VCN Flow Logs

This topic describes the contents of VCN flow logs and how to set up flow logs for resources in your VCN.

Highlights

  • VCN flow logs show details about traffic that passes through your VCN.
  • VCN flow logs help you audit traffic and troubleshoot your security lists.
  • Flow logs are enabled and managed using the Logging service. For more information, see Logging Overview.
  • Flow logs can be generated from VNICs, PEs, and RCEs. For PEs and RCEs, the records appear as if they came from the VNIC associated with the PE or RCE.

Overview of Flow Logs

Each instance in a VCN has one or more Virtual Network Interface Cards (VNICs). The Networking service uses Security Lists to determine what traffic is allowed through a given VNIC. The VNIC is subject to all rules in all security lists associated with the VNIC's subnet.

To help you troubleshoot your security lists or audit the traffic in and out of your VNICs, you can set up VCN flow logs. Flow logs record details about traffic that has been accepted or rejected based on the security list rules.

How Flow Logs Are Enabled and Delivered

Flow logs are enabled and managed using the Logging service. You can enable flow logs for a given subnet, which means traffic is logged for all the existing and future VNICs in that subnet. Each flow log record contains information about traffic for a single VNIC. Here are the general steps for setting up flow logs:

  1. Enable flow logs for the subnet: VCN flow logs are enabled for a subnet using the Logging service.
  2. View the subnet's flow logs: Assuming there is traffic for the given subnet, it can take up to 10 minutes for the first flow logs to be delivered. Then you receive batches of flow logs every minute.

After flow logs are enabled for a subnet, a batch of flow logs for each VNIC is collected in one-minute capture windows. It takes under eight minutes to process a batch, after which the flow logs are available for viewing.

Flow Log Contents

Each flow log record reflects logged traffic in one direction of a connection between two endpoints. For example, for a single TCP connection, you may have two records in the capture window: one for ingress traffic, and the other for egress traffic.

For more information about flow log contents, examples, and limitations and other considerations, see Details for VCN Flow Logs.
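
The one-record-per-direction layout described above is easy to misread when you are hunting for a missing security list rule, because the ACCEPT for one direction and the REJECT for the other land as separate records. The script below pairs the two directions of a connection back together and lists which direction was rejected. It is an added example, not code from this documentation or from the Logging service. The record layout it reads (a JSON object whose "data" member carries sourceAddress, sourcePort, destinationAddress, destinationPort, protocol, action, packets and bytesOut) is an assumption modelled on OCI flow log records and is not taken from this page; confirm the field names against Details for VCN Flow Logs before using it on real logs. The VNIC private IP and all sample records are constructed.

```python
"""Pair one-directional VCN flow log records into per-connection summaries.

Added example, not code from the OCI documentation or the Logging service.
ASSUMPTION: the field names under "data" are modelled on OCI flow log
records but are not confirmed by this page; check them against
"Details for VCN Flow Logs". All sample records below are constructed.
"""
import json
from collections import defaultdict

VNIC_IP = "10.0.1.5"  # assumed private IP of the VNIC whose records we read


def make_record(src, sport, dst, dport, action, packets, nbytes, proto=6):
    """Build one constructed record in the assumed shape (real ones carry more fields)."""
    return json.dumps({"data": {
        "sourceAddress": src, "sourcePort": sport,
        "destinationAddress": dst, "destinationPort": dport,
        "protocol": proto, "action": action,
        "packets": packets, "bytesOut": nbytes}})


# Constructed records for one capture window on VNIC 10.0.1.5:
#  - an SSH session logged twice (ingress and egress records, both ACCEPT)
#  - an inbound RDP attempt that no rule allows (REJECT)
#  - an outbound Postgres connection whose reply packets are rejected
SAMPLE_LINES = [
    make_record("203.0.113.10", 51000, VNIC_IP, 22, "ACCEPT", 12, 1900),
    make_record(VNIC_IP, 22, "203.0.113.10", 51000, "ACCEPT", 10, 2600),
    make_record("198.51.100.7", 40000, VNIC_IP, 3389, "REJECT", 3, 180),
    make_record(VNIC_IP, 45000, "10.0.2.9", 5432, "ACCEPT", 6, 700),
    make_record("10.0.2.9", 5432, VNIC_IP, 45000, "REJECT", 4, 240),
]


def parse_record(line):
    """Extract the fields this script uses from one JSON log line."""
    d = json.loads(line)["data"]
    return {"src": d["sourceAddress"], "sport": int(d["sourcePort"]),
            "dst": d["destinationAddress"], "dport": int(d["destinationPort"]),
            "proto": int(d["protocol"]), "action": d["action"],
            "packets": int(d["packets"]), "bytes": int(d["bytesOut"])}


def classify(rec, vnic_ip):
    """Return (direction, connection key) for a record as seen from the VNIC.

    The key (remote_ip, remote_port, local_port, protocol) is identical for
    both directions of one connection, so ingress and egress records pair up.
    """
    if rec["dst"] == vnic_ip:
        return "ingress", (rec["src"], rec["sport"], rec["dport"], rec["proto"])
    if rec["src"] == vnic_ip:
        return "egress", (rec["dst"], rec["dport"], rec["sport"], rec["proto"])
    raise ValueError(f"record does not involve VNIC {vnic_ip}: {rec}")


def summarize_flows(lines, vnic_ip):
    """Fold one-directional records into one entry per connection."""
    flows = defaultdict(lambda: {"ingress": None, "egress": None,
                                 "packets": 0, "bytes": 0})
    for line in lines:
        rec = parse_record(line)
        direction, key = classify(rec, vnic_ip)
        flows[key][direction] = rec["action"]
        flows[key]["packets"] += rec["packets"]
        flows[key]["bytes"] += rec["bytes"]
    return dict(flows)


def rejected_flows(flows):
    """List (direction, connection) pairs with a REJECT, sorted for stable output.

    The direction tells you which side of the security list rules to look at
    for the VNIC's subnet: ingress rules for an ingress REJECT, egress rules
    for an egress REJECT.
    """
    hits = []
    for key, f in sorted(flows.items()):
        for direction in ("ingress", "egress"):
            if f[direction] == "REJECT":
                hits.append((direction, key))
    return hits


if __name__ == "__main__":
    flows = summarize_flows(SAMPLE_LINES, VNIC_IP)
    for key, f in sorted(flows.items()):
        print(key, f)
    for direction, key in rejected_flows(flows):
        print(f"REJECT on {direction}: remote {key[0]}:{key[1]} "
              f"<-> local port {key[2]} proto {key[3]}")
```

Run it as-is to see the constructed window; point `SAMPLE_LINES` at lines exported from the Logging service (one JSON record per line) and set `VNIC_IP` to the VNIC's private IP to use it on real data. Records that involve neither address of the VNIC raise rather than being silently dropped, so a wrong `VNIC_IP` is caught on the first record instead of producing an empty report.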

Managing Flow Logs

Flow log management tasks such as disabling logs, deleting logs, and editing logs are performed using the Logging service. For more information on log management, see Managing Logs and Log Groups.

Use VCN Flow Logs to Audit Traffic and Troubleshoot Security Lists

To record details about traffic that passes to and from destinations in your VCN, enable flow logs for a given subnet. Once enabled, flow logs capture traffic for all existing and future VNICs attached to compute instances in that subnet.

Flow logs are enabled and managed using the Logging service. For more information, see Logging Overview.