@brandond
Last active September 18, 2023 03:41
logstash-grok-pattern-vpc-flow-log
# VPC Flow Log fields
# version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
# http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html#flow-log-records
VPCFLOWLOG %{NUMBER:version:int} %{NUMBER:account-id} %{NOTSPACE:interface-id} %{NOTSPACE:srcaddr} %{NOTSPACE:dstaddr} %{NOTSPACE:srcport:int} %{NOTSPACE:dstport:int} %{NOTSPACE:protocol:int} %{NOTSPACE:packets:int} %{NOTSPACE:bytes:int} %{NUMBER:start:int} %{NUMBER:end:int} %{NOTSPACE:action} %{NOTSPACE:log-status}

@jrask

jrask commented Nov 30, 2016

Great!!


@aleem-99

aleem-99 commented Jul 7, 2018

Thank you very much

@Popsiclestick

You've made me hate life a little less today. Thank you.

@stevebanik-ndsc

This works when all fields are populated, but when values are missing, the grok patterns do not match data in the input.

For example, given this line:

2 843709267542 eni-a1a3e46e - - - - - - - 1544040246 1544040811 - NODATA

the pattern matching fails. Is there a way to account for dashes?

@kabali12345

kabali12345 commented Jan 12, 2020

Hi,
You can use the following pattern for matching both cases:

(?<version>\S+)\s(?<account-id>\S+)\s(?<interface-id>\S+)\s(?<srcaddr>\S+)\s(?<dstaddr>\S+)\s(?<srcport>\S+)\s(?<dstport>\S+)\s(?<protocol>\S+)\s(?<packets>\S+)\s(?<bytes>\S+)\s(?<start>\S+)\s(?<end>\S+)\s(?<action>\S+)\s(?<log-status>\S+)

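One way to handle the dash placeholders on the consumer side rather than in grok, as an added Python example that is not part of the gist or of these comments: it keeps the same 14-field order as the gist, matches the same shape as the \S+ pattern above, treats "-" as null, and converts the numeric fields only when a value is present, so NODATA records are counted instead of showing up as grok failures. The NODATA line is the one quoted in the question; the ACCEPT record and its account id are constructed.

```python
import re

# Field order of the default (version 2) VPC flow log record, as listed in the gist.
FIELDS = ("version", "account-id", "interface-id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log-status")
INT_FIELDS = {"version", "srcport", "dstport", "protocol",
              "packets", "bytes", "start", "end"}

# Same shape as the \S+ grok pattern from the comment above: 14 non-space
# runs separated by single spaces, so "-" placeholders still match.
RECORD_RE = re.compile(r"^\S+(?: \S+){13}$")

# Constructed sample input: the NODATA line quoted in the question and a
# constructed ACCEPT record (RFC 1918 addresses, made-up account id).
SAMPLE_LINES = [
    "2 843709267542 eni-a1a3e46e - - - - - - - 1544040246 1544040811 - NODATA",
    "2 123456789012 eni-0abc1234 10.0.1.5 10.0.2.7 443 51234 6 12 3456 1544040246 1544040306 ACCEPT OK",
]

def parse_flow_log(line):
    """Parse one record into a dict. '-' becomes None; numeric fields become
    int only when a value is present. Returns None when the line does not
    have the 14-field layout or a numeric field holds a non-number."""
    if not RECORD_RE.match(line):
        return None
    rec = {}
    for name, value in zip(FIELDS, line.split(" ")):
        if value == "-":
            rec[name] = None
        elif name in INT_FIELDS:
            try:
                rec[name] = int(value)
            except ValueError:
                return None
        else:
            rec[name] = value
    return rec

def summarize(lines):
    """Count records by log-status so NODATA/SKIPDATA gaps stay visible
    instead of being dropped silently as parse failures."""
    counts = {}
    for line in lines:
        rec = parse_flow_log(line)
        key = rec["log-status"] if rec else "_grokparsefailure"
        counts[key] = counts.get(key, 0) + 1
    return counts
```
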
@dpricha89

Thank you!

@alicansaykal

Gr8 job m8

@infa-ddeore

infa-ddeore commented Jul 24, 2023

For the latest VPC flow logs format, I am using the pattern below:

%{NUMBER:version:int} %{NOTSPACE:vpc-id} %{NOTSPACE:region} %{NOTSPACE:subnet-id} %{NOTSPACE:instance-id} %{NOTSPACE:interface-id} %{NUMBER:account-id} %{NOTSPACE:type} %{NOTSPACE:srcaddr} %{NOTSPACE:dstaddr} %{NOTSPACE:srcport:int} %{NOTSPACE:dstport:int} %{NOTSPACE:pkt-srcaddr} %{NOTSPACE:pkt-dstaddr} %{NOTSPACE:protocol:int} %{NOTSPACE:bytes:int} %{NOTSPACE:packets:int} %{NUMBER:start:int} %{NUMBER:end:int} %{NOTSPACE:action} %{NOTSPACE:tcp-flags} %{NOTSPACE:log-status}

@0x7A74626C77

0x7A74626C77 commented Sep 5, 2023

An update to this for version 5:

%{NUMBER:version:int} %{NUMBER:account-id} %{NOTSPACE:interface-id} %{NOTSPACE:srcaddr} %{NOTSPACE:dstaddr} %{NOTSPACE:srcport:int} %{NOTSPACE:dstport:int} %{NOTSPACE:protocol:int} %{NOTSPACE:packets:int} %{NOTSPACE:bytes:int} %{NUMBER:start:int} %{NUMBER:end:int} %{NOTSPACE:action} %{NOTSPACE:log-status} %{NOTSPACE:vpc-id} %{NOTSPACE:subnet-id} %{NOTSPACE:instance-id} %{NOTSPACE:tcp-flags} %{NOTSPACE:type} %{NOTSPACE:pkt-srcaddr} %{NOTSPACE:pkt-dstaddr} %{NOTSPACE:region} %{NOTSPACE:az-id} %{NOTSPACE:sublocation-type} %{NOTSPACE:sublocation-id} %{NOTSPACE:flow-direction} %{GREEDYDATA:other}
