Configure data collection using VPC Flow Logs

Enable Service Mapping to perform traffic-based discovery using data collected from Amazon Virtual Private Cloud (VPC) Flow Logs. This method applies to organizations that run workloads on Amazon Web Services (AWS).

Before you begin

Role required: admin or sm_admin

About this task

In the base system, traffic-based discovery uses only TCP connection data collected with the netstat and lsof commands on the discovered hosts. Discovery based on NetFlow or VPC Flow Logs requires additional configuration. You can enrich traffic-based discovery by configuring Service Mapping to read VPC Flow Logs, which also reveals connections from hosts that Service Mapping cannot log in to. For more information about the Service Mapping discovery flow based on VPC Flow Logs, see Data collection and discovery using VPC Flow Logs.

Amazon Elastic Compute Cloud (EC2) instances run inside an Amazon VPC. VPC Flow Logs record metadata about the IP traffic going to and from the network interfaces in the VPC: source and destination addresses and ports, the IP protocol, packet and byte counts, and whether the traffic was accepted or rejected. They do not capture packet payloads, so the connector only learns which endpoints talk to each other, not what they exchange.

Procedure

  1. Configure VPC Flow Logs for the VPC as described in http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html. Publish the flow logs to a CloudWatch Logs log group: the verification in step 3 and the connector's Group name field both refer to that log group, not to an S3 destination.
  2. On the server hosting the MID Server, install and set up the AWS Command Line Interface. For details, see Installing the AWS Command Line Interface and Configuring the AWS Command Line Interface. Configure the CLI with credentials scoped to read access on the flow log group only (for example, the CloudWatch Logs actions logs:DescribeLogStreams and logs:GetLogEvents on that log group); the connector does not need to write to AWS, and credentials stored on the MID Server host should not grant more than the collection requires.
  3. Verify that you have configured VPC Flow Logs correctly:
    1. Open the command line window.
    2. Enter this command:
      aws logs describe-log-streams --log-group-name <replace with the group name>
    3. Check that the log group and its log streams appear in the output. An empty logStreams list means that no network interface has delivered flow records to the group yet, so the connector would have nothing to collect; an AccessDeniedException or ResourceNotFoundException means the CLI credentials or the group name are wrong.

      Figure: Verify the log group and log stream.
  4. Configure Service Mapping to work with VPC Flow Logs:
    1. Navigate to Service Mapping > Administration > Flow Connectors.
    2. Click New.
    3. Click AWS VPC flow logs.
    4. On the AWS VPC flow logs page, configure the connector parameters as follows:
      Field Description
      Name A descriptive name for the connector.
      Group name The name of the CloudWatch Logs log group to which the VPC Flow Logs are published (the same group name used in step 3).
      MID Server The MID Server on which you installed the AWS Command Line Interface.
    5. Click Submit.
  5. Verify that Service Mapping collects data using VPC Flow Logs:
    1. On the AWS VPC flow logs form, select the newly configured connector and click Run now to start the data collection flow and populate the Flow Connection [sa_flow_connection] table. Collection runs on the MID Server you selected, using the AWS CLI credentials configured there.
    2. Navigate to System Definitions > Tables.
    3. Click the Flow Connection [sa_flow_connection] table.
    4. Under Related Links, click Show List.
    5. Verify that the table contains data.
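The following script is an added example, not code from ServiceNow or AWS, that ties steps 3 and 5 together: it wraps the same describe-log-streams check as step 3 in a function that fails when the group has no streams, and it shows which flow records can yield a Flow Connection entry at all. Only accepted TCP flows carry a usable connection; rejected traffic, UDP, and NODATA records do not. The record layout is the default VPC Flow Logs format (version 2, 14 space-separated fields). The sample records are constructed, the account ID and interface ID are placeholders, and the live check runs only when a log group name is passed on the command line, because it needs the AWS CLI and credentials on the MID Server host.

```shell
#!/bin/sh
# Added example (not ServiceNow's or AWS's code).
# Default VPC Flow Logs fields, by position:
#  1 version  2 account-id  3 interface-id  4 srcaddr  5 dstaddr
#  6 srcport  7 dstport  8 protocol  9 packets  10 bytes
# 11 start   12 end       13 action   14 log-status

# Same check as step 3 of the procedure, but fails unless the group has
# at least one stream. Requires the AWS CLI and credentials on this host.
verify_log_group() {
  group="$1"
  count=$(aws logs describe-log-streams --log-group-name "$group" \
            --query 'length(logStreams)' --output text) || return 1
  [ "$count" -gt 0 ] 2>/dev/null
}

# Keep only records describing an accepted TCP flow (protocol 6) with a
# normal log status, and print "srcaddr:srcport -> dstaddr:dstport bytes".
# Everything else (REJECT, UDP, NODATA/SKIPDATA) has no connection to map.
tcp_connections() {
  awk '$1 == "2" && NF == 14 && $8 == 6 && $13 == "ACCEPT" && $14 == "OK" {
         printf "%s:%s -> %s:%s %s\n", $4, $6, $5, $7, $10
       }'
}

# Constructed sample records; account and interface IDs are placeholders.
SAMPLE_RECORDS='2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.10 10.0.2.20 49152 443 6 12 3456 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.10 10.0.2.21 49153 53 17 2 180 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.10 40000 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000060 - NODATA'

# Live check against CloudWatch Logs, only when a group name is supplied.
if [ -n "$1" ]; then
  if verify_log_group "$1"; then
    echo "log group $1 has at least one stream"
  else
    echo "no streams found in log group $1 (or access denied)"
  fi
fi

# Offline demonstration on the constructed records.
printf '%s\n' "$SAMPLE_RECORDS" | tcp_connections
```

Run it as `sh check_flow_logs.sh <log group name>` on the MID Server host to exercise the live check; without an argument it only filters the sample records. Of the four constructed records, only the first (an accepted TCP flow to port 443) survives the filter, which is the same kind of record the connector turns into a row in sa_flow_connection.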