Last updated: May 23, 2026
Flow Logs
Flow Logs give you a passive, aggregated view of the network traffic moving between your services. Each row tells you, for a recent time window, how much traffic flowed from one workload owner to another.
This is the surface you use when you need to answer questions like:
- “Is this service actually talking to anyone right now?”
- “Did traffic suddenly start flowing between two projects that shouldn’t be connected?”
- “Which workload is the busiest source right now?”
What a flow row contains
Each row aggregates traffic over a short time window:
| Field | What it tells you |
|---|---|
| Source | The workload that originated the traffic, mapped back to your project and service. |
| Destination | The workload that received the traffic, mapped back to your project and service. |
| Rate | Bytes per second over the selected window. |
| Direction | Whether the flow is internal (same project) or cross-project. |
| Finding | A link to a related security finding, if one exists for this flow. Most rows have none. |
Each row carries only those five fields. Rows never include payloads, IPs, or ports, and they never include URLs, HTTP methods, or statuses. Flow Logs report byte rates between workloads; for per-request data with status codes and latency, see Traces.
Time windows
Flow Logs operate on short bounded windows: 15m, 1h, and 6h. Pick the window for the question you’re answering:
- 15m: current behavior. What’s happening right now?
- 1h: recent history. Did something change in the last hour?
- 6h: short-term patterns. What’s typical over the last quarter day?
For longer-term traffic patterns, use Topology and the project Observatory.
Scopes
You can read Flow Logs at three scopes:
- Account: every flow across every project you own.
- Project: flows where the source or destination is inside one specific project.
- Service: flows where the source or destination is one specific service.
Cross-project and cross-account flows are visible only from accounts you own. Guara never shows you traffic that doesn’t belong to your account.
When findings appear
Most Flow Logs rows are pure context: the normal, healthy chatter of your services. Some rows carry a link to a flow log security finding when Shield’s correlation rules see something worth your attention. Examples:
- Traffic suddenly appearing between two projects that have never talked to each other before.
- A workload that just went public starting to receive cross-project traffic that previously never reached it.
Rows without a finding link are observability, not alerts. The finding link only appears when Shield has a specific, named reason to flag the row.
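The sketch below is an added example, not Guara's code or API. It shows a first-seen check in the spirit of the first example above, run over rows you have noted from the Flow Logs view. The `FlowRow` type, the `project/service` owner-label format, the finding identifier, and all sample rows are assumptions constructed for illustration; this page does not describe an export format.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class FlowRow:
    source: str                    # owner label, assumed "project/service"
    destination: str               # owner label, assumed "project/service"
    rate_bps: float                # bytes per second over the window
    direction: str                 # "internal" or "cross-project"
    finding: Optional[str] = None  # finding link, if any

def project_pair(row):
    """Unordered pair of projects a row connects (assumed label format)."""
    return frozenset(label.split("/", 1)[0]
                     for label in (row.source, row.destination))

def known_pairs(rows):
    """Project pairs already seen talking across a project boundary."""
    return {project_pair(r) for r in rows if r.direction == "cross-project"}

def first_seen_cross_project(baseline_rows, current_rows):
    """Cross-project rows whose project pair is not in the baseline, busiest first."""
    known = known_pairs(baseline_rows)
    fresh = [r for r in current_rows
             if r.direction == "cross-project" and project_pair(r) not in known]
    return sorted(fresh, key=lambda r: r.rate_bps, reverse=True)

# Constructed rows: a baseline noted earlier and a current 15m window.
BASELINE = [
    FlowRow("shop/web", "shop/api", 52000, "internal"),
    FlowRow("shop/api", "billing/ledger", 8100, "cross-project"),
]
CURRENT = [
    FlowRow("shop/web", "shop/api", 61000, "internal"),
    FlowRow("billing/ledger", "shop/api", 900, "cross-project"),  # known pair, reversed
    FlowRow("shop/api", "analytics/ingest", 1200, "cross-project",
            finding="EXAMPLE-FINDING-1"),                          # placeholder link
    FlowRow("analytics/export", "billing/ledger", 240000, "cross-project"),
]

if __name__ == "__main__":
    for row in first_seen_cross_project(BASELINE, CURRENT):
        status = row.finding or "no finding linked"
        print(f"{row.source} -> {row.destination}  {row.rate_bps:.0f} B/s  ({status})")
```

Rows the check returns without a finding link are still observability, not alerts; the output is a short list to compare against what you expect your projects to be doing.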
Where Flow Logs live
Flow Logs have their own surface inside Guara Shield at /security/guara-shield/flow-logs. You can scope to a specific project from the project’s Security tab, or to a specific service from the service’s Security tab.
Privacy by design
Flow Logs are explicitly designed so that no row can leak business or personal data:
- Aggregation is workload-to-workload, not user-to-user.
- No payloads ever cross from observability into Shield.
- No external endpoints are named beyond the owner labels Shield can attribute to your own resources.
If a flow can’t be attributed back to a workload you own, it isn’t shown.
Where to go next
- For a visual map of how your services connect: Topology and Observatory.
- For per-request data including status codes and latency: Traces.
- For service-level network configuration: Service networking.
- To triage findings linked from flow rows: Security Findings.