Manage NSG flow logs using the Azure CLI

  • Article

Network security group flow logging is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through a network security group. For more information about network security group flow logging, see NSG flow logs overview.

In this article, you learn how to create, change, disable, or delete an NSG flow log using the Azure CLI. You can learn how to manage an NSG flow log using the Azure portal, PowerShell, REST API, or ARM template.

Prerequisites

Register Insights provider

Microsoft.Insights provider must be registered to successfully log traffic flowing through a network security group. If you aren't sure if the Microsoft.Insights provider is registered, use az provider register to register it.

# Register Microsoft.Insights provider.
az provider register --namespace 'Microsoft.Insights'

Create a flow log

Create a flow log using az network watcher flow-log create. The flow log is created in the Network Watcher default resource group NetworkWatcherRG.

# Create a version 1 NSG flow log.
az network watcher flow-log create --name 'myFlowLog' --nsg 'myNSG' --resource-group 'myResourceGroup' --storage-account 'myStorageAccount'

Note

  • If the storage account is in a different subscription, the network security group and storage account must be associated with the same Azure Active Directory tenant. The account you use for each subscription must have the necessary permissions.
  • If the storage account is in a different resource group or subscription, you must specify the full ID of the storage account instead of only its name. For example, if myStorageAccount storage account is in a resource group named StorageRG while the network security group is in the resource group myResourceGroup, you must use /subscriptions/{SubscriptionID}/resourceGroups/RG-Storage/providers/Microsoft.Storage/storageAccounts/myStorageAccount for --storage-account parameter instead of myStorageAccount.
# Place the storage account resource ID into a variable.
sa=$(az storage account show --name 'myStorageAccount' --query 'id' --output 'tsv')

# Create a version 1 NSG flow log (the storage account is in a different resource group).
az network watcher flow-log create --name 'myFlowLog' --nsg 'myNSG' --resource-group 'myResourceGroup' --storage-account $sa

Create a flow log and traffic analytics workspace

  1. Create a Log Analytics workspace using az monitor log-analytics workspace create.

    # Create a Log Analytics workspace.
az monitor log-analytics workspace create --name 'myWorkspace' --resource-group 'myResourceGroup'

  2. Create a flow log using az network watcher flow-log create. The flow log is created in the Network Watcher default resource group NetworkWatcherRG.

    # Create a version 1 NSG flow log and enable traffic analytics for it.
az network watcher flow-log create --name 'myFlowLog' --nsg 'myNSG' --resource-group 'myResourceGroup' --storage-account 'myStorageAccount' --traffic-analytics 'true' --workspace 'myWorkspace'

Note

  • The storage account can't have network rules that restrict network access to only Azure services or specific virtual networks.
  • If the storage account is in a different subscription, the network security group and storage account must be associated with the same Azure Active Directory tenant. The account you use for each subscription must have the necessary permissions.
  • If the storage account is in a different resource group or subscription, the full ID of the storage account must be used. For example, if myStorageAccount storage account is in a resource group named StorageRG while the network security group is in the resource group myResourceGroup, you must use /subscriptions/{SubscriptionID}/resourceGroups/RG-Storage/providers/Microsoft.Storage/storageAccounts/myStorageAccount for --storage-account parameter instead of myStorageAccount.
# Place the storage account resource ID into a variable.
sa=$(az storage account show --name 'myStorageAccount' --query 'id' --output 'tsv')

# Create a Log Analytics workspace.
az monitor log-analytics workspace create --name 'myWorkspace' --resource-group 'myResourceGroup'

# Create a version 1 NSG flow log and enable traffic analytics for it (the storage account is in a different resource group).
az network watcher flow-log create --name 'myFlowLog' --nsg 'myNSG' --resource-group 'myResourceGroup' --storage-account $sa --traffic-analytics 'true' --workspace 'myWorkspace'

Change a flow log

You can use az network watcher flow-log update to change the properties of a flow log. For example, you can change the flow log version or disable traffic analytics.

# Update the flow log.
az network watcher flow-log update --name 'myFlowLog' --nsg 'myNSG' --resource-group 'myResourceGroup' --storage-account 'myStorageAccount' --traffic-analytics 'false' --log-version '2'

List all flow logs in a region

Use az network watcher flow-log list to list all NSG flow log resources in a particular region in your subscription.

# Get all NSG flow logs in China East region.
az network watcher flow-log list --location 'chinaeast' --out table

View details of a flow log resource

Use az network watcher flow-log show to see details of a flow log resource.

# Get the details of a flow log.
az network watcher flow-log show --name 'myFlowLog' --resource-group 'NetworkWatcherRG' --location 'chinaeast'

Download a flow log

The storage location of a flow log is defined at creation. To access and download flow logs from your storage account, you can use Azure Storage Explorer. Fore more information, see Get started with Storage Explorer.

NSG flow log files saved to a storage account follow this path:

https://{storageAccountName}.blob.core.chinacloudapi.cn/insights-logs-networksecuritygroupflowevent/resourceId=/SUBSCRIPTIONS/{subscriptionID}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/{NetworkSecurityGroupName}/y={year}/m={month}/d={day}/h={hour}/m=00/macAddress={macAddress}/PT1H.json

For information about the structure of a flow log, see Log format of NSG flow logs.

Disable a flow log

To temporarily disable a flow log without deleting it, use az network watcher flow-log update command. Disabling a flow log stops flow logging for the associated network security group. However, the flow log resource remains with all its settings and associations. You can re-enable it at any time to resume flow logging for the configured network security group.

Note

If traffic analytics is enabled for a flow log, it must disabled before you can disable the flow log.

# Disable traffic analytics log if it's enabled.
az network watcher flow-log update --name 'myFlowLog' --nsg 'myNSG' --resource-group 'myResourceGroup' --storage-account 'myStorageAccount' --traffic-analytics 'false' --workspace 'myWorkspace'

# Disable the flow log.
az network watcher flow-log update --name 'myFlowLog' --nsg 'myNSG' --resource-group 'myResourceGroup' --storage-account 'myStorageAccount' --enabled 'false'

Delete a flow log

To permanently delete a flow log, use az network watcher flow-log delete command. Deleting a flow log deletes all its settings and associations. To begin flow logging again for the same network security group, you must create a new flow log for it.

# Delete the flow log.
az network watcher flow-log delete --name 'myFlowLog' --location 'chinaeast' --no-wait 'true'

Note

Deleting a flow log does not delete the flow log data from the storage account. Flow logs data stored in the storage account follow the configured retention policy.

Next steps