Introduction to flow logging for network security groups

Introduction

Network security group (NSG) flow logs are a feature of Azure Network Watcher that lets you log information about IP traffic flowing through an NSG. Flow data is sent to Azure Storage accounts, from where you can access it and export it to any visualization tool, SIEM, or IDS of your choice.

Figure: Flow logs overview

Why use Flow Logs?

It is vital to monitor, manage, and know your own network for uncompromised security, compliance, and performance. Knowing your own environment is of paramount importance to protect and optimize it. You often need to know the current state of the network, who is connecting, where they're connecting from, which ports are open to the internet, expected network behavior, irregular network behavior, and sudden rises in traffic.

Flow logs are the source of truth for all network activity in your cloud environment. Whether you're an upcoming startup trying to optimize resources or a large enterprise trying to detect intrusion, flow logs are your best bet. You can use them for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions, and more.

Common use cases

Network monitoring: Identify unknown or undesired traffic. Monitor traffic levels and bandwidth consumption. Filter flow logs by IP and port to understand application behavior. Export flow logs to the analytics and visualization tools of your choice to set up monitoring dashboards.

Usage monitoring and optimization: Identify top talkers in your network. Combine with GeoIP data to identify cross-region traffic. Understand traffic growth for capacity forecasting. Use the data to remove overly restrictive traffic rules.

Compliance: Use flow data to verify network isolation and compliance with enterprise access rules.

Network forensics and security analysis: Analyze network flows from compromised IPs and network interfaces. Export flow logs to any SIEM or IDS tool of your choice.

How logging works

Key properties

  • Flow logs operate at Layer 4 and record all IP flows going in and out of an NSG.
  • Logs are collected through the Azure platform and do not affect customer resources or network performance in any way.
  • Logs are written in JSON format and show outbound and inbound flows on a per-NSG-rule basis.
  • Each log record contains the network interface (NIC) the flow applies to, 5-tuple information, the traffic decision and (version 2 only) throughput information. See Log format below for full details.
  • Flow logs have a retention feature that allows automatically deleting the logs up to a year after their creation.

Note

Retention is available only if you use General purpose v2 storage accounts (GPv2).

Core concepts

  • Software-defined networks are organized around virtual networks (VNets) and subnets. The security of these VNets and subnets can be managed using an NSG.
  • A network security group (NSG) contains a list of security rules that allow or deny network traffic in the resources it is connected to. NSGs can be associated with subnets, individual VMs, or individual network interfaces (NICs) attached to VMs (Resource Manager). For more information, see Network security group overview.
  • All traffic flows in your network are evaluated using the rules in the applicable NSG.
  • The result of these evaluations is NSG flow logs. Flow logs are collected through the Azure platform and don't require any change to the customer resources.
  • Note: Rules are of two types, terminating and non-terminating, each with different logging behaviors.
    • NSG deny rules are terminating. The NSG denying the traffic logs it in the flow logs, and processing stops after any NSG denies the traffic.
    • NSG allow rules are non-terminating, which means that even if one NSG allows the traffic, processing continues to the next NSG. The last NSG allowing the traffic logs it to the flow logs.
  • NSG flow logs are written to storage accounts, from where they can be accessed.
  • You can export, process, analyze, and visualize flow logs using tools like Traffic Analytics, Splunk, Grafana, Stealthwatch, and others.
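The terminating/non-terminating distinction above decides which NSG's flow log a given flow ends up in, which matters when a VM sits behind both a subnet NSG and a NIC NSG. The following Python model is an added example written for this page, not Azure's own evaluation engine: it reduces NSG matching to direction, protocol and destination port (real rules also match on source and destination address prefixes), and all NSG names, rule names and addresses are constructed. For inbound traffic Azure evaluates the subnet NSG before the NIC NSG, which is the order the sample uses.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number is evaluated first within an NSG
    direction: str  # "I" inbound or "O" outbound
    protocol: str   # "T", "U" or "*" for any
    dst_port: str   # a single port number as a string, or "*" for any
    action: str     # "A" allow or "D" deny


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str
    direction: str


def first_matching_rule(rules, flow):
    """Within one NSG, the matching rule with the lowest priority number wins."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != flow.direction:
            continue
        if rule.protocol not in ("*", flow.protocol):
            continue
        if rule.dst_port not in ("*", str(flow.dst_port)):
            continue
        return rule
    raise ValueError("NSG has no rule matching the flow; real NSGs always carry catch-all default rules")


def evaluate(nsgs, flow):
    """Walk the NSGs in the order given and return (decision, logging_nsg, rule_name).

    Deny rules are terminating: the denying NSG logs the flow and processing
    stops. Allow rules are non-terminating: processing continues, and the
    last NSG that allows the flow is the one whose flow log records it.
    """
    last_allow = None
    for nsg_name, rules in nsgs:
        rule = first_matching_rule(rules, flow)
        if rule.action == "D":
            return "D", nsg_name, rule.name
        last_allow = (nsg_name, rule.name)
    return "A", last_allow[0], last_allow[1]


# Constructed sample: a subnet NSG and a NIC NSG protecting the same VM.
# For inbound traffic Azure evaluates the subnet NSG first, then the NIC NSG.
DENY_ALL_IN = Rule("DefaultRule_DenyAllInBound", 65500, "I", "*", "*", "D")
SUBNET_NSG = ("subnet-nsg", [
    Rule("UserRule_allow-rdp", 100, "I", "T", "3389", "A"),
    Rule("UserRule_allow-8080", 110, "I", "T", "8080", "A"),
    DENY_ALL_IN,
])
NIC_NSG = ("nic-nsg", [
    Rule("UserRule_allow-rdp", 100, "I", "T", "3389", "A"),
    DENY_ALL_IN,
])
INBOUND_ORDER = [SUBNET_NSG, NIC_NSG]


def demo():
    """Show which NSG's flow log would carry each of three constructed inbound flows."""
    flows = {
        "rdp": Flow("163.28.66.17", "10.1.0.4", 61771, 3389, "T", "I"),
        "port-8080": Flow("71.6.216.55", "10.1.0.4", 8080, 8080, "T", "I"),
        "port-5358": Flow("42.119.146.95", "10.1.0.4", 51529, 5358, "T", "I"),
    }
    return {label: evaluate(INBOUND_ORDER, f) for label, f in flows.items()}


if __name__ == "__main__":
    for label, (decision, nsg, rule) in demo().items():
        print(f"{label:10s} decision={decision} logged_by={nsg} rule={rule}")
```

The port-8080 case is the one to notice: the subnet NSG allows it, the NIC NSG denies it, so the deny is recorded only in the NIC NSG's flow log. With flow logging enabled on the subnet NSG alone, that denied flow would never be seen, which is why the best practice later on this page is to enable flow logs on every NSG applied to a resource.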

Log format

Flow logs include the following properties:

  • time - Time when the event was logged
  • systemId - Network security group system ID
  • category - The category of the event. The category is always NetworkSecurityGroupFlowEvent
  • resourceId - The resource ID of the NSG
  • operationName - Always NetworkSecurityGroupFlowEvents
  • properties - A collection of properties of the flow
    • Version - Version number of the flow log event schema
    • flows - A collection of flows. This property has multiple entries, one per rule
      • rule - Rule for which the flows are listed
        • flows - A collection of flows
          • mac - The MAC address of the NIC of the VM where the flow was collected
          • flowTuples - A string that contains multiple properties of the flow tuple in comma-separated format
            • Time Stamp - The time stamp of when the flow occurred, in UNIX epoch format
            • Source IP - The source IP
            • Destination IP - The destination IP
            • Source Port - The source port
            • Destination Port - The destination port
            • Protocol - The protocol of the flow. Valid values are T for TCP and U for UDP
            • Traffic Flow - The direction of the traffic flow. Valid values are I for inbound and O for outbound.
            • Traffic Decision - Whether the traffic was allowed or denied. Valid values are A for allowed and D for denied.
            • Flow State - Version 2 only - Captures the state of the flow. Possible states are B: Begin, when a flow is created; statistics aren't provided. C: Continuing, for an ongoing flow; statistics are provided at 5-minute intervals. E: End, when a flow is terminated; statistics are provided.
            • Packets - Source to destination - Version 2 only - The total number of TCP or UDP packets sent from source to destination since the last update.
            • Bytes sent - Source to destination - Version 2 only - The total number of TCP or UDP packet bytes sent from source to destination since the last update. Packet bytes include the packet header and payload.
            • Packets - Destination to source - Version 2 only - The total number of TCP or UDP packets sent from destination to source since the last update.
            • Bytes sent - Destination to source - Version 2 only - The total number of TCP or UDP packet bytes sent from destination to source since the last update. Packet bytes include the packet header and payload.

NSG flow logs version 2 (vs version 1)

Version 2 of the logs introduces the concept of flow state. You can configure which version of flow logs you receive.

Flow state B is recorded when a flow is initiated. Flow state C and flow state E mark the continuation and the termination of a flow, respectively. Both the C and E states contain traffic bandwidth information.

Sample log records

The text that follows is an example of a flow log. As you can see, there are multiple records that follow the property list described in the preceding section.

Note

Values in the flowTuples property are a comma-separated list.

Version 1 NSG flow log format sample

{
    "records": [
        {
            "time": "2017-02-16T22:00:32.8950000Z",
            "systemId": "2c002c16-72f3-4dc5-b391-3444c3527434",
            "category": "NetworkSecurityGroupFlowEvent",
            "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/FABRIKAMRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/FABRIAKMVM1-NSG",
            "operationName": "NetworkSecurityGroupFlowEvents",
            "properties": {
                "Version": 1,
                "flows": [
                    {
                        "rule": "DefaultRule_DenyAllInBound",
                        "flows": [
                            {
                                "mac": "000D3AF8801A",
                                "flowTuples": [
                                    "1487282421,42.119.146.95,10.1.0.4,51529,5358,T,I,D"
                                ]
                            }
                        ]
                    },
                    {
                        "rule": "UserRule_default-allow-rdp",
                        "flows": [
                            {
                                "mac": "000D3AF8801A",
                                "flowTuples": [
                                    "1487282370,163.28.66.17,10.1.0.4,61771,3389,T,I,A",
                                    "1487282393,5.39.218.34,10.1.0.4,58596,3389,T,I,A",
                                    "1487282393,91.224.160.154,10.1.0.4,61540,3389,T,I,A",
                                    "1487282423,13.76.89.229,10.1.0.4,53163,3389,T,I,A"
                                ]
                            }
                        ]
                    }
                ]
            }
        },
        {
            "time": "2017-02-16T22:01:32.8960000Z",
            "systemId": "2c002c16-72f3-4dc5-b391-3444c3527434",
            "category": "NetworkSecurityGroupFlowEvent",
            "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/FABRIKAMRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/FABRIAKMVM1-NSG",
            "operationName": "NetworkSecurityGroupFlowEvents",
            "properties": {
                "Version": 1,
                "flows": [
                    {
                        "rule": "DefaultRule_DenyAllInBound",
                        "flows": [
                            {
                                "mac": "000D3AF8801A",
                                "flowTuples": [
                                    "1487282481,195.78.210.194,10.1.0.4,53,1732,U,I,D"
                                ]
                            }
                        ]
                    },
                    {
                        "rule": "UserRule_default-allow-rdp",
                        "flows": [
                            {
                                "mac": "000D3AF8801A",
                                "flowTuples": [
                                    "1487282435,61.129.251.68,10.1.0.4,57776,3389,T,I,A",
                                    "1487282454,84.25.174.170,10.1.0.4,59085,3389,T,I,A",
                                    "1487282477,77.68.9.50,10.1.0.4,65078,3389,T,I,A"
                                ]
                            }
                        ]
                    }
                ]
            }
        },
        {
            "time": "2017-02-16T22:02:32.9040000Z",
            "systemId": "2c002c16-72f3-4dc5-b391-3444c3527434",
            "category": "NetworkSecurityGroupFlowEvent",
            "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/FABRIKAMRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/FABRIAKMVM1-NSG",
            "operationName": "NetworkSecurityGroupFlowEvents",
            "properties": {
                "Version": 1,
                "flows": [
                    {
                        "rule": "DefaultRule_DenyAllInBound",
                        "flows": [
                            {
                                "mac": "000D3AF8801A",
                                "flowTuples": [
                                    "1487282492,175.182.69.29,10.1.0.4,28918,5358,T,I,D",
                                    "1487282505,71.6.216.55,10.1.0.4,8080,8080,T,I,D"
                                ]
                            }
                        ]
                    },
                    {
                        "rule": "UserRule_default-allow-rdp",
                        "flows": [
                            {
                                "mac": "000D3AF8801A",
                                "flowTuples": [
                                    "1487282512,91.224.160.154,10.1.0.4,59046,3389,T,I,A"
                                ]
                            }
                        ]
                    }
                ]
            }
        }
    ]
}

Version 2 NSG flow log format sample

{
    "records": [
        {
            "time": "2018-11-13T12:00:35.3899262Z",
            "systemId": "a0fca5ce-022c-47b1-9735-89943b42f2fa",
            "category": "NetworkSecurityGroupFlowEvent",
            "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/FABRIKAMRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/FABRIAKMVM1-NSG",
            "operationName": "NetworkSecurityGroupFlowEvents",
            "properties": {
                "Version": 2,
                "flows": [
                    {
                        "rule": "DefaultRule_DenyAllInBound",
                        "flows": [
                            {
                                "mac": "000D3AF87856",
                                "flowTuples": [
                                    "1542110402,94.102.49.190,10.5.16.4,28746,443,U,I,D,B,,,,",
                                    "1542110424,176.119.4.10,10.5.16.4,56509,59336,T,I,D,B,,,,",
                                    "1542110432,167.99.86.8,10.5.16.4,48495,8088,T,I,D,B,,,,"
                                ]
                            }
                        ]
                    },
                    {
                        "rule": "DefaultRule_AllowInternetOutBound",
                        "flows": [
                            {
                                "mac": "000D3AF87856",
                                "flowTuples": [
                                    "1542110377,10.5.16.4,13.67.143.118,59831,443,T,O,A,B,,,,",
                                    "1542110379,10.5.16.4,13.67.143.117,59932,443,T,O,A,E,1,66,1,66",
                                    "1542110379,10.5.16.4,13.67.143.115,44931,443,T,O,A,C,30,16978,24,14008",
                                    "1542110406,10.5.16.4,40.71.12.225,59929,443,T,O,A,E,15,8489,12,7054"
                                ]
                            }
                        ]
                    }
                ]
            }
        },
        {
            "time": "2018-11-13T12:01:35.3918317Z",
            "systemId": "a0fca5ce-022c-47b1-9735-89943b42f2fa",
            "category": "NetworkSecurityGroupFlowEvent",
            "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/FABRIKAMRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/FABRIAKMVM1-NSG",
            "operationName": "NetworkSecurityGroupFlowEvents",
            "properties": {
                "Version": 2,
                "flows": [
                    {
                        "rule": "DefaultRule_DenyAllInBound",
                        "flows": [
                            {
                                "mac": "000D3AF87856",
                                "flowTuples": [
                                    "1542110437,125.64.94.197,10.5.16.4,59752,18264,T,I,D,B,,,,",
                                    "1542110475,80.211.72.221,10.5.16.4,37433,8088,T,I,D,B,,,,",
                                    "1542110487,46.101.199.124,10.5.16.4,60577,8088,T,I,D,B,,,,",
                                    "1542110490,176.119.4.30,10.5.16.4,57067,52801,T,I,D,B,,,,"
                                ]
                            }
                        ]
                    }
                ]
            }
        }
    ]
}

Log tuple explained

Figure: Flow log tuple

Sample bandwidth calculation

Flow tuples from a TCP conversation between 185.170.185.105:35370 and 10.2.0.4:23:

"1493763938,185.170.185.105,10.2.0.4,35370,23,T,I,A,B,,,,"
"1493695838,185.170.185.105,10.2.0.4,35370,23,T,I,A,C,1021,588096,8005,4610880"
"1493696138,185.170.185.105,10.2.0.4,35370,23,T,I,A,E,52,29952,47,27072"

For the continuation (C) and end (E) flow states, byte and packet counts are aggregate counts since the previous flow tuple record. In the example conversation above, the total number of packets transferred is 1021+52+8005+47 = 9125, and the total number of bytes transferred is 588096+29952+4610880+27072 = 5256000.
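The log format, the sample records and the bandwidth calculation above all come together once the flowTuples strings are parsed. The following Python is an added example written for this page, not Microsoft's code or a published parser: it splits version 1 (8-field) and version 2 (13-field) tuples, walks the records/flows/rule structure of a log file, sums the C and E counters per conversation exactly as the calculation above does, and tallies denied inbound flows per destination port (the "identify unknown or undesired traffic" use case). The embedded log is constructed for the example, reusing tuple values shown on this page; the rule name UserRule_allow-telnet-example, the systemId and the resource group name are placeholders.

```python
import json
from collections import Counter, defaultdict

# Field layout of one flowTuples entry. Version 1 has the first 8 fields;
# version 2 appends the flow state and four traffic counters (empty for state B).
V1_FIELDS = ("ts", "src_ip", "dst_ip", "src_port", "dst_port",
             "protocol", "direction", "decision")
V2_FIELDS = V1_FIELDS + ("state", "pkts_s2d", "bytes_s2d", "pkts_d2s", "bytes_d2s")
COUNTERS = ("pkts_s2d", "bytes_s2d", "pkts_d2s", "bytes_d2s")


def parse_tuple(tuple_str, version):
    """Split one comma-separated flow tuple into a dict.

    Ports and counters become ints; missing counters (state B, or any
    version 1 tuple) become 0 so callers can sum without special cases.
    """
    fields = V2_FIELDS if version == 2 else V1_FIELDS
    parts = tuple_str.split(",")
    if len(parts) != len(fields):
        raise ValueError(f"expected {len(fields)} fields for version {version}, "
                         f"got {len(parts)}: {tuple_str!r}")
    rec = dict(zip(fields, parts))
    rec["ts"] = int(rec["ts"])
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    for key in COUNTERS:
        rec[key] = int(rec.get(key) or 0)
    return rec


def iter_flows(log):
    """Yield one dict per flow tuple, annotated with the NSG rule name and NIC MAC."""
    for record in log["records"]:
        props = record["properties"]
        version = props["Version"]
        for rule_block in props["flows"]:
            for nic in rule_block["flows"]:
                for tuple_str in nic["flowTuples"]:
                    flow = parse_tuple(tuple_str, version)
                    flow["rule"] = rule_block["rule"]
                    flow["mac"] = nic["mac"]
                    yield flow


def conversation_totals(flows):
    """Sum the per-interval counters of all C and E tuples for each 5-tuple conversation."""
    totals = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for f in flows:
        if f.get("state") not in ("C", "E"):
            continue  # B tuples (and version 1 tuples) carry no statistics
        key = (f["src_ip"], f["src_port"], f["dst_ip"], f["dst_port"], f["protocol"])
        totals[key]["packets"] += f["pkts_s2d"] + f["pkts_d2s"]
        totals[key]["bytes"] += f["bytes_s2d"] + f["bytes_d2s"]
    return dict(totals)


def denied_inbound_by_port(flows):
    """Map each destination port to the count of denied inbound flows per source IP."""
    ports = defaultdict(Counter)
    for f in flows:
        if f["direction"] == "I" and f["decision"] == "D":
            ports[f["dst_port"]][f["src_ip"]] += 1
    return {port: dict(sources) for port, sources in ports.items()}


# Constructed version 2 log: one allowed Telnet conversation (the tuples from the
# bandwidth calculation on this page) and three denied inbound flows.
SAMPLE_LOG = {
    "records": [{
        "time": "2017-05-02T22:25:38.0000000Z",
        "systemId": "00000000-0000-0000-0000-000000000000",  # placeholder
        "category": "NetworkSecurityGroupFlowEvent",
        "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/EXAMPLERG"
                      "/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/EXAMPLE-NSG",
        "operationName": "NetworkSecurityGroupFlowEvents",
        "properties": {
            "Version": 2,
            "flows": [
                {"rule": "UserRule_allow-telnet-example",  # constructed rule name
                 "flows": [{"mac": "000D3AF87856", "flowTuples": [
                     "1493763938,185.170.185.105,10.2.0.4,35370,23,T,I,A,B,,,,",
                     "1493695838,185.170.185.105,10.2.0.4,35370,23,T,I,A,C,1021,588096,8005,4610880",
                     "1493696138,185.170.185.105,10.2.0.4,35370,23,T,I,A,E,52,29952,47,27072",
                 ]}]},
                {"rule": "DefaultRule_DenyAllInBound",
                 "flows": [{"mac": "000D3AF87856", "flowTuples": [
                     "1542110402,94.102.49.190,10.5.16.4,28746,443,U,I,D,B,,,,",
                     "1542110432,167.99.86.8,10.5.16.4,48495,8088,T,I,D,B,,,,",
                     "1542110475,80.211.72.221,10.5.16.4,37433,8088,T,I,D,B,,,,",
                 ]}]},
            ],
        },
    }]
}


if __name__ == "__main__":
    flows = list(iter_flows(SAMPLE_LOG))
    for conv, totals in conversation_totals(flows).items():
        print(conv, totals)
    print(json.dumps(denied_inbound_by_port(flows), indent=2))
```

Because the counters in a C or E tuple cover only the interval since the previous tuple, summing them is the right aggregation; taking the last E tuple alone would under-report the conversation. Note also that the page's caveat about user-defined inbound TCP rules applies here: for flows matched by such rules the counters are not recorded, so totals computed this way can be lower than the real traffic.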

Enabling NSG Flow Logs

Use the relevant link from below for guides on enabling flow logs.

Updating parameters

Azure portal

On the Azure portal, navigate to the NSG Flow Logs section in Network Watcher, then click the name of the NSG. This brings up the settings pane for the flow log. Change the parameters you want and click Save to deploy the changes.

PS/CLI/REST/ARM

To update parameters via command-line tools, use the same command used to enable flow logs (from above), but with the new values of the parameters you want to change.

Working with Flow logs

Read and export flow logs

While flow logs target NSGs, they are not displayed the same way as other logs. Flow logs are stored only within a storage account and follow the logging path shown in the following example:

https://{storageAccountName}.blob.core.chinacloudapi.cn/insights-logs-networksecuritygroupflowevent/resourceId=/SUBSCRIPTIONS/{subscriptionID}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/{nsgName}/y={year}/m={month}/d={day}/h={hour}/m=00/macAddress={macAddress}/PT1H.json
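When pulling logs for an incident window you need one PT1H.json blob per NSG, per NIC MAC and per UTC hour, so it is worth being able to build and parse the path above programmatically. The following Python is an added example written for this page, not a Microsoft tool or SDK call: hourly_blob_urls expands the path template over a time range and parse_blob_path recovers the NSG name, MAC and hour from a blob URL or blob name. It keeps the Azure China endpoint shown above, and it assumes the month, day and hour segments are two-digit zero-padded and the resource ID appears upper-cased, as in the sample records on this page; the storage account name and time window are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Endpoint as shown on this page (Azure China); global Azure uses blob.core.windows.net.
BLOB_ENDPOINT = "blob.core.chinacloudapi.cn"
CONTAINER = "insights-logs-networksecuritygroupflowevent"


def hourly_blob_urls(account, nsg_resource_id, mac, start, end):
    """Yield the PT1H.json blob URL for every UTC hour in [start, end).

    Assumes two-digit zero-padded m=/d=/h= segments and an upper-cased
    resource ID, matching the sample records on this page.
    """
    if start.tzinfo is None or end.tzinfo is None:
        raise ValueError("use timezone-aware datetimes")
    cur = start.astimezone(timezone.utc).replace(minute=0, second=0, microsecond=0)
    end = end.astimezone(timezone.utc)
    while cur < end:
        yield (
            f"https://{account}.{BLOB_ENDPOINT}/{CONTAINER}"
            f"/resourceId={nsg_resource_id.upper()}"
            f"/y={cur.year}/m={cur.month:02d}/d={cur.day:02d}/h={cur.hour:02d}/m=00"
            f"/macAddress={mac.upper()}/PT1H.json"
        )
        cur += timedelta(hours=1)


# Inverse direction: pull the NSG name, MAC and hour back out of a blob URL or blob name.
_PATH_RE = re.compile(
    r"/resourceId=(?P<resource_id>/SUBSCRIPTIONS/[^/]+/RESOURCEGROUPS/[^/]+"
    r"/PROVIDERS/MICROSOFT\.NETWORK/NETWORKSECURITYGROUPS/(?P<nsg>[^/]+))"
    r"/y=(?P<y>\d{4})/m=(?P<mo>\d{1,2})/d=(?P<d>\d{1,2})/h=(?P<h>\d{1,2})/m=\d{2}"
    r"/macAddress=(?P<mac>[0-9A-Fa-f]+)/PT1H\.json$",
    re.IGNORECASE,
)


def parse_blob_path(path):
    """Return resource_id, nsg, mac and the UTC hour for a flow log blob path; raise ValueError otherwise."""
    m = _PATH_RE.search(path)
    if m is None:
        raise ValueError(f"not an NSG flow log blob path: {path!r}")
    return {
        "resource_id": m["resource_id"],
        "nsg": m["nsg"],
        "mac": m["mac"].upper(),
        "hour": datetime(int(m["y"]), int(m["mo"]), int(m["d"]), int(m["h"]), tzinfo=timezone.utc),
    }


def demo_urls():
    """Blob URLs for a constructed 90-minute window using the resource ID from this page's samples."""
    nsg_id = ("/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/FABRIKAMRG"
              "/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/FABRIAKMVM1-NSG")
    start = datetime(2017, 2, 16, 22, 30, tzinfo=timezone.utc)
    end = datetime(2017, 2, 17, 0, 0, tzinfo=timezone.utc)
    return list(hourly_blob_urls("examplestorage", nsg_id, "000D3AF8801A", start, end))


if __name__ == "__main__":
    for url in demo_urls():
        print(parse_blob_path(url)["hour"].isoformat(), url)
```

A window that starts at 22:30 still needs the h=22 blob, because that blob holds the whole hour; the generator therefore floors the start time to the hour before iterating.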

Visualize flow logs

NSG flow logging considerations

Storage account considerations:

  • Location: The storage account used must be in the same region as the NSG.
  • Self-managed key rotation: If you change or rotate the access keys of your storage account, NSG flow logs will stop working. To fix this issue, you must disable and then re-enable NSG flow logs.

Flow logging costs: NSG flow logging is billed on the volume of logs produced. High traffic volume can result in large flow log volume and the associated costs. NSG flow log pricing does not include the underlying costs of storage. Using the retention policy feature with NSG flow logging means incurring separate storage costs for extended periods of time. If you do not require the retention policy feature, we recommend that you set this value to 0. For more information, see Network Watcher pricing and Azure Storage pricing.

Issues with user-defined inbound TCP rules: Network security groups (NSGs) are implemented as a stateful firewall. However, due to current platform limitations, user-defined rules that affect inbound TCP flows are implemented in a stateless fashion. Because of this, flows affected by user-defined inbound rules become non-terminating. Additionally, byte and packet counts are not recorded for these flows. Consequently, the number of bytes and packets reported in NSG flow logs (and Traffic Analytics) could differ from the actual numbers. An opt-in flag that fixes these issues is scheduled to be available by December 2020 at the latest. In the interim, customers facing severe issues due to this behaviour can request opting in via Support; please raise a support request under Network Watcher > NSG Flow Logs.

Inbound flows logged from internet IPs to VMs without public IPs: VMs that don't have a public IP address assigned via a public IP address associated with the NIC as an instance-level public IP, or that are part of a basic load balancer back-end pool, use default SNAT and have an IP address assigned by Azure to facilitate outbound connectivity. As a result, you might see flow log entries for flows from internet IP addresses if the flow is destined to a port in the range of ports assigned for SNAT. While Azure won't allow these flows to reach the VM, the attempt is logged and appears in Network Watcher's NSG flow log by design. We recommend that unwanted inbound internet traffic be explicitly blocked with an NSG.

Incompatible services: Due to current platform limitations, a small set of Azure services are not supported by NSG flow logs. The current list of incompatible services is

Best practices

Enable on critical VNets/subnets: Flow logs should be enabled on all critical VNets/subnets in your subscription as an auditability and security best practice.

Enable NSG flow logging on all NSGs attached to a resource: Flow logging in Azure is configured on the NSG resource. A flow is only ever associated with one NSG rule. In scenarios where multiple NSGs are used, we recommend enabling NSG flow logs on all NSGs applied to a resource's subnet or network interface, to ensure that all traffic is recorded. For more information, see how traffic is evaluated in network security groups.

Storage provisioning: Storage should be provisioned in line with the expected flow log volume.

Troubleshooting common issues

I could not enable NSG Flow Logs

  • The Microsoft.Insights resource provider is not registered

If you received an AuthorizationFailed or a GatewayAuthenticationFailed error, you might not have enabled the Azure Insights resource provider on your subscription. Follow the instructions to enable the Azure Insights provider.

I have enabled NSG Flow Logs but do not see data in my storage account

  • Setup time

NSG flow logs may take up to 5 minutes to appear in your storage account (if configured correctly). A PT1H.json file will appear, which can be accessed as described here.

  • No traffic on your NSGs

Sometimes you will not see logs because your VMs are not active, or because there are upstream filters at an application gateway or other devices that are blocking traffic to your NSGs.

I want to automate NSG Flow Logs

Support for automation via ARM templates is currently not available for NSG flow logs. Read the feature announcement for more information.

FAQ

What does NSG Flow Logs do?

Azure network resources can be combined and managed through network security groups (NSGs). NSG flow logs enable you to log 5-tuple flow information about all traffic through your NSGs. The raw flow logs are written to an Azure Storage account, from where they can be further processed, analyzed, queried, or exported as needed.

Does using Flow Logs impact my network latency or performance?

Flow log data is collected outside of the path of your network traffic, and therefore does not affect network throughput or latency. You can create or delete flow logs without any risk of impact to network performance.

How do I use NSG Flow Logs with a storage account behind a firewall?

To use a storage account behind a firewall, you have to provide an exception for trusted Azure services to access your storage account:

  • Navigate to the storage account by typing the storage account's name in the global search on the portal, or from the Storage accounts page
  • Under the SETTINGS section, select Firewalls and virtual networks
  • In Allow access from, select Selected networks. Then, under Exceptions, tick the box next to "Allow trusted Azure services to access this storage account"
  • If it is already selected, no change is needed.
  • Locate your target NSG on the NSG Flow Logs overview page and enable NSG flow logs with the above storage account selected.

You can check the storage logs after a few minutes; you should see an updated timestamp or a new JSON file created.

How do I use NSG Flow Logs with a storage account behind a service endpoint?

NSG flow logs are compatible with service endpoints without requiring any extra configuration. See the tutorial on enabling service endpoints in your virtual network.

What is the difference between flow logs versions 1 and 2?

Flow logs version 2 introduces the concept of flow state and stores information about the bytes and packets transmitted. Read more

Pricing

NSG flow logs are charged per GB of logs collected and come with a free tier of 5 GB/month per subscription. For the current pricing in your region, see the Network Watcher pricing page.

Storage of logs is charged separately; see the Azure Storage block blob pricing page for the relevant prices.