Send VPC flow logs to Lumi

The VPC flow log integration guides you through the process to send Amazon Virtual Private Cloud (VPC) flow logs to Imply Lumi.

The integration walks you through choosing and configuring a transport-based integration: S3 pull, Splunk® httpout, or Splunk HEC. Because it's simple to configure AWS to send VPC flows to an S3 bucket, S3 pull is a popular option.

When you configure an IAM key for the integration, Lumi automatically sets the Source type IAM key attribute to aws:cloudwatchlogs:vpcflow. This creates the sourcetype user attribute if the event doesn't already have it. The sourcetype assignment ensures that incoming events enter the predefined pipeline for VPC flow logs. For details about IAM key attributes, see IAM key attribute reference.

The rest of the steps for the VPC flow log integration are exactly the same as those for the transport integration you choose. See Send events with S3 pull, Send events with S2S for httpout, or Send events with Splunk HEC depending on your use case.

After you finish and VPC flow log events begin to flow, Lumi stores the parsed events for use in your observability workflows.

Learn more

See the following topics for more information:

• VPC flow logs predefined pipeline for details on VPC flow log processing.
• Send events for information on transport mechanism integrations.