IBM Cloud: VPCのFlow Logsを試してみた

1. はじめに

IBM CloudのVPC Gen2でFlow LogsがGAされているため、試してみました。
https://cloud.ibm.com/docs/vpc?topic=vpc-flow-logs
https://cloud.ibm.com/docs/vpc?topic=vpc-fl-analyze

主な特徴は以下の通りです。

• Network Interface(vNIC)に対してアクセスログを取得する
• 取得範囲を指定できる。
  • VPC内のすべてのNetwork Interfaceに対してアクセスログを取得
  • Subnet内のすべてのNetwork Interfaceに対してアクセスログを取得
  • Instance(VSI)のすべてのNetwork Interfaceに対してアクセスログを取得
  • 特定のNetwork Interfaceに対してアクセスログを取得
• 取得したアクセスログはICOS(IBM Cloud Object Storage)に保管する。
• 多層的に設定することは可能だが、その場合はより粒度の細かい設定が優先する。有効なユースケースとしては、以下が考えられる。
  • VPCレベルでFlow Logsを取得し、ICOS Bucket1に保管する。
  • Public Subnetなどの注視すべき範囲に対しては、別途ICOS Bucket2に保管する。
  • Trobule Shooting用に、特定のVSIに対してはICOS Bucket3に保管する。
• TCP/UDPがサポートされています。ICMPは現在未サポートです。
• 5分置き、もしくは100KBに達した時点でICOSに保管されます。

2. ICOSの設定

ICOSがVPCからアクセスできるように、IAMの設定をします。
https://cloud.ibm.com/docs/vpc?topic=vpc-ordering-flow-log-collector#fl-before-you-begin

Manage -> Access(IAM) -> Authorizationsから以下のように権限を付与します。

3. Flow Logsの設定

https://cloud.ibm.com/docs/vpc?topic=vpc-ordering-flow-log-collector#fl-ordering-ui

前項でICOSへのIAM設定をしたため、Flow Logsの保管先が指定できるようになっていいます。

4. ログを確認してみる。

確かにICOSに保管されています。

が、、、階層が深い・・・

以下によると、
ibm_vpc_flowlogs_v1/account={account}/region={region}/vpc-id={vpc-id}/subnet-id={subnet-id}/endpoint-type=vnics/instance-id={vsi-id}/vnic-id={vnic-id}/record-type={all|ingress|egress|internal}/year={xxxx}/month={yy}/day={zz}/hour={hh}/stream-id={stream-id}/{sequence-number}.gzというフォーマットになっているようです。
https://cloud.ibm.com/docs/vpc?topic=vpc-fl-analyze#flow-log-object-format

このファイルを展開すると、、、jsonファイルなのでそのままでは可読性が低いため、jqコマンドで整形します。すると、、、09:00前後の5分間に38件アクセスがありましたが、すべて不明なアドレスからのアクセスであり、それらがブロックされていることがわかります。target_ipがVSIのprivate IPなので、実際にはどのGlobal IPに対してアクセスしているかはFloating IPとの比較をする必要があります。

$ cat 00000002 | jq
{
  "version": "0.0.1",
  "collector_crn": "crn:v1:bluemix:public:is:us-south:a/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx::flow-log-collector:r006-18597fe0-a324-40ee-9ade-bc3e3fcd3998",
  "attached_endpoint_type": "vnic",
  "network_interface_id": "0717-315e4fce-c142-41a8-9f50-1b09b6865db8",
  "instance_crn": "crn:v1:bluemix:public:is:us-south-1:a/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx::instance:0717_2c155a6b-c737-4050-9278-9f954941ad18",
  "vpc_crn": "crn:v1:bluemix:public:is:us-south:a/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx::vpc:r006-0d78cc86-87f6-4fe2-b0c7-ca603862d178",
  "capture_start_time": "2020-07-26T23:58:45Z",
  "capture_end_time": "2020-07-27T00:03:45Z",
  "state": "ok",
  "number_of_flow_logs": 38,
  "flow_logs": [
    {
      "start_time": "",
      "end_time": "",
      "connection_start_time": "2020-07-26T23:57:23Z",
      "direction": "I",
      "action": "rejected",
      "initiator_ip": "185.156.73.67",
      "target_ip": "10.240.0.7",
      "initiator_port": 53424,
      "target_port": 5242,
      "transport_protocol": 6,
      "ether_type": "IPv4",
      "was_initiated": false,
      "was_terminated": true,
      "bytes_from_initiator": 0,
      "packets_from_initiator": 0,
      "bytes_from_target": 0,
      "packets_from_target": 0,
      "cumulative_bytes_from_initiator": 54,
      "cumulative_packets_from_initiator": 1,
      "cumulative_bytes_from_target": 0,
      "cumulative_packets_from_target": 0
    },
    {
      "start_time": "2020-07-26T23:59:25Z",
      "end_time": "2020-07-26T23:59:25Z",
      "connection_start_time": "2020-07-26T23:59:25Z",
      "direction": "I",
      "action": "rejected",
      "initiator_ip": "85.93.20.247",
      "target_ip": "10.240.0.7",
      "initiator_port": 8080,
      "target_port": 13845,
      "transport_protocol": 6,
      "ether_type": "IPv4",
      "was_initiated": true,
      "was_terminated": true,
      "bytes_from_initiator": 54,
      "packets_from_initiator": 1,
      "bytes_from_target": 0,
      "packets_from_target": 0,
      "cumulative_bytes_from_initiator": 54,
      "cumulative_packets_from_initiator": 1,
      "cumulative_bytes_from_target": 0,
      "cumulative_packets_from_target": 0
    },
（途中略）
  ]
}

以下のように、適宜整形すると良いでしょう。

# cat 00000002 | jq -r '.flow_logs[] | [.connection_start_time, .initiator_ip, .target_ip, .target_port, .direction, .action ] | @csv'|sort
"2020-07-26T23:56:52Z","103.145.12.97","10.240.0.7",5060,"I","rejected"
"2020-07-26T23:56:54Z","5.44.197.24","10.240.0.7",443,"I","rejected"
"2020-07-26T23:56:57Z","185.176.27.34","10.240.0.7",15786,"I","rejected"
"2020-07-26T23:57:23Z","185.156.73.67","10.240.0.7",5242,"I","rejected"
"2020-07-26T23:57:24Z","94.53.166.68","10.240.0.7",88,"I","rejected"
"2020-07-26T23:57:32Z","222.186.61.19","10.240.0.7",6666,"I","rejected"
"2020-07-26T23:57:34Z","185.176.27.26","10.240.0.7",15794,"I","rejected"
"2020-07-26T23:57:51Z","185.176.27.14","10.240.0.7",15796,"I","rejected"
"2020-07-26T23:58:03Z","172.93.4.78","10.240.0.7",16880,"I","rejected"
"2020-07-26T23:59:00Z","45.129.33.2","10.240.0.7",40040,"I","rejected"
"2020-07-26T23:59:07Z","185.176.27.34","10.240.0.7",15787,"I","rejected"
"2020-07-26T23:59:15Z","103.114.104.142","10.240.0.7",32614,"I","rejected"
"2020-07-26T23:59:15Z","109.103.100.197","10.240.0.7",23,"I","rejected"
"2020-07-26T23:59:25Z","85.93.20.247","10.240.0.7",13845,"I","rejected"
"2020-07-26T23:59:25Z","92.63.196.28","10.240.0.7",62883,"I","rejected"
"2020-07-26T23:59:30Z","87.251.74.200","10.240.0.7",7989,"I","rejected"
"2020-07-26T23:59:31Z","103.114.104.142","10.240.0.7",10486,"I","rejected"
"2020-07-26T23:59:47Z","103.114.104.142","10.240.0.7",27340,"I","rejected"
"2020-07-26T23:59:55Z","185.176.27.102","10.240.0.7",15789,"I","rejected"
"2020-07-27T00:00:10Z","103.114.104.142","10.240.0.7",32821,"I","rejected"
"2020-07-27T00:00:10Z","194.26.29.170","10.240.0.7",1546,"I","rejected"
"2020-07-27T00:00:34Z","194.26.29.170","10.240.0.7",1604,"I","rejected"
"2020-07-27T00:00:58Z","194.26.29.170","10.240.0.7",1661,"I","rejected"
"2020-07-27T00:01:09Z","89.248.168.217","10.240.0.7",5051,"I","rejected"
"2020-07-27T00:01:16Z","46.101.206.205","10.240.0.7",24114,"I","rejected"
"2020-07-27T00:01:28Z","58.218.56.94","10.240.0.7",5900,"I","rejected"
"2020-07-27T00:01:35Z","185.176.27.26","10.240.0.7",15793,"I","rejected"
"2020-07-27T00:01:40Z","138.197.89.186","10.240.0.7",22497,"I","rejected"
"2020-07-27T00:01:41Z","146.88.240.4","10.240.0.7",3283,"I","rejected"
"2020-07-27T00:01:52Z","185.217.0.187","10.240.0.7",123,"I","rejected"
"2020-07-27T00:01:54Z","194.26.29.170","10.240.0.7",1899,"I","rejected"
"2020-07-27T00:02:20Z","87.251.74.224","10.240.0.7",52346,"I","rejected"
"2020-07-27T00:02:25Z","211.118.42.219","10.240.0.7",54222,"I","rejected"
"2020-07-27T00:02:46Z","194.26.29.170","10.240.0.7",1709,"I","rejected"
"2020-07-27T00:03:01Z","124.235.118.14","10.240.0.7",6381,"I","rejected"
"2020-07-27T00:03:04Z","107.6.171.130","10.240.0.7",6000,"I","rejected"
"2020-07-27T00:03:18Z","159.203.74.227","10.240.0.7",31573,"I","rejected"
"2020-07-27T00:03:19Z","45.129.33.9","10.240.0.7",3869,"I","rejected"