13.04.2020

FastNetMon and Google Compute GCE VPC Flow logs

FastNetMon can ingest data from Google’s VPC Flow logs easily. Let’s start with the required configuration steps on the GCE side.

You need to open VPC Networks and enable VPC Flow logs for all required regions. We will use europe-west3 as an example. Open the VPC configuration, select Edit, enable the “Flow logs” flag, select Aggregation interval “5” seconds, select the “Include metadata” flag and select a sample rate of 50%.

After saving the changes you will see a “View flow logs” link on the VPC; click on it to confirm that you receive flow entries for this particular VPC. You will see entries like these if it was enabled properly:

As the next step we need to export the flow entries to a Pub/Sub topic so that FastNetMon can process them. On the top panel you need to select “Create Sink”.

After that, on the right panel specify the name “fastnetmon_eu_west3_sub_sub_export”, Sink Service “Pub/Sub”, and in the field “Sink destination” select “Create New Cloud Pub Sub topic” with the name “fastntemon_eu_west3_topic”, then click on “Create sink”.

We’re ready to read VPC flow data from this Pub/Sub topic, and we need a compute instance with read access to Pub/Sub. Open the configuration for your existing VM, stop it, then click on Edit and wait for the machine to shut down. After shutdown, find “Access scopes”, select “Set access for each API” and enable the flag for “Cloud Pub/Sub”. After that, save and start the VM.

As the next step, enable the Tera Flow plugin in FastNetMon:

sudo fcli set main tera_flow enable
sudo fcli set main tera_flow_host 0.0.0.0
sudo fcli set main tera_flow_ports 8104
sudo fcli commit

To convert data from the VPC Flow log format you will need to download this tool. After downloading, set the executable flag on it. You need to run this tool on GCE to have access to Pub/Sub.

chmod +x gce_flow_logs_processor

And run it using the following syntax:

./gce_flow_logs_processor -topic_id fastntemon_eu_west3_topic -tera_flow_server 127.0.0.1:8104

After these steps, you will see lots of log entries about traffic, and at the same time this information will be exported to FastNetMon. You need to keep this intermediate daemon running all the time to feed data into FastNetMon; you can use a screen session or run it as a daemon.
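To make the shape of the data flowing through this pipeline concrete, here is an added example (not code from FastNetMon or from the gce_flow_logs_processor tool) that parses VPC Flow Log messages as the Pub/Sub sink delivers them, sums inbound bytes and packets per destination address over one aggregation interval, and reports hosts above a bandwidth threshold, which is the kind of decision FastNetMon makes on the exported feed. The sample messages are constructed; the field names follow the documented jsonPayload layout (connection.src_ip, connection.dest_ip, bytes_sent, packets_sent, reporter), while the addresses, counters and the 500 kbit/s threshold are made up for illustration. One entry is deliberately malformed to show that a bad message is skipped rather than aborting the feed.

```python
import json
from collections import defaultdict

# Constructed sample messages in the shape the Pub/Sub sink delivers for VPC
# Flow Logs (field names as documented for jsonPayload; addresses and counts
# are made up). The last entry is deliberately malformed.
SAMPLE_MESSAGES = [
    json.dumps({"jsonPayload": {
        "connection": {"src_ip": "203.0.113.10", "src_port": 40001,
                       "dest_ip": "10.156.0.2", "dest_port": 443, "protocol": 6},
        "bytes_sent": "1200", "packets_sent": "4", "reporter": "DEST",
        "start_time": "2020-04-13T10:00:00.000000000Z",
        "end_time": "2020-04-13T10:00:05.000000000Z"}}),
    json.dumps({"jsonPayload": {
        "connection": {"src_ip": "198.51.100.7", "src_port": 53211,
                       "dest_ip": "10.156.0.2", "dest_port": 443, "protocol": 6},
        "bytes_sent": "600000", "packets_sent": "400", "reporter": "DEST",
        "start_time": "2020-04-13T10:00:00.000000000Z",
        "end_time": "2020-04-13T10:00:05.000000000Z"}}),
    json.dumps({"jsonPayload": {
        "connection": {"src_ip": "10.156.0.2", "src_port": 443,
                       "dest_ip": "203.0.113.10", "dest_port": 40001, "protocol": 6},
        "bytes_sent": "800", "packets_sent": "3", "reporter": "SRC",
        "start_time": "2020-04-13T10:00:00.000000000Z",
        "end_time": "2020-04-13T10:00:05.000000000Z"}}),
    json.dumps({"jsonPayload": {"bytes_sent": "10"}}),  # no connection block
]


def parse_flow(message):
    """Extract the 5-tuple and counters from one flow-log message.

    Returns None for messages that are not valid JSON or lack the
    connection block, so one bad entry never stops the feed.
    """
    try:
        payload = json.loads(message)["jsonPayload"]
        conn = payload["connection"]
        return {
            "src_ip": conn["src_ip"],
            "dest_ip": conn["dest_ip"],
            "src_port": int(conn["src_port"]),
            "dest_port": int(conn["dest_port"]),
            "protocol": int(conn["protocol"]),
            # Counters arrive as strings in the JSON payload; int() handles both.
            "bytes": int(payload["bytes_sent"]),
            "packets": int(payload["packets_sent"]),
        }
    except (ValueError, KeyError, TypeError):
        return None


def aggregate_by_dest(messages):
    """Sum bytes and packets per destination IP, skipping unparsable entries."""
    totals = defaultdict(lambda: {"bytes": 0, "packets": 0})
    for message in messages:
        flow = parse_flow(message)
        if flow is None:
            continue
        totals[flow["dest_ip"]]["bytes"] += flow["bytes"]
        totals[flow["dest_ip"]]["packets"] += flow["packets"]
    return dict(totals)


def hosts_over_threshold(totals, window_seconds, threshold_bps):
    """Return (dest_ip, bits_per_second) pairs above the threshold, highest first.

    window_seconds should match the aggregation interval chosen in the VPC
    flow-log settings (5 seconds in the configuration above).
    """
    over = []
    for dest_ip, counters in totals.items():
        bps = counters["bytes"] * 8 / window_seconds
        if bps > threshold_bps:
            over.append((dest_ip, bps))
    return sorted(over, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    totals = aggregate_by_dest(SAMPLE_MESSAGES)
    for dest_ip, bps in hosts_over_threshold(totals, 5, 500_000):
        print(f"{dest_ip}: {bps:.0f} bit/s inbound over the 5 s window")
```

Two points carry over to a real deployment: the window length must match the aggregation interval configured on the VPC, otherwise the bit-rate figure is off by that ratio, and the counters reflect the 50% sample rate chosen above, so any threshold you set in the consumer has to be chosen with that sampling in mind.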