Configure AWS VPC Flow Logs
VPC Flow Logs is a capability offered by cloud providers, enabling their customers to monitor and record traffic that enters and exits their Virtual Private Cloud (VPC), subnet, or network interface within the Cloud Provider. SolarWinds Observability SaaS enables you to forward AWS VPC Flow Logs to our observability platform using a simple, automated setup. By leveraging AWS Lambda and a provided CloudFormation template, you can quickly configure log streaming from multiple AWS regions and accounts.
How VPC Flow ingestion works
To monitor network flows from a given VPC in your AWS account, you will need to set up IP traffic logging. We currently support CloudWatch log groups as a target.
To integrate log groups with SolarWinds Observability SaaS, you'll need to deploy a Lambda function to your environment. The Lambda function is triggered when logs are ingested into CloudWatch; it parses each log record and forwards it to the SolarWinds Observability SaaS OTel API. We provide a CloudFormation template to ease the onboarding process.
Once forwarding is set up, the following metrics are supported:
- AWS.VPC.Flows.Bytes
- AWS.VPC.Flows.Packets
All tags up to version 10 are supported. For details, see Flow log records in Amazon documentation.
VPC Flow ingestion
- Make sure your AWS account is connected to SolarWinds Observability SaaS. If you have not connected an AWS account, select Add data > Infrastructure > AWS services. If you already have an AWS account connected, navigate to Edit cloud account.
- Within the wizard, ensure that the Polling option is selected under Basic settings. Transferring VPC Flow Logs is only available with Polling at this time; Streaming is not currently supported.
- Select the region(s) from which to collect VPC Flow Logs by continuing through the wizard.
- For each region, configure log forwarding under the Logs tab.
- All available AWS regions associated with your account will be shown, and you can see whether the Lambda function or CloudFormation stack is already configured to forward logs for each region. If a region is not yet configured, start the setup by clicking Configure in AWS, which launches the CloudFormation template. To configure log integration for multiple regions, repeat the process separately for each region; each region is currently limited to a single CloudFormation template. You can enable monitoring for multiple log groups manually in your AWS account.
- When prompted, provide the necessary information for CloudFormation stack setup:

| Variable name | Description |
|---|---|
| ApiToken | The API ingestion token for your SolarWinds Observability tenant. Copy and paste it from the Logs screen of the AWS Cloud Account wizard or from the API Tokens page in Settings. For security reasons, we cannot pass the token via URL parameters. |
| OtIpEndpoint | OTLP telemetry data ingestion endpoint address. See Data centers and endpoint URIs. |
| VpcFlowLogGroupActionType | Select whether to create a new log group or use an existing one. Select Do not create/use if you do not want the CloudWatch log group to be created for VPC Flow Logs monitoring. |
| VpcFlowLogGroupName | The name of the AWS CloudWatch log group the VPC Flow Logs will be created from or associated with. This depends on the selection for VpcFlowLogGroupActionType. If you are using an existing log group, this is the name of the log group where a Lambda subscription filter will be created. A single log group can have a maximum of two subscription filters; if you choose an existing log group, make sure it does not already have more than one subscription filter assigned. |
| CloudTrailLogGroupActionType | Select whether to create a new log group or use an existing one for CloudTrail logs. Select Do not create/use if you do not want the CloudWatch log group to be created for CloudTrail logs monitoring. |
| CloudTrailLogGroupName | The name of the AWS CloudWatch log group for CloudTrail logs to be created for or associated with. This depends on the selection for CloudTrailLogGroupActionType. If you are using an existing log group, this is the name of the log group where a Lambda subscription filter will be created. A single log group can have a maximum of two subscription filters; if you choose an existing log group, make sure it does not already have more than one subscription filter assigned. |
| CloudTrailLogGroupRetentionInDays | The number of days for which CloudTrail logs will be retained. |

- When deployed, the CloudFormation stack provisions resources as follows:
  - Creates new log groups or uses existing ones, as selected.
  - Deploys a Lambda function and configures it to trigger on new or existing log data.
  - Configures the Lambda function to securely forward log data to your specified OTel collector endpoint.
- If you created a new log group or chose an existing log group that does not have VPC Flow Logs configured, you must manually configure VPC Flow Logs to send data to it:
  - In the AWS console, navigate to VPC details > Flow Logs > Create a new Flow Log.
  - Set Destination to Send to CloudWatch Logs, then select the required log group for Destination log group.
  - Select a log record format. AWS supports a default format and a custom format. For more information, see VPC Flow Log record format.
- After setup is complete, your VPC Flow Logs from the selected AWS regions will stream to our platform. You can access and analyze your logs in the Flow tab of your AWS account view.
VPC Flow Log record format
AWS VPC Flow Logs support a default format and a custom format. The selected format determines which fields are included in each log record and cannot be changed after the flow log is created.
Default format
The default format is the AWS standard VPC Flow Log configuration. It includes 14 mandatory version 2 (V2) fields required for network traffic analysis. This format is automatically recognized and processed with optimized performance.
Default format fields
${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} ${action} ${log-status}
| Field | Description | Example |
|---|---|---|
| version | VPC Flow Log version | 2 |
| account-id | AWS account ID | 123456789012 |
| interface-id | Network interface ID | eni-1235b8ca123456789 |
| srcaddr | Source IP address | 172.31.16.139 |
| dstaddr | Destination IP address | 172.31.16.21 |
| srcport | Source port | 20641 |
| dstport | Destination port | 22 |
| protocol | IANA protocol number | 6 (TCP) |
| packets | Number of packets | 20 |
| bytes | Number of bytes | 4249 |
| start | Start time (Unix seconds) | 1418530010 |
| end | End time (Unix seconds) | 1418530070 |
| action | Traffic action | ACCEPT or REJECT |
| log-status | Logging status | OK, NODATA, or SKIPDATA |
Creating flow logs using the default format
See Create a flow log that publishes to CloudWatch Logs.
When creating the VPC Flow Log in the AWS console:
- Set Log record format to AWS default format.
- Do not enable Include Amazon ECS metadata.
- Complete the remaining flow log configuration as described in the setup instructions.
Performance considerations
The Lambda function uses an optimized parser for default format logs.
For high-volume environments, the default format provides lower latency and reduced processing costs.
Custom format
Custom format allows you to select additional fields beyond the default format.
Custom format requirements
All custom formats must meet the following requirements:
- All 14 mandatory V2 fields listed in the default format must be included.
- Mandatory fields can appear in any order, but all must be present.
- If any mandatory field is missing, the Lambda function rejects the log record.
- When multiple VPC Flow Logs write to the same CloudWatch log group, all of them must use the same format.
Additional available fields
Beyond the mandatory V2 fields, you can include optional fields up to version 10. Refer to Flow log records - Amazon Virtual Private Cloud in AWS documentation for a complete list of supported fields.
Example custom formats
- Default format with VPC and subnet information:
  ${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} ${action} ${log-status} ${vpc-id} ${subnet-id}
  Use case: Track which VPC and subnet traffic is flowing through.
- Default format with regional information:
  ${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} ${action} ${log-status} ${region} ${az-id}
  Use case: Monitor traffic distribution across regions and availability zones.
- Default format with ECS metadata:
  ${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} ${action} ${log-status} ${ecs-cluster-name} ${ecs-service-name} ${ecs-task-id}
  Use case: Track network traffic for ECS services and tasks.
- Comprehensive format:
  ${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} ${action} ${log-status} ${vpc-id} ${subnet-id} ${instance-id} ${region} ${az-id} ${flow-direction}
  Use case: Maximum observability for production environments.
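The mandatory-field rule and the format strings above can be checked mechanically. The following Python parser is an added example, not the SolarWinds Lambda code: it turns a default or custom format string into a field list, rejects any format that lacks one of the 14 V2 fields (with the same error wording used in the Troubleshooting section), and maps a space-separated record onto those fields. The sample record is constructed from the example values in the default-format table; the regex and the integer-field set are assumptions of this example.

```python
"""Parse VPC Flow Log records against a default or custom format string.

Added example, not the SolarWinds Lambda code. It assumes the format string
passed in is the one configured on the flow log, and the sample record is
constructed from the example values in the default-format table above.
"""
import re

DEFAULT_FORMAT = (
    "${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} "
    "${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} "
    "${end} ${action} ${log-status}"
)
# The 14 mandatory version 2 fields, in default-format order.
MANDATORY_V2_FIELDS = re.findall(r"\$\{([a-z-]+)\}", DEFAULT_FORMAT)
INT_FIELDS = {"version", "srcport", "dstport", "protocol",
              "packets", "bytes", "start", "end"}

SAMPLE_RECORD = ("2 123456789012 eni-1235b8ca123456789 172.31.16.139 "
                 "172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 "
                 "ACCEPT OK")


def parse_format(fmt):
    """Return the field names in a format string, or raise if a V2 field is missing."""
    fields = re.findall(r"\$\{([a-z0-9-]+)\}", fmt)
    for required in MANDATORY_V2_FIELDS:
        if required not in fields:
            # Same rejection the Troubleshooting section describes.
            raise ValueError("Custom format must include all V2 default fields. "
                             f"Missing required field: '{required}'")
    return fields


def parse_record(line, fields):
    """Map one space-separated record onto the field names of its format."""
    values = line.split()
    if len(values) != len(fields):
        raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
    record = {}
    for name, value in zip(fields, values):
        if value == "-":
            # NODATA / SKIPDATA records carry '-' where there is no value.
            record[name] = None
        elif name in INT_FIELDS:
            record[name] = int(value)
        else:
            record[name] = value
    return record
```

Because the field list is derived from the format string, the parser accepts mandatory fields in any order, which is exactly what the custom format requirements allow.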
Creating flow logs using a custom format
See Create a flow log that publishes to CloudWatch Logs.
When creating the VPC Flow Log in the AWS console:
- Set Log record format to Custom format.
- Select all mandatory V2 fields.
- Add optional fields as required.
- Complete the remaining flow log configuration as described in the setup instructions.
Changing the flow log format
Flow log formats cannot be modified after creation.
To change the format:
- Delete the existing flow log.
- Create a new flow log with the required format.
Deleting a flow log does not delete previously captured data in CloudWatch Logs.
Best practices
Format selection
- For better performance, use the default format when you don't require additional fields.
- Use a custom format only when specific additional fields are needed.
- Always include all 14 mandatory V2 fields in custom formats.
Field selection
- Include only fields that are required for analysis.
- More fields increase log size and CloudWatch Logs costs.
Performance and cost considerations
- Default format is processed faster by the Lambda function.
- Custom formats increase memory usage and processing time.
- Higher field counts increase CloudWatch Logs storage costs.
- Use log retention policies to control long-term storage costs.
Verify your configuration
After creating a flow log:
- Wait 5-10 minutes for logs to appear.
- In CloudWatch, navigate to Log groups and locate the configured log group.
- Open a log stream and verify that log entries match the expected format.
- Confirm all mandatory fields are present.
Reconfiguring the VPC Flow Logs integration
There are two options to reconfigure an existing Lambda function for VPC Flow Logs integration:
- Manual reconfiguration
  - Navigate to the Lambda function. This can be done in the AWS console directly or via the platform through AWS account view > Edit account > Flow tab > Region > Update in AWS.
  - In the Lambda function, navigate to Configuration > Triggers. Here you can add log groups with VPC Flow Logs, specify a CloudTrail log group, or remove an existing log group from the triggers if no longer needed.
- Automatic reconfiguration using CloudFormation
  - Within the AWS console, navigate to CloudFormation Stacks, and select the stack responsible for your configuration. Select Update stack > Change set > Use existing template or start a direct upgrade.
  - You will be redirected to a form populated with the previously-used parameters. Make the necessary changes, then review and verify all changes. After submitting, wait for the change set to be available for preview, then select Execute change set. Changes may take a few minutes to propagate. Always review the AWS limits on Lambda triggers and log group subscription filters before making changes.
Removing or deleting the integration
The following steps will allow you to remove all resources created by the CloudFormation template:
- In the AWS console, navigate to the CloudFormation service. Select the stack that was used for your VPC Flow Logs integration.
- Select Delete, then confirm the deletion when prompted.
Flows tab
Flow logs data is available in Infrastructure > AWS > AWS account info > Flows.
Sankey chart
The Sankey chart provides a visual representation of the network traffic flows. It displays the top ten entries based on a combination of the following:
- Source address
- Protocol
- Action
- Destination port
All other entries are grouped under the Other category for clarity. Hover over any flow in the chart to view details of that traffic path.
Top 10 widgets
Users can view the top ten accepted or rejected traffic by interface as well as the top five ingress and egress traffic by subnet.
Flow logs table
Users can see all VPC Flow Logs records and filter them using smart search.
Performance
Since VPC Flow Logs can generate a large volume of data, especially in high-traffic environments, the AWS Lambda function may encounter the following resource limitations:
- Memory constraints (maximum of 10 GB).
- Maximum execution duration of 15 minutes.
- Limits on concurrent executions.
- Network issues reaching the SolarWinds Observability SaaS OTel endpoint.
These constraints can lead to function failures, throttling, or incomplete log processing. While these cannot be monitored in SolarWinds Observability SaaS, you can use CloudWatch logs to monitor failures.
Mitigation strategies
The following strategies should be implemented on the customer's AWS side and may require additional costs:
- Continuously monitor resource utilization using AWS CloudWatch metrics.
- Increase the allocated memory to enhance CPU performance, as CPU power scales with memory in Lambda.
- Utilize AWS Step Functions or Amazon SQS to partition large workloads into smaller, more manageable tasks, enabling scalable and resilient processing.
- Use AWS Lambda reserved concurrency to limit the number of simultaneous executions.
- Consider filtering logs at the CloudWatch subscription level to reduce the volume of logs sent to the Lambda function.
Troubleshooting
Missing mandatory fields
Error: Custom format must include all V2 default fields. Missing required field: 'X'
Resolution: Update the custom format to include the missing field.
No logs appearing
Possible causes:
- IAM role lacks required permissions
- No traffic on the monitored resource
- Aggregation interval has not elapsed
- Log group configuration is incorrect
Resolution: Verify IAM permissions, confirm traffic exists, and check the log group configuration.
Performance issues
Symptoms:
- Increased Lambda execution time
- Higher processing costs
Resolution:
- Switch to the default format if custom fields are not required
- Remove unnecessary fields from the custom format