Enabling Flow Logs

Enable VCN Flow Logs for subnets, instances, load balancers, or network load balancers.

    1. Open the navigation menu, click Networking, and then click Flow logs, found in the Network Command Center group.
    2. Click Enable flow logs.
    3. In the Basic Information panel, enter a name to uniquely identify the flow log. You can edit the name later.
    4. From the Flow log destination list, select a log group or create a new one:
      1. Select Create new log group.
      2. Enter a name to uniquely identify the log group. You can edit the name later.
      3. From the Compartment list, select a compartment.
      4. Optionally, enter a Description to help you identify the log group later.
    5. From the Capture filter list, select a capture filter or create a new one:
      1. Select Create new capture filter.
      2. Enter a name to uniquely identify the capture filter. You can edit the name later.
      3. From the Compartment list, select a compartment.
      4. From the Sampling rate list, select the percentage of network flows to capture. Log information is captured only for that percentage of the traffic on the enablement points.
      5. Create at least one rule.
        Capture filter rules are examined in order and run when matched. When the first match is found, the remaining rules aren't examined or run, so reordering the rules changes the capture filter's behavior. A maximum of ten rules is allowed in a capture filter. See Capture filters and rules for examples of rule behavior.

        Each rule can state whether to include or exclude packets based on the traffic direction (ingress or egress), source or destination IPv4 CIDR or IPv6 prefix of the traffic, or the IP protocol used for the packet (TCP, UDP, ICMP, ICMPv6). Each protocol type offers further options appropriate for that protocol.

      6. Under Show Advanced Options, you can apply tags. If you have permissions to create a resource, you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you're not sure if you should apply tags, skip this option (you can apply tags later) or ask your administrator.
      7. Click Create capture filter.
    6. Click Next.
    7. Click Add enablement points.
    8. In the Add enablement point panel, select an enablement point type.
      • Virtual cloud network captures flow logs for all VNICs in all subnets in a VCN.
      • Subnet captures flow logs for all VNICs in a subnet.
      • Resources lets you capture flow logs for specific instances, network load balancers, or one or more VNICs.
    9. Click Continue.
      1. To enable flow logs for a virtual cloud network, select a VCN from the list.
      2. To enable flow logs for a subnet, select a VCN from the list and then a subnet.
      3. To enable flow logs for a resource, select a resource type from the list. You can choose Instance VNIC, Network load balancer, or VNIC OCID.
      4. If you choose Instance VNIC or Network load balancer:
        • Select a VCN from the list and then a subnet.
        • Select from the list of available resources in the subnet.
        Note: If you don't see the resource you want to enable, be sure you selected the compartment, VCN, and subnet that contains the resource. You can also enable flow logs with one category at a time.
      5. If you choose VNIC OCID, enter an OCID for each VNIC you want to capture flow logs for.
      6. Click Add enablement points.
      7. Click Next.
      8. Review the flow log information, and then click Enable flow logs.
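The first-match rule evaluation described in step 5 decides which flows reach the log, so two capture filters with the same rules in a different order can log different traffic. The following is an added illustration of that semantics, not OCI code; the Rule and Flow field names, the sample rules and the sample flows are constructed for the example, and the page does not define what happens when no rule matches, so the model reports that case as None:

```python
"""Model of the capture-filter semantics documented above (added example, not OCI code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

MAX_RULES = 10  # documented limit on rules per capture filter

@dataclass
class Rule:
    action: str                        # "include" or "exclude"
    direction: Optional[str] = None    # "ingress", "egress", or None for either
    source_cidr: Optional[str] = None  # IPv4 CIDR or IPv6 prefix; None matches any
    dest_cidr: Optional[str] = None
    protocol: Optional[str] = None     # "TCP", "UDP", "ICMP", "ICMPv6"; None matches any

@dataclass
class Flow:
    direction: str
    src: str
    dst: str
    protocol: str

def _in_prefix(addr: str, cidr: Optional[str]) -> bool:
    # ipaddress returns False for an address of a different IP version than the prefix.
    return cidr is None or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)

def matches(rule: Rule, flow: Flow) -> bool:
    return ((rule.direction is None or rule.direction == flow.direction)
            and (rule.protocol is None or rule.protocol == flow.protocol)
            and _in_prefix(flow.src, rule.source_cidr)
            and _in_prefix(flow.dst, rule.dest_cidr))

def capture_decision(rules: list, flow: Flow) -> Optional[str]:
    """Action of the first matching rule; later rules are never examined.
    Returns None when nothing matches (the page defines no default for that case)."""
    if len(rules) > MAX_RULES:
        raise ValueError(f"a capture filter allows at most {MAX_RULES} rules")
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return None

# Constructed rules: skip intra-VCN egress chatter, then log all other TCP flows.
RULES = [
    Rule("exclude", direction="egress", dest_cidr="10.0.0.0/8"),
    Rule("include", protocol="TCP"),
]
# Constructed flows (RFC 1918 and documentation addresses, not real traffic).
EGRESS_INTERNAL = Flow("egress", "10.0.1.5", "10.0.2.9", "TCP")
INGRESS_EXTERNAL = Flow("ingress", "203.0.113.7", "10.0.1.5", "TCP")
```

Evaluating EGRESS_INTERNAL against RULES yields "exclude", while the same rules in reverse order yield "include", which is the reordering effect the step warns about.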
  • Before you can create a flow log, you must first create a log group and a capture filter.

    Use the oci logging log create command and required parameters to create a flow log in a log group:

    oci logging log create --display-name display_name --log-group-id log_group_OCID --log-type SERVICE \
      --is-enabled true --profile profile_name --configuration file://create_log.json [OPTIONS]
    In this example, the flow log configuration information is contained in the specified file create_log.json. For example:
    {
        "compartment-id": "compartment_OCID",
        "source": {
            "resource": "resource_OCID",
            "service": "flowlogs",
            "source-type": "OCISERVICE",
            "category": "subnet",
            "parameters": {
                "capture_filter": "capture_filter_OCID"
            }
        }
    }

    For a complete list of parameters and variable options for CLI commands, see the CLI Command Reference.

  • Before you can create a flow log, you must first create a log group and a capture filter.

    Run the CreateLog operation to create a flow log in a log group. For example:
    POST /api_version/logGroups/log_group_OCID/logs
    <authorization and other headers>
    {
        "displayName": "display_name",
        "logType": "SERVICE",
        "isEnabled": true,
        "configuration": {
            "source": {
                "sourceType": "OCISERVICE",
                "service": "flowlogs",
                "resource": "resource_OCID",
                "category": "subnet",
                "parameters": {
                    "capture_filter": "capture_filter_OCID",
                    "enablementPointType": "Subnet"
                }
            }
        }
    }