We’re pleased to announce the general availability of VCN flow logs for Oracle Cloud Infrastructure (OCI). With this service, you can view connection information for traffic within and to and from your virtual cloud network (VCN).
We’re announcing this release as a joint general availability with our Oracle Cloud Infrastructure Logging service.
VCN flow logs keep detailed metadata records of every flow that passes through your VCN and presents this data for analysis in the Oracle Cloud Infrastructure Logging service. This data includes information about the source and destination of the traffic, along with the volume of traffic and the accept or reject policy action taken, based on your network security rules. You can use this information for network monitoring, troubleshooting, and compliance. Through native cloud integration with the Logging service, you can view, search, export, and stream log files to your on-premise SIEM.
ACCEPT TCP 172.21.2.185 Port 43360 → 220.127.116.11 Port 443 Bytes 10515 Packets 19
ACCEPT TCP 18.104.22.168 Port 443 → 172.21.2.185 Port 43360 Bytes 5548 Packets 14
VCN flow logs support all resources in your subnet. The resources include not only Compute instances, but service private endpoints, LBaaS, PaaS services, and other future items in your VCN.
With this product, we’re also excited to introduce data export and streaming options for ingestion of your flow logs. Through Logging service connectors, you can archive logs to object storage to meet compliance and data retention needs or stream in under 10 minutes to your SIEM or log management platform. We also support alarming on event data to meet your alerting needs, in addition to the built-in log search capabilities of the Console.
A structured JSON format powers everything for data interchange, which allows easy integration with both existing log management platforms and other Oracle Cloud Infrastructure services.
Use VCN flow logs in the following use cases.
You can use flows logs for troubleshooting and monitoring. Flow logs show attempts to connect to your database from your on-premises environment, as shown in the following figure. Logs also show whether security rules allow or deny the traffic. You can use this information to make quick, informed decisions about managing your network resources, such as capacity-planning and network security response.
You can now achieve regulatory, compliance, and other governance requirements previously only achievable through third-party network virtual appliances or host-based agents. Through the visibility afforded by VCN flow logs and flexible data-retention options provided by the Logging export, you can meet requirements in financial, healthcare, and other regulated industries.
Through the Logging service, you can enable, view, and manage your flow log configuration.
In the navigation menu in the Console, go to Logging and click Log Management.
Create a log group to store your Flow Logs configuration.
On the Log Groups tab, click Create Log Group. Enter a name and a description, and then click Create.
Enable flow logs on your subnet.
On the Logs tab, click Enable Log. Select the Flow Logs service, and select your subnet as the resource. Enter a name for the log, and click Enable Log.
That’s it! Within minutes, your logs should become available.
Alternatively, we’ve also enabled the ability to enable flow logs through the Logging tab on your subnet, which redirects you to the same workflow.
You can access your logs from the Oracle Cloud Logging Search experience. You can also set up advanced scenarios to export to Object Storage or stream through the Streaming service to your Apache Kafka compatible endpoint.
The export and stream solutions are covered in deeper detail in the documentation. We go over the Console search experience, which is all you need to get started!
You can view and search VCN flow logs directly within the Logging service’s Console-based viewer. This view provides an easy-to-use, indexed repository of your recent logs. To access the Logging viewer, navigate to Logging and then Log Search in the Console.
You can also filter and visualize your data. You can use attributes such as security rule action, IP address, port, and more to create relevant queries and multiple visualization options exist.
In this example, I type “data” into the filter box and receive the following options:
To simulate an unauthorized internet user trying to reach your instance, I wrote a query showing all rejected connection attempts to my server at address 10.0.0.3 through a filter and visualized the results based on source IP.
With the Logging Service Connector feature, you can export flow logs to Object Storage. Take advantage of low-cost archives of your logs with retention based on life-cycle policies for your bucket by following these instructions. You can retrieve the files for later analysis or retain them indefinitely.
As part of the Splunk Technical Alliance Partnership, we’ve published integrations to allow customers to stream VCN flow logs to their on-premises or Splunk Cloud platform. We have a tech note detailing the setup process and an overview blog on this integration.
If you utilize Oracle OMC, you can also now stream logs into your on-premise platform following the instructions here.
Want to integrate into your own SIEM or logging management solution? We have you covered. You can stream flow logs to any Oracle Cloud Infrastructure Streaming or Apache Kafka compliant endpoint. You can even send it to an Autonomous Database.
Thank you for your interest in VCN flow logs. On behalf of the Virtual Networking product team, we encourage you to share any product feedback that you have in the comments.