Delete network security group flow log storage blobs in Network Watcher
In case you ever need to manually delete flow logs from your storage account, you can use the PowerShell script below. This script only deletes storage blobs that are older than the existing retention policy specified by the user.
Run PowerShell script to delete NSG flow logs
Copy and save the following script to a location such as your current working directory.
# This powershell script deletes all NSG flow log blobs that should not be retained anymore as per configured retention policy.
# While configuring NSG flow logs on Azure portal, the user configures the retention period of NSG flow log blobs in
# their storage account (in days).
# This script reads all blobs and deletes blobs that are not to be retained (outside retention window)
# if the retention days are zero; all blobs are retained forever and hence no blobs are deleted.
#
#
param (
[string] [Parameter(Mandatory=$true)] $SubscriptionId,
[string] [Parameter(Mandatory=$true)] $Location,
[switch] [Parameter(Mandatory=$false)] $Confirm
)
Login-AzAccount
$SubId = Get-AzSubscription| Where-Object {$_.Id.contains($SubscriptionId.ToLower())}
if ($SubId.Count -eq 0)
{
Write-Error 'The SubscriptionId does not exist' -ErrorAction Stop
}
Set-AzContext -SubscriptionId $SubscriptionId
$NsgList = Get-AzNetworkSecurityGroup | Where-Object {$_.Location -eq $Location}
$NW = Get-AzNetworkWatcher | Where-Object {$_.Location -eq $Location}
$FlowLogsList = @()
foreach ($Nsg in $NsgList)
{
# Query Flow Log Status which are enabled
$NsgFlowLog = Get-AzNetworkWatcherFlowLogStatus -NetworkWatcher $NW -TargetResourceId $Nsg.Id | Where-Object {$_.Enabled -eq "True"}
if ($NsgFlowLog.Count -gt 0)
{
$FlowLogsList += $NsgFlowLog
Write-Output ('Enabled NSG found: ' + $NsgFlowLog.TargetResourceId)
}
}
foreach ($Psflowlog in $FlowLogsList)
{
$RetentionDays = $Psflowlog.RetentionPolicy.Days
if ($RetentionDays -le 0)
{
continue
}
$Strings = $Psflowlog.StorageId -split '/'
$RGName = $Strings[4]
$StorageAccountName = $Strings[-1]
$Key = (Get-AzStorageAccountKey -ResourceGroupName $RGName -Name $StorageAccountName).Value[1]
$StorageAccount = New-AzStorageContext -StorageAccountName $StorageAccountName -StorageAccountKey $Key
$ContainerName = 'insights-logs-networksecuritygroupflowevent'
$BLobsList = Get-AzStorageBlob -Container $ContainerName -Context $StorageAccount.Context
$TargetBLobsList = $BLobsList | Where-Object {$_.Name.contains($Psflowlog.TargetResourceId.ToUpper())}
$RetentionDate = Get-Date
$RetentionDate = $RetentionDate.AddDays(-1*$RetentionDays)
$RetentionDateInUTC = $RetentionDate.ToUniversalTime()
foreach ($Blob in $TargetBLobsList)
{
$BlobLastModifietedDTinUTC = [datetime]$Blob.LastModified.UtcDateTime
if ($BlobLastModifietedDTinUTC -ge $RetentionDateInUTC)
{
Write-Output ($Blob.Name + '===>' + $BlobLastModifietedDTinUTC + ' ===> RETAINED')
continue
}
if ($Confirm)
{
Write-Output (Blob to be deleted: $Blob.Name)
$Confirmation = Read-Host "Are you sure you want to remove this blob (Y/N)?"
}
if ((-not $Confirm) -or ($Confirmation -eq 'Y'))
{
Write-Output ($Blob.Name + '===>' + $BlobLastModifietedDTinUTC + ' ===> DELETED')
Remove-AzStorageBlob -Container $ContainerName -Context $StorageAccount.Context -Blob $Blob.Name
}
else
{
Write-Output ($Blob.Name + '===>' + $BlobLastModifietedDTinUTC + ' ===> RETAINED')
}
}
}
Write-Output ('Retention policy for all NSGs evaluated and completed successfully')
Enter the following parameters in the script as needed:
- SubscriptionId [Mandatory]: The subscription ID from where you would like to delete NSG Flow Log blobs.
- Location [Mandatory]: The location string of the region of the NSGs for which you would like to delete NSG Flow Log blobs. You can view this information on the Azure portal or on GitHub.
- Confirm [Optional]: Pass the confirm flag if you want to manually confirm the deletion of each storage blob.
Run the saved script as shown in the following example, where the script file was saved as Delete-NsgFlowLogsBlobs.ps1:
.\Delete-NsgFlowLogsBlobs.ps1 -SubscriptionId <subscriptionId> -Location <location> -Confirm
Next steps
- Customers can automate running the script by using Azure Logic Apps or Azure Automation
- To learn more about NSG logging, see Azure Monitor logs for network security groups (NSGs).
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for