IBM Cloud Docs
Creating a flow log collector

You can order and provision a flow log collector for a specific Virtual Private Cloud (VPC), subnet, instance, or interface. Before you begin, make sure that you review the use cases that are listed in About flow logs and satisfy the following prerequisites.

When you provision a flow log collector, keep in mind that the finest granularity wins: where collectors at different levels overlap, the one on the most specific target applies.

Prerequisites in the UI

Before you create a flow log collector, make sure that you meet the following prerequisites:

  1. Make sure that at least one VPC, a subnet, and a virtual server instance exist. For instructions, see Creating a VPC and subnet and Creating a virtual server instance.

  2. Make sure that an IBM Cloud® Object Storage instance with a bucket exists for your flow logs. To create an Object Storage bucket, see the IBM Cloud Object Storage ordering page.

    The Object Storage bucket must be a single-region bucket in the same region as the target resource. Additionally, it is recommended that you secure the bucket through IAM access groups and audit logging.

  3. Authorize resources of type Flow Logs for VPC to use the Object Storage instance created in Step 2.

    To do so, use the following steps:

    • In the IBM Cloud console, click Manage > Access (IAM), then select Authorizations from the navigation pane.

    • Click Create and complete the following information:

      For Source service:

      • Select VPC Infrastructure Services.
      • Select Resources based on selected attributes.
      • For Resource type, select Flow Logs for VPC.
      • For Source service instance, select All instances.

      For Target service:

      • Select Cloud Object Storage.
      • Select Resources based on selected attributes.
      • For Service instance, select string equals > All instances.

      For Service access, select the Writer role to assign access to the source service that accesses the target service.

    • Click Authorize.

    For more information, see Using authorizations to grant access between services.

Prerequisites from the CLI

Before you create a flow log collector, make sure that you meet the following prerequisites:

  1. Make sure that at least one VPC, a subnet, and a virtual server instance exist. For instructions, see Creating a VPC and subnet and Creating a virtual server instance.

  2. Make sure that an IBM Cloud® Object Storage instance with a bucket exists for your flow logs. To create an Object Storage bucket, see the IBM Cloud Object Storage ordering page.

    The Object Storage bucket must be a single-region bucket in the same region as the target resource. Additionally, it is recommended that you secure the bucket through IAM access groups and audit logging.

  3. Authorize resources of type Flow Logs for VPC to use the Object Storage instance created in Step 2.

    To do so, enter the following command:

    ibmcloud iam authorization-policy-create is cloud-object-storage Writer --source-resource-type flow-log-collector --target-service-instance-id "$COS_INSTANCE_GUID"

    ibmcloud iam authorization-policy-create is cloud-object-storage Reader --source-resource-type image --target-service-instance-id "$COS_INSTANCE_GUID"
    

    You can obtain the COS_INSTANCE_GUID from the Service credentials section for the Object Storage instance as shown.

    Object Storage Service credentials

    For more information, see Using authorizations to grant access between services.

Prerequisites with the API

Before you create a flow log collector, make sure that you meet the following prerequisites:

  1. Make sure that at least one VPC, a subnet, and a virtual server instance exist. For instructions, see Creating a VPC and subnet and Creating a virtual server instance.

  2. Make sure that an IBM Cloud® Object Storage instance with a bucket exists for your flow logs. To create an Object Storage bucket, see the IBM Cloud Object Storage ordering page.

    The Object Storage bucket must be a single-region bucket in the same region as the target resource. Additionally, it is recommended that you secure the bucket through IAM access groups and audit logging.

  3. Authorize resources of type Flow Logs for VPC to use the Object Storage instance created in Step 2.

    To do so, use the following steps:

    • In the IBM Cloud console, click Manage > Access (IAM), then select Authorizations from the navigation pane.

    • Click Create and complete the following information:

      For Source service:

      • Select VPC Infrastructure Services.
      • Select Resources based on selected attributes.
      • For Resource type, select Flow Logs for VPC.
      • For Source service instance, select All instances.

      For Target service:

      • Select Cloud Object Storage.
      • Select Resources based on selected attributes.
      • For Service instance, select string equals > All instances.

      For Service access, select the Writer role to assign access to the source service that accesses the target service.

    • Click Authorize.

    For more information, see Using authorizations to grant access between services.
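
The authorization in Step 3 can be checked after the fact. The following is an added example, not IBM's code: it reviews authorization policies for the Flow Logs for VPC grant and reports whether each one is limited to a single Object Storage instance (as the CLI command does with --target-service-instance-id) or covers all instances (the console selection), and whether it carries roles other than Writer. The JSON shape, the policy IDs, and the instance GUID are assumptions constructed for illustration.

```python
import json

# Constructed sample; the shape (subjects/resources/roles with name-value
# attributes) is an assumption modeled on IAM authorization policy JSON.
SAMPLE = json.loads("""[
 {"id": "policy-scoped",
  "subjects": [{"attributes": [{"name": "serviceName", "value": "is"},
                               {"name": "resourceType", "value": "flow-log-collector"}]}],
  "roles": [{"role_id": "crn:v1:bluemix:public:iam::::serviceRole:Writer"}],
  "resources": [{"attributes": [{"name": "serviceName", "value": "cloud-object-storage"},
                                {"name": "serviceInstance", "value": "EXAMPLE-COS-GUID"}]}]},
 {"id": "policy-all-instances",
  "subjects": [{"attributes": [{"name": "serviceName", "value": "is"},
                               {"name": "resourceType", "value": "flow-log-collector"}]}],
  "roles": [{"role_id": "crn:v1:bluemix:public:iam::::serviceRole:Writer"},
            {"role_id": "crn:v1:bluemix:public:iam::::serviceRole:Manager"}],
  "resources": [{"attributes": [{"name": "serviceName", "value": "cloud-object-storage"}]}]},
 {"id": "policy-image-reader",
  "subjects": [{"attributes": [{"name": "serviceName", "value": "is"},
                               {"name": "resourceType", "value": "image"}]}],
  "roles": [{"role_id": "crn:v1:bluemix:public:iam::::serviceRole:Reader"}],
  "resources": [{"attributes": [{"name": "serviceName", "value": "cloud-object-storage"},
                                {"name": "serviceInstance", "value": "EXAMPLE-COS-GUID"}]}]}
]""")

def attrs(entries):
    """Flatten a subjects/resources list into one {name: value} dict."""
    return {a["name"]: a["value"] for e in entries for a in e.get("attributes", [])}

def audit_flow_log_grants(policies):
    """Return [(policy_id, [issues])] for Flow Logs -> Object Storage grants."""
    findings = []
    for p in policies:
        src, dst = attrs(p.get("subjects", [])), attrs(p.get("resources", []))
        if (src.get("serviceName"), src.get("resourceType")) != ("is", "flow-log-collector"):
            continue  # not a flow log collector grant (for example, the image Reader policy)
        if dst.get("serviceName") != "cloud-object-storage":
            continue
        roles = {r["role_id"].rsplit(":", 1)[-1] for r in p.get("roles", [])}
        issues = []
        if "serviceInstance" not in dst:
            issues.append("covers all Object Storage instances")
        if "Writer" not in roles:
            issues.append("Writer role missing")
        if roles - {"Writer"}:
            issues.append("extra roles: " + ", ".join(sorted(roles - {"Writer"})))
        findings.append((p["id"], issues))
    return findings
```

An empty issue list means the grant is Writer-only and tied to one instance; an empty result means no Flow Logs for VPC grant exists, so collectors cannot write to the bucket.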

Creating a flow log collector in the UI

To create a flow log collector by using the IBM Cloud console, follow these steps:

  1. Go to the IBM Cloud console and log in to your account.

  2. Select the Navigation Menu icon, then click VPC Infrastructure > Flow Logs. The Flow logs for VPC dashboard appears.

    Figure 1. Flow log collector dashboard

  3. Click Create flow log collector to go to the flow logs provisioning page.

  4. Enter values for the following fields:

    • Name - Type a unique name for your flow log collector.
    • Resource group - Select a resource group for your flow log collector. You can use the default group for this flow log, or choose from the list (if defined). For more information, see Best practices for organizing resources in a resource group.
    • Tags - Optionally, add tags to organize, track usage costs, or manage access to your resources.
    • Access management tags - Optionally, add access management tags to resources to help organize access control relationships. The only supported format for access management tags is key:value. For more information, see Controlling access to resources by using tags.
  5. From the Attach the flow log connector to menu, choose a target type for the flow log. Depending on your selection, additional fields might be required.

    • Virtual private cloud - Select a VPC. All network traffic within the selected VPC is logged.
    • Subnet - Select a VPC and a subnet within the selected VPC. All traffic within the selected subnet is logged.
    • Instance - Select a VPC and a virtual server instance that exists within the selected VPC. All traffic for the virtual server instance is logged.
    • Interface - Select a VPC, a virtual server instance within the selected VPC, and a specific network interface for the selected virtual server instance. All traffic for the selected network interface is logged.
  6. Specify where the logs are written. Flow logs are written to an Object Storage bucket, which must be created as a single-region bucket in the same region as the target resource.

    • Cloud Object Storage instances - The Object Storage instance that the wanted bucket resides in.
    • Location - This input is unavailable because it is directly tied to the region the target resource resides in.
    • Bucket - The wanted IBM Cloud® Object Storage bucket that the flow log collector service writes to.

Creating a flow log collector from the CLI

Before you begin, set up your CLI environment.

To create a flow log collector by using the CLI, run the following command:

  ibmcloud is flow-log-create \
    --bucket STORAGE_BUCKET_NAME \
    --target TARGET_ID [--name NAME] \
    --active ACTIVE \
    [--resource-group-id RESOURCE_GROUP_ID | --resource-group-name RESOURCE_GROUP_NAME] \
    [--json]

Where:

  • --bucket is the name of the Object Storage bucket.
  • --target is the target for the flow log.
  • --name is the new name for the flow log.
  • --active indicates whether this collector is active.
  • --resource-group-id is the ID of the resource group. This option is mutually exclusive with --resource-group-name.
  • --resource-group-name is the name of the resource group. This option is mutually exclusive with --resource-group-id.
  • --json formats the output in JSON.

Creating a flow log collector with the API

To create a flow log collector by using the API, follow these steps:

  1. Set up your API environment with the right variables.

  2. Store the following values in variables to be used in the API command:

    • ResourceGroupId - First, get your resource group and then populate the variable:
    export ResourceGroupId=<your_resourcegroup_id>
    
    • VpcId - Find by using the list vpc command (with the preceding variables) and then populate the variable based on the provided ID:
    export VpcId=<your_VPC_id>
    
    • COSbucket - The name of the Object Storage bucket.
    export COSbucket=<your_COS_bucket_name>
    
  3. When all variables are initiated, provision a flow log collector for the specific VPC:

    # The JSON body is single-quoted, so its line breaks need no trailing backslash.
    curl -X POST \
      -sH "Authorization:${iam_token}" \
      "$vpc_api_endpoint/v1/flow_log_collectors?version=$api_version&generation=2" \
      -d '{
           "name": "flow-logs-1",
           "resource_group": { "id": "'"$ResourceGroupId"'" },
           "storage_bucket": { "name": "'"$COSbucket"'" },
           "target": { "id": "'"$VpcId"'" }
           }' | jq
    
  4. To provision a collector that targets a subnet, virtual server instance, or VNIC, you must provide a subnet ID, virtual server instance ID, or VNIC ID as a collector target. For example, the following request creates a collector that targets a virtual server instance ID:

    export VsiId=<your_vsi_id>
    
    # Same request as for the VPC, with the virtual server instance ID as the target.
    curl -X POST \
      -sH "Authorization:${iam_token}" \
      "$vpc_api_endpoint/v1/flow_log_collectors?version=$api_version&generation=2" \
      -d '{
          "name": "flow-logs-1",
          "resource_group": { "id": "'"$ResourceGroupId"'" },
          "storage_bucket": { "name": "'"$COSbucket"'" },
          "target": { "id": "'"$VsiId"'" }
          }' | jq
    

Next steps