwLogSourceTest
VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC (Virtual Private Cloud).
Using flow logs, you can easily troubleshoot why specific traffic is not reaching an instance, which in turn can help diagnose overly restrictive security group rules. You can also use flow logs as a security tool to monitor the traffic that is reaching your instance, to profile your network traffic, and to look for abnormal traffic behaviors. A common use of these flow log records is to watch for abnormal and unexpected denied outbound connection requests, which could be an indication of a misconfigured or compromised EC2 instance.
To provide administrators with quick and useful insights into network traffic on VPCs, and to enable them to promptly identify and take action against abnormal traffic, the eG agent periodically reads flow logs and reports network traffic metrics. For this, the eG agent runs the following Flow Log tests:
The AWSFlwLogSourceTest test, for instance, automatically discovers the network interfaces handling traffic on the VPCs, and reports the following for each discovered interface:
In the event of network congestion on an interface, these source-wise statistics can help administrators accurately pinpoint which destination is probably contributing to the congestion.
If the detailed diagnostic capability of the test is enabled, then the eG agent will additionally provide deep-dive insights into the traffic by listing the top-10 flows for a source in terms of the data transferred. If the traffic from a source is abnormally high, then the detailed diagnostics will reveal:
Has the source been transmitting a large amount of data consistently or is it just a momentary spike in traffic?
Are transmissions to any particular destination significantly higher than the rest? If so, which one?
How often have network policies/security groups rejected the data sent by the source?
For the AWSFlwLogSourceTest test to run, the following pre-requisites should be fulfilled:
You should first create flow logs. To create a flow log, you specify the resource for which you want to create the flow log (VPC, subnet, or network interface), the type of traffic to capture (accepted traffic, rejected traffic, or all traffic), the name of a log group in CloudWatch Logs to which the flow log will be published, and the ARN of an IAM role that has sufficient permission to publish the flow log to the CloudWatch Logs log group.
After the flow logs are created, the flow data will be collected and published to the CloudWatch Logs log group that was specified during flow log creation. To enable the eG agent to read these logs, you need to make sure that the flow logs are exported to Amazon S3.
Outputs of the test: One set of results for each destination receiving traffic from every interface of a region.
First-level descriptor: AWS Region
Second-level descriptor: Interface name
Third-level descriptor: Source IP address
The measures made by this test are as follows:
| Measurement | Description | Measurement Unit | Interpretation |
|---|---|---|---|
| Packet_trans | Indicates the number of packets transferred by this source. | KB | Compare the value of this measure across sources to know which source is generating the maximum traffic. You can then use the detailed diagnosis of this measure to view the complete details of the top-10 flows for that source, in terms of the amount of data transferred. The details include the Source IP Address, Source Port, Destination IP Address, Destination Port, Packets Transferred, Data transferred, and Log status of each flow. From the Log status, you can quickly figure out whether the traffic handled by the flow was accepted by security groups/network policies or rejected. If many flows from a source are rejected, you may have to investigate the reasons for the same, so that you do what is necessary to minimize or completely eliminate rejections. |
| Data_trans | Indicates the amount of data transferred by this source. | KB | Compare the value of this measure across sources to know which source is generating the maximum traffic. |
| Traffic_Data | Indicates what percentage of the total data to this interface was sent by this source. | Percent | A value close to 100% for a source indicates that almost all of the data handled by the interface was sent by that source. By comparing the value of this measure across sources, you can identify which source is hogging the bandwidth resources. |
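The following is an added illustration, not eG Innovations' code, of how the three measures above and the detailed-diagnosis view (top-10 flows per source, with reject counts) can be derived from default-format VPC Flow Log records; the interface IDs, addresses and byte counts in SAMPLE_LOG are constructed sample data.

```python
from collections import defaultdict

# Field order of the default (version 2) VPC Flow Log record format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records: two sources on one interface, plus a NODATA row.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 443 51422 6 120 180000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.21 443 51423 6 10 12000 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.11 10.0.2.20 22 51000 6 5 4000 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.11 10.0.2.22 22 51001 6 3 2000 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_records(text):
    """Yield one dict per usable record; NODATA/SKIPDATA rows carry no flow fields."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed or custom-format line, ignore
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        rec["packets"] = int(rec["packets"])
        rec["bytes"] = int(rec["bytes"])
        yield rec


def source_measures(text):
    """Per (interface, source IP): Packet_trans, Data_trans (KB), Traffic_Data (%),
    number of rejected flows and the top-10 flows by bytes (detailed diagnosis)."""
    flows = defaultdict(list)
    for rec in parse_records(text):
        flows[(rec["interface_id"], rec["srcaddr"])].append(rec)
    iface_total = defaultdict(int)  # bytes seen per interface, for the percentage
    for (eni, _), recs in flows.items():
        iface_total[eni] += sum(r["bytes"] for r in recs)
    result = {}
    for (eni, src), recs in flows.items():
        data = sum(r["bytes"] for r in recs)
        result[(eni, src)] = {
            "Packet_trans": sum(r["packets"] for r in recs),
            "Data_trans_kb": data / 1024,
            "Traffic_Data_pct": 100.0 * data / iface_total[eni] if iface_total[eni] else 0.0,
            "rejected_flows": sum(r["action"] == "REJECT" for r in recs),
            "top_flows": sorted(recs, key=lambda r: r["bytes"], reverse=True)[:10],
        }
    return result
```

A source whose flows are mostly REJECT while its Traffic_Data share is small is the pattern the page describes as worth investigating.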