[AWS VPC Flow] Support newer VPC log formats

[jamiehynds]

Our current VPC flow log integration supports version 5, which is now outdated. AWS has since released versions 6 and 7, introducing new metadata fields for Transit Gateway and ECS workloads. To stay current and provide more complete visibility, our integration should be updated to support and normalize these additional fields where applicable.

Version 6
This was introduced to provide enhanced visibility for AWS Transit Gateway (TGW) flows. It adds 18 new fields related to TGW-specific metadata, making it easier to analyze traffic that crosses and connects through Transit Gateway architectures

Version 7
This version was introduced to surface metadata for workloads running on Amazon Elastic Container Service (ECS). It adds 10 new ECS-specific fields, including:

ecs-cluster-arn, ecs-cluster-name
ecs-task-id, ecs-task-arn
ecs-task-definition-arn, ecs-service-name
ecs-container-id, ecs-second-container-id

Can we please update our integration with VPC flow to ensure we're up to date with the latest formats, and claim support for v6 and v7 log formats.

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[ShourieG]

Attaching the official amazon doc for field references

• The official doc can be found here.
• Transit Gateway additions (v6)
• New ECS fields (v7)

A small rundown of the necessary steps for upgrading from v5 to v6 & v7

Version 6: Transit Gateway Visibility

Version 6 introduces 18 new fields for AWS Transit Gateway (TGW).

Field Name	Description
tgw-id	The ID of the Transit Gateway that handled the flow.
tgw-attachment-id	The ID of the Transit Gateway attachment (e.g., VPC, VPN, DX, or Peering).
tgw-src-vpc-account-id	AWS account ID of the source VPC.
tgw-dst-vpc-account-id	AWS account ID of the destination VPC.
tgw-src-vpc-id	The ID of the source VPC.
tgw-dst-vpc-id	The ID of the destination VPC.
tgw-src-subnet-id	The subnet ID associated with the source of the traffic.
tgw-dst-subnet-id	The subnet ID associated with the destination of the traffic.
tgw-src-eni	The ENI (Elastic Network Interface) ID on the source side of the attachment.
tgw-dst-eni	The ENI ID on the destination side of the attachment.
tgw-src-az-id	Availability Zone ID for the source attachment.
tgw-dst-az-id	Availability Zone ID for the destination attachment.
tgw-pair-attachment-id	The paired ingress/egress attachment ID for the flow (depends on flow direction).
packets-lost-no-route	Number of packets dropped because no route was found.
packets-lost-blackhole	Number of packets dropped due to a black hole route.
packets-lost-mtu-exceeded	Number of packets dropped because they exceeded the MTU.
packets-lost-ttl-expired	Number of packets dropped because their TTL expired.
resource-type	Indicates whether the record is for a Transit Gateway or a Transit Gateway Attachment.

---

Version 7: Amazon ECS Workloads

Version 7 adds 10 new fields focused on Amazon Elastic Container Service (ECS).

Field Name	Description
ecs-cluster-arn	ARN of the ECS Cluster if the traffic comes from a running ECS Task.
ecs-cluster-name	Name of the ECS Cluster if the traffic comes from a running ECS Task.
ecs-container-instance-arn	ARN of the ECS Container Instance (for tasks using EC2 launch type).
ecs-container-instance-id	ID of the ECS Container Instance (for EC2 launch type).
ecs-container-id	Docker runtime ID of the container (first container in the task).
ecs-second-container-id	Docker runtime ID of the second container in the task, if present.
ecs-service-name	Name of the ECS Service if the task is started by a service.
ecs-task-definition-arn	ARN of the ECS Task Definition for the running task.
ecs-task-arn	ARN of the ECS Task generating the flow.
ecs-task-id	ID of the ECS Task generating the flow.

[andrewkroh]

The parse_aws_vpc_flow_log Beats processor has ECS (Elastic Common Schema) mappings for some of those v6-v8 fields. We should strive to map them the same way in the Fleet integration's pipeline.

https://github.com/elastic/beats/blob/main/docs/reference/filebeat/processor-parse-aws-vpc-flow-log.md#ecs-_ecs

[moxarth-rathod]

@jamiehynds do we have the sample logs available for the testing purpose?

[jamiehynds]

I don't @moxarth-rathod - they'll have to be manually generated.

[moxarth-rathod]

I don't @moxarth-rathod - they'll have to be manually generated.

No worries, we'll look into this and try to generate the logs manually.