Oracle Cloud Infrastructure VCN flow logs
With OCI Virtual Cloud Network (VCN) flow log ingestion enabled, Plixer Scrutinizer is able to monitor and report on traffic associated with specified Oracle Virtual Network Interface Cards (VNICs).
This section covers the prerequisites and setup/configuration steps for OCI VCN flow log ingestion.
Setting up the OCI flow log stream
VCN flow log ingestion in Plixer Scrutinizer uses the OCI streaming service as the log data source. After being downloaded from a stream, the log data is forwarded to one or more specified collectors as regular flows.
To set up the flow log stream, follow these steps:
1. Create a new stream in any stream pool to publish the flow logs to.
2. Enable flow logs for the VCN, subnet, or VNICs.
3. Configure a new service connector as follows:
   - Source: Compartment, log group, and name associated with the logs enabled in step 2.
   - Target: Compartment and name associated with the stream created in step 1.
4. Create/provision an IAM group with the use stream-pull permission and add a user to the group (or select an existing user).
5. Generate an API signing key pair for the user and download the private key as described here.
6. Get the private key fingerprint using this command.
7. Verify that the flow logs are correctly being published to the stream, and then proceed to configuring Plixer Scrutinizer to download/ingest the log data.
Note
If the key pair was not generated via the OCI console, the public key will need to be uploaded for the user.
Configuring OCI VCN flow log ingestion in Plixer Scrutinizer
Once the OCI stream has been successfully configured, it can be added to Plixer Scrutinizer as a flow log source as follows:
1. Navigate to Admin > Integrations > Flow Log Ingestion in the web interface.
2. Click the + icon, and then select Oracle Cloud Streams in the tray.
3. Enter the following details in the secondary tray:
   - Enter a name to identify the stream/source by.
   - Select the Plixer Scrutinizer servers to use as log downloader(s) and collector(s) for the stream (the primary reporter of a distributed cluster is not recommended for either role).
   - Enter the URL for the stream pool containing the flow log stream.
   - Enter the OCID of the stream receiving the VCN flow logs.
   - Enter the OCID of the OCI tenancy.
   - Enter the OCID of the user to be used to access the streams (must have the required permissions).
   - Enter the fingerprint of the private API signing key generated for the user.
   - Enter the passphrase associated with the private key (leave blank if no passphrase was used when the key was generated).
   - Enter the private key in PEM format.
   - Enter the name of the home region of the tenancy.
4. Click the Save button to add the stream with the current settings.
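A pre-flight check over the values entered in the tray, as an added example that is not part of the Plixer documentation or product: it checks that each OCID is of the expected resource type, that the fingerprint matches the public key uploaded for the user (OCI displays an API key's fingerprint as the MD5 of the DER-encoded public key), and that a passphrase is supplied only for an encrypted key. The dictionary keys are hypothetical names for the tray fields, and all sample values are constructed.

```python
import base64
import hashlib

def ocid_type(ocid):
    """Return the resource type of an OCID (ocid1.<type>.<realm>.[region].<id>), or None."""
    parts = ocid.strip().split(".")
    ok = len(parts) >= 5 and parts[0] == "ocid1" and parts[-1]
    return parts[1] if ok else None

def public_key_fingerprint(public_pem):
    """MD5 of the DER-encoded public key, colon-separated, the form OCI shows for an API key."""
    body = "".join(l for l in public_pem.strip().splitlines() if not l.startswith("-----"))
    digest = hashlib.md5(base64.b64decode(body, validate=True), usedforsecurity=False).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def preflight(cfg, public_pem):
    """Return a list of problems found in the values about to be entered (empty = none)."""
    problems = []
    for field, kind in (("stream_ocid", "stream"), ("tenancy_ocid", "tenancy"), ("user_ocid", "user")):
        if ocid_type(cfg[field]) != kind:
            problems.append(f"{field}: not an ocid1.{kind} OCID")
    if not cfg["stream_pool_url"].startswith("https://"):
        problems.append("stream_pool_url: expected an https:// URL")
    if cfg["fingerprint"].strip().lower() != public_key_fingerprint(public_pem):
        problems.append("fingerprint: does not match the uploaded public key")
    key = cfg["private_key"]
    encrypted = "BEGIN ENCRYPTED PRIVATE KEY" in key or "Proc-Type: 4,ENCRYPTED" in key
    if "PRIVATE KEY-----" not in key:
        problems.append("private_key: not PEM")
    elif encrypted != bool(cfg["passphrase"]):
        problems.append("passphrase: must be set only when the key is encrypted")
    return problems

# Constructed sample values: placeholder bytes, not a real key or real OCIDs.
SAMPLE_PUBLIC_PEM = ("-----BEGIN PUBLIC KEY-----\n"
                     + base64.encodebytes(b"constructed placeholder, not a real key " * 3).decode()
                     + "-----END PUBLIC KEY-----\n")
SAMPLE_CFG = {  # hypothetical field names standing in for the tray inputs
    "stream_pool_url": "https://streaming.example.invalid",
    "stream_ocid": "ocid1.stream.oc1.phx.exampleuniqueid",
    "tenancy_ocid": "ocid1.tenancy.oc1..exampleuniqueid",
    "user_ocid": "ocid1.user.oc1..exampleuniqueid",
    "fingerprint": public_key_fingerprint(SAMPLE_PUBLIC_PEM),
    "passphrase": "",
    "private_key": "-----BEGIN PRIVATE KEY-----\n(constructed placeholder)\n-----END PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for problem in preflight(SAMPLE_CFG, SAMPLE_PUBLIC_PEM) or ["no problems found"]:
        print(problem)
```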
Once added, the stream will be listed in the main Admin > Integrations > Flow Log Ingestion view under the configured name. An exporter associated with VCN will also be added to the device lists for Plixer Scrutinizer’s various functions (Flow Analytics, network maps, reports, etc.).
Note
After a stream configuration has been saved, click on the name assigned to it in the main view to open the settings tray, and use the Test button to confirm that Plixer Scrutinizer is able to establish a connection to the stream with the credentials entered.
To verify that an OCI VCN flow log source has been successfully added, look for an exporter whose hostname matches the VCN in the Explore > Exporters > By Exporters view or the Admin > Resources > Manage Exporters page (after ~1 hour).
Flow log ingestion processes are divided between the log downloader (downloads the flow logs from the stream) and the flow collector (collects and processes the downloaded logs). A different Plixer Scrutinizer server can be used for each role, and a single stream can have multiple downloaders and collectors.