
Query packets in AWS CloudWatch | AWS

To query the sent and received packets for specific source and/or destination IP addresses from the tunnel logs in CloudWatch, you can use CloudWatch Logs Insights. Here's a general outline of how you can construct your query:

filter @logStream like 'your-tunnel-log-stream-prefix'
| parse @message '* from_ip="*" to_ip="*" sent_packets=* received_packets=*' as msg_prefix, from_ip, to_ip, sent_packets, received_packets
| filter from_ip = 'your_source_ip' or to_ip = 'your_destination_ip'
| display from_ip, to_ip, sent_packets, received_packets

Here's what each part of the query does:

  1. filter @logStream like 'your-tunnel-log-stream-prefix': Filters the logs to only include the log streams whose names contain the specified string (like is a substring match, not strictly a prefix match). Replace 'your-tunnel-log-stream-prefix' with the prefix of your log stream names.

  2. parse @message '* from_ip="*" to_ip="*" sent_packets=* received_packets=*' as msg_prefix, from_ip, to_ip, sent_packets, received_packets: Parses the fields from_ip, to_ip, sent_packets, and received_packets from the log message. Every * in the glob pattern needs a name, so the leading wildcard (whatever precedes from_ip in the message) is captured as msg_prefix and then ignored. Adjust the parsing pattern according to your log format if necessary.

  3. filter from_ip = 'your_source_ip' or to_ip = 'your_destination_ip': Filters the log entries to only include those where the source IP matches 'your_source_ip' or the destination IP matches 'your_destination_ip'.

  4. display from_ip, to_ip, sent_packets, received_packets: Selects the fields (from_ip, to_ip, sent_packets, received_packets) for the final output. display is the Logs Insights command for this; there is no project command in its query language.

Replace 'your_source_ip' and 'your_destination_ip' with the IP addresses you want to filter for. Adjust the parsing pattern in the parse statement based on your actual log format.

Once you have your query ready, you can run it in the CloudWatch Logs Insights console or via the AWS CLI/API, depending on your preference. This will give you the relevant logs that match your criteria.
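Running the same query through the API, as an added example that is not part of the original post: it builds the query from caller-supplied values, validates them before they are interpolated into the query text, and polls the Logs Insights API until results are ready. The log group name, stream prefix and IP addresses are assumptions.

```python
"""Build and run the tunnel-log query above via the CloudWatch Logs
Insights API (start_query / get_query_results) with boto3.
Added example; log group, stream prefix, field layout and IPs are assumed."""
import ipaddress
import time

# Same pipeline as in the post; display selects the output fields.
QUERY_TEMPLATE = (
    "filter @logStream like '{prefix}'\n"
    "| parse @message '* from_ip=\"*\" to_ip=\"*\" sent_packets=* received_packets=*'"
    " as msg_prefix, from_ip, to_ip, sent_packets, received_packets\n"
    "| filter from_ip = '{src}' or to_ip = '{dst}'\n"
    "| display from_ip, to_ip, sent_packets, received_packets"
)


def build_query(stream_prefix: str, source_ip: str, destination_ip: str) -> str:
    """Return the query with the caller's values substituted. The values land
    inside query text, so each is validated first: IPs must parse as addresses
    and the prefix may not carry quote characters that could alter the query."""
    src = str(ipaddress.ip_address(source_ip))        # ValueError if malformed
    dst = str(ipaddress.ip_address(destination_ip))
    if "'" in stream_prefix or '"' in stream_prefix:
        raise ValueError("log stream prefix must not contain quote characters")
    return QUERY_TEMPLATE.format(prefix=stream_prefix, src=src, dst=dst)


def run_query(log_group: str, query: str, start: int, end: int,
              poll_seconds: float = 1.0) -> list:
    """Start the query and poll until it finishes; returns rows as dicts."""
    import boto3  # imported here so build_query works without boto3 installed

    logs = boto3.client("logs")
    query_id = logs.start_query(logGroupName=log_group, startTime=start,
                                endTime=end, queryString=query)["queryId"]
    while True:
        resp = logs.get_query_results(queryId=query_id)
        if resp["status"] in ("Complete", "Failed", "Cancelled", "Timeout"):
            break
        time.sleep(poll_seconds)
    if resp["status"] != "Complete":
        raise RuntimeError(f"query ended with status {resp['status']}")
    return [{f["field"]: f["value"] for f in row} for row in resp["results"]]


if __name__ == "__main__":
    # Constructed sample values; replace with your own log group, prefix and IPs.
    q = build_query("vpn-tunnel-", "10.0.1.25", "192.168.10.7")
    now = int(time.time())
    for row in run_query("/aws/vpn/tunnel-logs", q, now - 3600, now):
        print(row)
```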
