Configuring Network Security Group Flow logs with PowerShell

Network Security Group flow logs are a feature of Network Watcher that allows you to view information about ingress and egress IP traffic through a Network Security Group. These flow logs are written in JSON format and show outbound and inbound flows on a per-rule basis, the NIC the flow applies to, 5-tuple information about the flow (source/destination IP, source/destination port, protocol), and whether the traffic was allowed or denied.

Register Insights provider

In order for flow logging to work successfully, the Microsoft.Insights provider must be registered. If you are not sure whether the Microsoft.Insights provider is registered, run the following script.

Register-AzResourceProvider -ProviderNamespace Microsoft.Insights

Enable Network Security Group Flow logs and Traffic Analytics

The commands to enable flow logs are shown in the following example:

$NW = Get-AzNetworkWatcher -ResourceGroupName NetworkWatcherRg -Name NetworkWatcher_chinaeast
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName nsgRG -Name nsgName
$storageAccount = Get-AzStorageAccount -ResourceGroupName StorageRG -Name contosostorage123
Get-AzNetworkWatcherFlowLogStatus -NetworkWatcher $NW -TargetResourceId $nsg.Id

#Traffic Analytics Parameters
$workspaceResourceId = "/subscriptions/bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb/resourcegroups/trafficanalyticsrg/providers/microsoft.operationalinsights/workspaces/taworkspace"
$workspaceGUID = "cccccccc-cccc-cccc-cccc-cccccccccccc"
$workspaceLocation = "chinanorth"

#Configure Version 1 Flow Logs
Set-AzNetworkWatcherConfigFlowLog -NetworkWatcher $NW -TargetResourceId $nsg.Id -StorageAccountId $storageAccount.Id -EnableFlowLog $true -FormatType Json -FormatVersion 1

#Configure Version 2 Flow Logs (without Traffic Analytics)
Set-AzNetworkWatcherConfigFlowLog -NetworkWatcher $NW -TargetResourceId $nsg.Id -StorageAccountId $storageAccount.Id -EnableFlowLog $true -FormatType Json -FormatVersion 2

#Configure Version 2 Flow Logs with Traffic Analytics Configured
Set-AzNetworkWatcherConfigFlowLog -NetworkWatcher $NW -TargetResourceId $nsg.Id -StorageAccountId $storageAccount.Id -EnableFlowLog $true -FormatType Json -FormatVersion 2 -EnableTrafficAnalytics -WorkspaceResourceId $workspaceResourceId -WorkspaceGUID $workspaceGUID -WorkspaceLocation $workspaceLocation

#Query Flow Log Status
Get-AzNetworkWatcherFlowLogStatus -NetworkWatcher $NW -TargetResourceId $nsg.Id

The storage account you specify cannot have network rules configured for it that restrict network access to only Azure services or specific virtual networks. The storage account can be in the same, or a different, Azure subscription than the NSG that you enable the flow log for. If you use different subscriptions, they must both be associated with the same Azure Active Directory tenant. The account you use for each subscription must have the necessary permissions.
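The following script is an added example, not part of the original article: it runs the steps above as one checked procedure, confirming that the Microsoft.Insights provider is registered before enabling version 2 flow logs, warning if the storage account's network rules default to Deny (the restriction described in the preceding paragraph), and verifying the status that Network Watcher reports afterwards. It assumes the $NW, $nsg and $storageAccount variables defined by the Get-Az* commands above.

```powershell
# Added example, not from the original article. Assumes $NW, $nsg and
# $storageAccount were created by the Get-Az* commands shown above.

# 1. Make sure Microsoft.Insights is registered. Registration is asynchronous,
#    so poll until no resource type under the namespace is still pending.
$states = (Get-AzResourceProvider -ProviderNamespace Microsoft.Insights).RegistrationState
if ($states -contains 'NotRegistered') {
    Register-AzResourceProvider -ProviderNamespace Microsoft.Insights | Out-Null
    do {
        Start-Sleep -Seconds 10
        $states = (Get-AzResourceProvider -ProviderNamespace Microsoft.Insights).RegistrationState
    } until ($states -notcontains 'Registering' -and $states -notcontains 'NotRegistered')
}

# 2. The article requires a storage account whose network rules do not restrict
#    access, so surface a Deny default action before enabling anything.
if ($storageAccount.NetworkRuleSet.DefaultAction -eq 'Deny') {
    Write-Warning "$($storageAccount.StorageAccountName) restricts network access; flow logs may not be written."
}

# 3. Enable version 2 flow logs, then read back the applied configuration
#    rather than trusting that the Set-* call did what was requested.
Set-AzNetworkWatcherConfigFlowLog -NetworkWatcher $NW -TargetResourceId $nsg.Id `
    -StorageAccountId $storageAccount.Id -EnableFlowLog $true `
    -FormatType Json -FormatVersion 2 | Out-Null

$status = Get-AzNetworkWatcherFlowLogStatus -NetworkWatcher $NW -TargetResourceId $nsg.Id
if (-not $status.Enabled -or $status.Format.Version -ne 2 -or $status.StorageId -ne $storageAccount.Id) {
    throw "Flow log configuration for $($nsg.Name) does not match what was requested."
}
"Flow logging enabled for $($nsg.Name): $($status.Format.Type) version $($status.Format.Version)"
```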

Disable Traffic Analytics and Network Security Group Flow logs

Use the following example to disable traffic analytics and flow logs:

#Disable Traffic Analytics by omitting the -EnableTrafficAnalytics switch
Set-AzNetworkWatcherConfigFlowLog -NetworkWatcher $NW -TargetResourceId $nsg.Id -StorageAccountId $storageAccount.Id -EnableFlowLog $true -FormatType Json -FormatVersion 2 -WorkspaceResourceId $workspaceResourceId -WorkspaceGUID $workspaceGUID -WorkspaceLocation $workspaceLocation

#Disable Flow Logging
Set-AzNetworkWatcherConfigFlowLog -NetworkWatcher $NW -TargetResourceId $nsg.Id -StorageAccountId $storageAccount.Id -EnableFlowLog $false

Download a Flow log

The storage location of a flow log is defined at creation. A convenient tool to access these flow logs saved to a storage account is Microsoft Azure Storage Explorer, which can be downloaded here: https://storageexplorer.com/

If a storage account is specified, flow log files are saved to the storage account at the following location:

https://{storageAccountName}.blob.core.chinacloudapi.cn/insights-logs-networksecuritygroupflowevent/resourceId=/SUBSCRIPTIONS/{subscriptionID}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/{nsgName}/y={year}/m={month}/d={day}/h={hour}/m=00/macAddress={macAddress}/PT1H.json

For information about the structure of the log, see the Network Security Group Flow log Overview.
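As an added example (not from the original article), the script below parses a downloaded PT1H.json file in the record layout the flow log overview describes and summarizes denied inbound flows by rule and source address, the usual first step when reviewing what an NSG is actually blocking. The JSON record is a constructed sample; the subscription ID, resource names and MAC address are placeholders.

```powershell
# Added example, not from the original article. $sampleJson is a constructed
# PT1H.json record using version 2 flow tuples; every ID in it is a placeholder.
$sampleJson = @'
{ "records": [ { "time": "2024-01-01T10:00:00Z", "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/NSGRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSGNAME",
    "properties": { "Version": 2, "flows": [
      { "rule": "DefaultRule_DenyAllInBound", "flows": [ { "mac": "000D3AF8801A", "flowTuples": [
          "1704103200,203.0.113.7,10.0.0.4,51000,22,T,I,D,B,,,,",
          "1704103205,203.0.113.7,10.0.0.4,51001,3389,T,I,D,B,,,,",
          "1704103210,198.51.100.9,10.0.0.4,40000,445,T,I,D,B,,,," ] } ] },
      { "rule": "UserRule_AllowHttps", "flows": [ { "mac": "000D3AF8801A", "flowTuples": [
          "1704103220,198.51.100.20,10.0.0.4,44000,443,T,I,A,B,12,3400,10,8800" ] } ] } ] } } ] }
'@

function Get-DeniedInboundFlow {
    # Returns one object per denied inbound tuple found in a flow log document.
    param([Parameter(Mandatory)][string]$Json)
    $log = $Json | ConvertFrom-Json
    foreach ($record in $log.records) {
        foreach ($ruleFlows in $record.properties.flows) {
            foreach ($nicFlows in $ruleFlows.flows) {
                foreach ($tuple in $nicFlows.flowTuples) {
                    # Tuple fields: timestamp,srcIP,dstIP,srcPort,dstPort,protocol,
                    # direction(I/O),decision(A/D),flowState,packets/bytes (v2 only)
                    $f = $tuple -split ','
                    if ($f[6] -eq 'I' -and $f[7] -eq 'D') {
                        [pscustomobject]@{
                            Time    = [DateTimeOffset]::FromUnixTimeSeconds([long]$f[0]).UtcDateTime
                            Rule    = $ruleFlows.rule
                            Mac     = $nicFlows.mac
                            SrcIP   = $f[1]
                            DstPort = [int]$f[4]
                            Proto   = $f[5]
                        }
                    }
                }
            }
        }
    }
}

# Count denied inbound flows per (rule, source IP); the noisiest sources come first.
Get-DeniedInboundFlow -Json $sampleJson |
    Group-Object Rule, SrcIP |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

To run it against a real download, replace $sampleJson with Get-Content -Raw on the PT1H.json file; the same function handles version 1 tuples because it only reads the first eight fields.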

Next Steps

Learn how to visualize your NSG flow logs with Power BI

Learn how to visualize your NSG flow logs with open source tools