Creates a flow log.
Operation description
Flow logs can be used to capture traffic information about transit routers and network instance connections, including inter-region connections, virtual private cloud (VPC) connections, VPN connections, Express Connect Router (ECR) connections, and virtual border router (VBR) connections. Before you create a flow log, take note of the following items:
-
Flow logs are supported only by Enterprise Edition transit routers.
-
Flow logs are used to capture information about outbound traffic on transit routers. Information about inbound traffic on transit routers is not captured.
For example, an Elastic Compute Service (ECS) instance in the US (Silicon Valley) region accesses an ECS instance in the US (Virginia) region through Cloud Enterprise Network (CEN). After you enable the flow log feature for the transit router in the US (Virginia) region, you can check the log entries about packets sent from the ECS instance in the US (Virginia) region to the ECS instance in the US (Silicon Valley) region. However, packets sent from the ECS instance in the US (Silicon Valley) region to the ECS instance in the US (Virginia) region are not recorded. If you want to record the packets sent from the ECS instance in the US (Silicon Valley) region to the ECS instance in the US (Virginia) region, you must also enable the flow log feature on the transit router that is in the US (Silicon Valley) region.
-
If you use a flow log to capture traffic information about VPC connections, the flow log captures information only about traffic on the elastic network interface (ENI) of the transit router. For more information about how to view traffic information about other ENIs in the VPC, see VPC flow log overview.
-
CreateFlowLog
is an asynchronous operation. After a request is sent, the system returns a request ID and runs the task in the background. You can call theDescribeFlowlogs
operation to query the status of a flow log.- If the flow log is in the Creating state, the flow log is being created. In this case, you can query the flow log but cannot perform other operations.
- If the flow log is in the Active state, the flow log is created.
Prerequisites
Required resources are created. For more information about how to create resources, see the following topics:
Debugging
Authorization information
The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action
policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:
- Operation: the value that you can use in the Action element to specify the operation on a resource.
- Access level: the access level of each operation. The levels are read, write, and list.
- Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
- The required resource types are displayed in bold characters.
- If the permissions cannot be granted at the resource level,
All Resources
is used in the Resource type column of the operation.
- Condition Key: the condition key that is defined by the cloud service.
- Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.
Operation | Access level | Resource type | Condition key | Associated operation |
---|---|---|---|---|
cen:CreateFlowlog | create | *All Resources * |
| none |
Request parameters
Parameter | Type | Required | Description | Example |
---|---|---|---|---|
ClientToken | string | No | The client token that is used to ensure the idempotence of the request. You can use the client to generate the value, but you must make sure that it is unique among all requests. The token can contain only ASCII characters. Note
If you do not set this parameter, ClientToken is set to the value of RequestId. The value of RequestId for each API request may be different.
| 123e4567-e89b-12d3-a456-42665544**** |
RegionId | string | Yes | The ID of the region where the flow log is deployed. You can call the DescribeChildInstanceRegions operation to query the most recent region list. | cn-hangzhou |
FlowLogName | string | No | The flow log name. The name can be empty or 1 to 128 characters in length, and cannot start with http:// or https://. | myFlowlog |
Description | string | No | The description of the flow log. The description is optional. If you enter a description, it must be 1 to 256 characters in length, and cannot start with http:// or https://. | myFlowlog |
CenId | string | Yes | The ID of the CEN instance. | cen-7qthudw0ll6jmc**** |
ProjectName | string | Yes | The project that stores the captured traffic data.
| FlowLogProject |
LogStoreName | string | Yes | The Logstore that stores the captured traffic data.
| FlowLogStore |
Interval | long | No | The time window for collecting log data. Unit: seconds. Valid values: 60 and 600. Default value: 600. | 600 |
TransitRouterAttachmentId | string | No | The ID of the VPC connection, VPN connection, VBR connection, ECR connection, or inter-region connection. If you create the flow log for a transfer router, skip this parameter. | tr-attach-r6g0m3epjehw57**** |
TransitRouterId | string | No | The ID of the transit router. | tr-bp1rmwxnk221e3fas**** |
LogFormatString | string | No | The strings that define the fields in the flow log. Format:
| ${srcaddr}${dstaddr}${bytes} |
Tag | array<object> | No | The tags. You can specify at most 20 tags. | |
object | No | The tags. You can specify at most 20 tags. | ||
Key | string | No | The tag keys. The tag keys cannot be an empty string. The tag keys can be up to 64 characters in length. The tag keys cannot start with You can specify at most 20 tag keys in each call. | TagKey |
Value | string | No | The tag values. The tag values can be an empty string or up to 128 characters in length. The tag values cannot start with Each key-value must be unique. You can specify at most 20 tag values in each call. | TagValue |
Response parameters
Examples
Sample success responses
JSON
format
{
"RequestId": "54B48E3D-DF70-471B-AA93-08E683A1B457",
"Success": "true",
"FlowLogId": "flowlog-m5evbtbpt****"
}
Error codes
HTTP status code | Error code | Error message | Description |
---|---|---|---|
400 | ProjectOrLogstoreNotExist | The specified project or logstore does not exist. | The error message returned because the specified project or Logstore does not exist. |
400 | SourceProjectNotExist | The Source Project or logstore does not exist. | The error message returned because the specified source project or Logstore does not exist. |
400 | OperationUnsupported.action | This action is not support. | The error message returned because this operation is not supported in the specified region. |
400 | RuleExist | The rule has already existed. | The rule already exists. |
400 | QuotaExceeded.FlowlogCount | This user has reached the maximum instance number of flowlog. | The error message returned because the number of flow logs has reached the upper limit. |
400 | InvalidFlowlogId.exist | This cenId already has flowlog instance existed. | The error message returned because the specified CEN instance is already associated with a flow log. |
400 | Flowlog.AlreayExist | This attachment already has existed flowlog instance. | The error message returned because the specified flow log already exists. You cannot create duplicate flow logs. |
400 | IllegalParam.TransitRouterAttachmentId | TransitRouterAttachmentId is illegal. | The error message returned because the specified transit router is invalid. |
400 | InvalidTransitRouterAttachmentId.NotFound | The TransitRouterAttachmentId is not found. | The error message returned because the specified transit router attachment ID (TransitRouterAttachmentId) does not exist. |
400 | IncorrectStatus.flowlog | This action is not allowed in the current flow log status. | This action is not allowed in the current flow log status. |
400 | InvalidOperation.TransitRouterNotExist | Operation is invalid because the transit router not exist. | The error message returned because the specified transit router does not exist. |
400 | IncorrectStatus.TransitRouterAttachmentId | The resource is not in a valid state for the attachment operation. | The error message returned because the operation is not supported when the specified attachment is in an unstable state |
400 | ProjectExist | Project already exist, please try a different project name. | The log Project already exists, try a different Project name. |
400 | InvalidParameter.ProjectName | Project name is invalid or does not belong to specified region. | The Project name is illegal or does not belong to the specified region. |
400 | IncorrectStatus.TrFlowlog | Flowlog status for specified TransitRouter is invalid for this operation. | Flowlog status for specified TransitRouter is invalid for this operation. |
400 | OperationInvalid.IncompatibleFlowlogExist | Operation is invalid because incompatible flowlog config exists. | There are incompatible Flowlog configurations, please delete and try again. |
400 | InvalidParameter.LogFormatString | LogFormatString is invalid. | The specified log format is invalid. |
400 | InvalidParameter.LogStoreName | Specified LogStore name is invalid. | Logstore name is invalid. |
400 | InvalidParameter.ProjectName | ProjectName is invalid. | Project name is invalid. |
400 | OperationFailed.InvalidLogInfo | The entered log service information is invalid. Check whether the ProjectName and LogStoreName are correct, and whether Log Service has been activated. | The entered log service information is invalid. Check whether the ProjectName and LogStoreName are correct, and whether Log Service has been activated. |
400 | InvalidParameter | Invalid parameter. | The error message returned because the parameter is set to an invalid value. |
400 | Unauthorized | The AccessKeyId is unauthorized. | The error message returned because you do not have the permissions to perform this operation. |
403 | NoPermission.AliyunServiceRoleForTRFlowLog | You are not authorized to create service linked role AliyunServiceRoleForTRFlowLog. | You are not authorized to create service linked role AliyunServiceRoleForTRFlowLog. |
For a list of error codes, visit the Service error codes.
Change history
Change time | Summary of changes | Operation |
---|---|---|
2024-11-22 | API Description Update. The Error code has changed | View Change Details |
2024-11-14 | The Error code has changed. The request parameters of the API has changed | View Change Details |
2024-07-02 | The Error code has changed | View Change Details |
2024-05-22 | The Error code has changed | View Change Details |
2023-01-03 | The Error code has changed | View Change Details |