AWS VPC Flow Logs
AWS VPC Flow Logs (v5) — network traffic records across multiple accounts, VPCs, and subnets. TCP/UDP/ICMP flows with ACCEPT/REJECT actions, NAT gateway traffic, and realistic byte/packet distributions.
Quick Start
```bash
uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
  --path generators/cloud-aws-vpc-flow/generator.yml \
  --id vpcflow \
  --live-mode true
```
Event Types
| Event ID | Description | Frequency | Category |
|---|---|---|---|
| accepted-tcp | TCP ACCEPT — web, SSH, database traffic | ~53% | network |
| accepted-udp | UDP ACCEPT — DNS, NTP, syslog | ~16% | network |
| accepted-tcp-bulk | High-volume TCP transfers (S3, API) | ~11% | network |
| rejected-tcp | Security group denies, port scans | ~8% | network |
| nodata | No traffic on interface during interval | ~5% | network |
| rejected-udp | Blocked DNS probes, SNMP scans | ~3% | network |
| accepted-icmp | Ping, traceroute, path MTU discovery | ~2% | network |
| rejected-icmp | Blocked external pings, ICMP probes | ~1% | network |
| skipdata | Records skipped during the aggregation interval (internal capacity constraint) | ~1% | network |
Realism Features
- Weighted port distributions — HTTPS dominates at ~35%, followed by DNS, HTTP, SSH, and 17 other services
- Lognormal traffic volumes — packets and bytes follow lognormal distributions; bulk transfers produce 10KB–500MB flows
- Network direction detection — classifies each flow as inbound, outbound, internal, or external by checking whether the source and destination addresses fall inside the RFC 1918 private ranges
- Multi-account environment — 3 AWS accounts (production, staging, development) across 5 regions
- 15 network interfaces spanning 3 VPCs with EC2, NAT gateway, ALB, Lambda, and ECS task ENI types
- Raw log preservation — event.original carries the raw space-delimited record (v2 default format), as CloudWatch Logs or S3 delivery would emit it
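The direction classification above and the port-scan pattern behind the rejected-tcp event type are the two things a consumer of these logs usually has to reimplement. The block below is an added example for this page, not code from eventum or the content pack: it parses the 14-field v2 record that event.original carries, derives the ECS-style direction/action fields seen in Sample Output, and flags external sources whose REJECTed flows hit many distinct ports. The sample records are constructed, the REJECT-to-event.outcome mapping is an assumption, and the RFC 1918 check is done explicitly rather than with `ipaddress.is_private()` because the latter also treats documentation ranges such as 198.51.100.0/24 as private.

```python
"""Parse v2 VPC Flow Log records, derive ECS-style direction/action fields,
and flag REJECT bursts that look like port scans.

Added example for this page; not code from eventum or the content pack.
Assumes the default (v2) 14-field space-delimited format and uses
constructed sample records."""
import ipaddress
from collections import defaultdict

V2_FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
             "srcport", "dstport", "protocol", "packets", "bytes",
             "start", "end", "action", "log_status")

# RFC 1918 ranges only. Deliberately not ipaddress.is_private(), which also
# treats documentation ranges such as 198.51.100.0/24 as private.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

PROTOCOLS = {"1": "icmp", "6": "tcp", "17": "udp"}

# Constructed sample records (not real traffic): one ENI, mixed ACCEPT/REJECT,
# a NODATA interval, and a six-port REJECT burst from one external source.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.47 52.94.233.17 49832 443 6 25 18560 1772634151 1772634211 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.47 10.0.2.15 51000 5432 6 40 6100 1772634151 1772634211 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.9 10.0.1.47 53000 53 17 1 76 1772634151 1772634211 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.23 10.0.1.47 40001 22 6 1 44 1772634151 1772634211 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.23 10.0.1.47 40002 23 6 1 44 1772634151 1772634211 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.23 10.0.1.47 40003 445 6 1 44 1772634151 1772634211 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.23 10.0.1.47 40004 3389 6 1 44 1772634151 1772634211 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.23 10.0.1.47 40005 8080 6 1 44 1772634151 1772634211 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.23 10.0.1.47 40006 8443 6 1 44 1772634151 1772634211 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1772634151 1772634211 - NODATA
"""


def parse_v2(line):
    """Split one v2 record into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != len(V2_FIELDS) or parts[0] != "2":
        return None
    return dict(zip(V2_FIELDS, parts))


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def classify_direction(src, dst):
    """Direction relative to the RFC 1918 private address space."""
    s, d = is_rfc1918(src), is_rfc1918(dst)
    if s and d:
        return "internal"
    if s:
        return "outbound"
    if d:
        return "inbound"
    return "external"


def to_ecs(rec):
    """Map a parsed record to ECS-style fields like those in Sample Output.
    NODATA/SKIPDATA intervals carry no addresses, so only the status is kept.
    The REJECT -> outcome 'failure' / type 'denied' mapping is an assumption."""
    if rec["log_status"] != "OK":
        return {"event": {"category": ["network"], "dataset": "aws.vpcflow"},
                "aws": {"vpcflow": {"log_status": rec["log_status"]}}}
    accepted = rec["action"] == "ACCEPT"
    return {
        "event": {
            "action": rec["action"].lower(),
            "category": ["network"],
            "dataset": "aws.vpcflow",
            "outcome": "success" if accepted else "failure",
            "type": ["connection", "allowed" if accepted else "denied"],
        },
        "network": {
            "bytes": int(rec["bytes"]),
            "packets": int(rec["packets"]),
            "direction": classify_direction(rec["srcaddr"], rec["dstaddr"]),
            "iana_number": rec["protocol"],
            "transport": PROTOCOLS.get(rec["protocol"], "unknown"),
        },
        "source": {"ip": rec["srcaddr"], "port": int(rec["srcport"])},
        "destination": {"ip": rec["dstaddr"], "port": int(rec["dstport"])},
    }


def parse_log(text):
    recs = [parse_v2(line) for line in text.splitlines() if line.strip()]
    return [r for r in recs if r is not None]


def detect_port_scans(records, min_ports=5):
    """Return {srcaddr: sorted distinct dst ports} for non-RFC 1918 sources
    whose REJECTed flows hit at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for r in records:
        if (r["log_status"] == "OK" and r["action"] == "REJECT"
                and not is_rfc1918(r["srcaddr"])):
            ports[r["srcaddr"]].add(int(r["dstport"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for r in records:
        print(to_ecs(r))
    print(detect_port_scans(records))
```

Run against the generator's own output by feeding each event.original line to parse_log; the scan threshold (min_ports) is the knob to tune against the ~8% rejected-tcp share so that ordinary security-group denies do not trip it.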
Sample Output
```json
{
  "@timestamp": "2026-03-04T14:22:31+00:00",
  "cloud": {
    "account": { "id": "123456789012", "name": "acme-production" },
    "availability_zone": "use1-az2",
    "provider": "aws",
    "region": "us-east-1"
  },
  "event": {
    "action": "accept",
    "category": ["network"],
    "dataset": "aws.vpcflow",
    "outcome": "success",
    "type": ["connection", "allowed"]
  },
  "network": {
    "bytes": 18560,
    "direction": "outbound",
    "iana_number": "6",
    "transport": "tcp"
  },
  "source": { "ip": "10.0.1.47", "port": 49832 },
  "destination": { "ip": "52.94.233.17", "port": 443 }
}
```
Parameters
| Parameter | Default | Description |
|---|---|---|
| agent_id | c4d5e6f7-... | Filebeat agent UUID |
| agent_version | 8.17.0 | Elastic Agent version |
Related Generators
AWS CloudTrail Management Events
AWS CloudTrail audit trail — API calls across EC2, IAM, STS, and S3 from a multi-account organization. Includes console logins, role assumptions, error injection, and 4 identity types.
AWS GuardDuty Findings
AWS GuardDuty threat detection findings across EC2, IAM, and S3 resources. Covers 8 categories — Recon, UnauthorizedAccess, Policy, Trojan, Impact, CryptoCurrency, Stealth, and Backdoor — with 27 finding types, 10 threat actor IPs, and geo/ASN enrichment.
Azure Activity Log
Azure Monitor Activity Log — control plane operations across VMs, storage, networking, and RBAC. Covers all 7 log categories: Administrative, Security, Service Health, Alert, Autoscale, Policy, and Recommendation.