Manage NSG flow logs using the Azure portal

Network security group flow logging is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through a network security group. For more information about network security group flow logging, see NSG flow logs overview.

In this article, you learn how to create, change, disable, or delete an NSG flow log using the Azure portal. You can learn how to manage an NSG flow log using PowerShell, Azure CLI, REST API, or ARM template.

Prerequisites

Register Insights provider

The Microsoft.Insights provider must be registered to successfully log traffic flowing through a network security group. If you aren't sure whether the Microsoft.Insights provider is registered, check its status:

  1. In the search box at the top of the portal, enter subscriptions. Select Subscriptions in the search results.

  2. Select the Azure subscription that you want to enable the provider for in Subscriptions.

  3. Under Settings, select Resource providers.

  4. Enter insight in the filter box.

  5. Confirm the status of the provider displayed is Registered. If the status is NotRegistered, select the Microsoft.Insights provider then select Register.


Create a flow log

Create a flow log for your network security group. This NSG flow log is saved in an Azure storage account.

  1. In the search box at the top of the portal, enter network watcher. Select Network Watcher in the search results.

  2. Under Logs, select Flow logs.

  3. In Network Watcher | Flow logs, select + Create or the blue Create flow log button.


  4. Enter or select the following values in Create a flow log:

    Project details
    • Subscription: Select the Azure subscription of your network security group that you want to log.
    • Network security group: Select + Select resource. In Select network security group, select myNSG. Then, select Confirm selection.
    • Flow Log Name: Enter a name for the flow log or leave the default name. myNSG-myResourceGroup-flowlog is the default name for this example.

    Instance details
    • Subscription: Select the Azure subscription of your storage account.
    • Storage Accounts: Select the storage account that you want to save the flow logs to. If you want to create a new storage account, select Create a new storage account.
    • Retention (days): Enter a retention time for the logs. Enter 0 if you want to retain the flow logs data in the storage account forever (until you delete it from the storage account). For information about pricing, see Azure Storage pricing.


    Note

    If the storage account is in a different subscription, the network security group and storage account must be associated with the same Azure Active Directory tenant. The account you use for each subscription must have the necessary permissions.

  5. Select Review + create.

  6. Review the settings, and then select Create.

Create a flow log and traffic analytics workspace

Create a flow log for your network security group and enable traffic analytics. The NSG flow log is saved in an Azure storage account.

  1. In the search box at the top of the portal, enter network watcher. Select Network Watcher in the search results.

  2. Under Logs, select Flow logs.

  3. In Network Watcher | Flow logs, select + Create or the blue Create flow log button.


  4. Enter or select the following values in Create a flow log:

    Project details
    • Subscription: Select the Azure subscription of your network security group that you want to log.
    • Network security group: Select + Select resource. In Select network security group, select myNSG. Then, select Confirm selection.
    • Flow Log Name: Enter a name for the flow log or leave the default name. By default, Azure portal creates {network-security-group}-{resource-group}-flowlog flow log in NetworkWatcherRG resource group.

    Instance details
    • Subscription: Select the Azure subscription of your storage account.
    • Storage Accounts: Select the storage account that you want to save the flow logs to. If you want to create a new storage account, select Create a new storage account.
    • Retention (days): Enter a retention time for the logs. Enter 0 if you want to retain the flow logs data in the storage account forever (until you delete it from the storage account). For information about pricing, see Azure Storage pricing.


    Note

    If the storage account is in a different subscription, the network security group and storage account must be associated with the same Azure Active Directory tenant. The account you use for each subscription must have the necessary permissions.

  5. Select the Next: Analytics button, or select the Analytics tab. Then enter or select the following values:

    • Flow Logs Version: Select the flow log version. Version 2 is selected by default when you create a flow log using the Azure portal. For more information about flow logs versions, see Log format of NSG flow logs.

    Traffic Analytics
    • Enable Traffic Analytics: Select the checkbox to enable traffic analytics for your flow log.
    • Traffic Analytics processing interval: Select the processing interval that you prefer. Available options are: Every 1 hour and Every 10 mins. The default processing interval is every one hour. For more information, see Traffic Analytics.
    • Subscription: Select the Azure subscription of your Log Analytics workspace.
    • Log Analytics Workspace: Select your Log Analytics workspace. By default, Azure portal creates and selects DefaultWorkspace-{subscription-id}-{region} Log Analytics workspace in defaultresourcegroup-{Region} resource group.


  6. Select Review + create.

  7. Review the settings, and then select Create.

Change a flow log

You can change the properties of a flow log after you create it. For example, you can change the flow log version or disable traffic analytics.

  1. In the search box at the top of the portal, enter network watcher. Select Network Watcher in the search results.

  2. Under Logs, select Flow logs.

  3. In Network Watcher | Flow logs, select the flow log that you want to change.

  4. In Flow logs settings, you can change any of the following settings:

    • Flow Logs Version: Change the flow log version. Available versions are: version 1 and version 2. Version 2 is selected by default when you create a flow log using the Azure portal. For more information about flow logs versions, see Log format of NSG flow logs.
    • Storage Account: Change the storage account that you want to save the flow logs to. If you want to create a new storage account, select Create a new storage account.
    • Retention (days): Change the retention time in the storage account. Enter 0 if you want to retain the flow logs data in the storage account forever (until you manually delete the data from the storage account).
    • Traffic Analytics: Enable or disable traffic analytics for your flow log. For more information, see Traffic Analytics.
    • Traffic Analytics processing interval: Change the processing interval of traffic analytics (if traffic analytics is enabled). Available options are: one hour and 10 minutes. The default processing interval is every one hour. For more information, see Traffic Analytics.
    • Log Analytics workspace: Change the Log Analytics workspace that you want to save the flow logs to (if traffic analytics is enabled).


List all flow logs

You can list all flow logs in a subscription or a group of subscriptions. You can also list all flow logs in a region.

  1. In the search box at the top of the portal, enter network watcher. Select Network Watcher in the search results.

  2. Under Logs, select Flow logs.

  3. Select the Subscription equals filter to choose one or more of your subscriptions. You can apply other filters like Location equals to list all the flow logs in a region.


View details of a flow log resource

You can view the details of a flow log in a subscription or a group of subscriptions. You can also list all flow logs in a region.

  1. In the search box at the top of the portal, enter network watcher. Select Network Watcher in the search results.

  2. Under Logs, select Flow logs.

  3. In Network Watcher | Flow logs, select the flow log that you want to see.

  4. In Flow logs settings, you can view the settings of the flow log resource.


Download a flow log

The storage location of a flow log is defined at creation. To access and download flow logs from your storage account, you can use Azure Storage Explorer. For more information, see Get started with Storage Explorer.

NSG flow log files saved to a storage account follow this path:

https://{storageAccountName}.blob.core.windows.net/insights-logs-networksecuritygroupflowevent/resourceId=/SUBSCRIPTIONS/{subscriptionID}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/{NetworkSecurityGroupName}/y={year}/m={month}/d={day}/h={hour}/m=00/macAddress={macAddress}/PT1H.json

For information about the structure of a flow log, see Log format of NSG flow logs.
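
When you pull flow logs for an investigation, the path layout above tells you which blobs cover a given time window and which NSG and network interface a blob belongs to. The following Python sketch is an added example, not part of the original article: it parses a blob name into its components and builds the per-hour blob-name prefixes for a window. The function names and the sample URL are constructed; that the y=/m=/d=/h= values are UTC and zero-padded is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Path layout as documented above. Assumption: the y=/m=/d=/h= values are UTC.
_BLOB_RE = re.compile(
    r"resourceId=/SUBSCRIPTIONS/(?P<subscription>[^/]+)"
    r"/RESOURCEGROUPS/(?P<resource_group>[^/]+)"
    r"/PROVIDERS/MICROSOFT\.NETWORK/NETWORKSECURITYGROUPS/(?P<nsg>[^/]+)"
    r"/y=(?P<y>\d{4})/m=(?P<mo>\d{1,2})/d=(?P<d>\d{1,2})/h=(?P<h>\d{1,2})/m=00"
    r"/macAddress=(?P<mac>[^/]+)/PT1H\.json$"
)

# Constructed sample URL; account, subscription, group, NSG and MAC are made up.
SAMPLE_URL = (
    "https://examplestore.blob.core.windows.net/"
    "insights-logs-networksecuritygroupflowevent/resourceId="
    "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000"
    "/RESOURCEGROUPS/MYRESOURCEGROUP/PROVIDERS/MICROSOFT.NETWORK"
    "/NETWORKSECURITYGROUPS/MYNSG/y=2024/m=03/d=09/h=23/m=00"
    "/macAddress=000D3A000001/PT1H.json"
)

def parse_blob_name(name):
    """Split a flow log blob name or URL into its parts; None if it does not match."""
    m = _BLOB_RE.search(name)
    if m is None:
        return None
    hour = datetime(int(m["y"]), int(m["mo"]), int(m["d"]), int(m["h"]),
                    tzinfo=timezone.utc)
    return {"subscription": m["subscription"], "resource_group": m["resource_group"],
            "nsg": m["nsg"], "mac": m["mac"], "hour": hour}

def hourly_prefixes(subscription, resource_group, nsg, start, end):
    """Blob-name prefixes, one per hour, covering the window start..end inclusive.

    Pass the names exactly as they appear in the container (prefix matching is
    case-sensitive). Zero-padded month, day and hour are an assumption.
    """
    base = (f"resourceId=/SUBSCRIPTIONS/{subscription}"
            f"/RESOURCEGROUPS/{resource_group}"
            f"/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/{nsg}")
    hour = start.replace(minute=0, second=0, microsecond=0)
    prefixes = []
    while hour <= end:
        prefixes.append(f"{base}/y={hour:%Y}/m={hour:%m}/d={hour:%d}/h={hour:%H}/m=00/")
        hour += timedelta(hours=1)
    return prefixes
```

Each prefix can be used as a name filter when listing blobs in the insights-logs-networksecuritygroupflowevent container, so only the hours under investigation are downloaded.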

Disable a flow log

You can temporarily disable an NSG flow log without deleting it. Disabling a flow log stops flow logging for the associated network security group. However, the flow log resource remains with all its settings and associations. You can re-enable it at any time to resume flow logging for the configured network security group.

  1. In the search box at the top of the portal, enter network watcher. Select Network Watcher in the search results.

  2. Under Logs, select Flow logs.

  3. In Network Watcher | Flow logs, select the checkbox of the flow log that you want to disable.

  4. Select Disable.


Note

If traffic analytics is enabled for a flow log, it must be disabled before you can disable the flow log. To disable traffic analytics, see Change a flow log.

Delete a flow log

You can permanently delete an NSG flow log. Deleting a flow log deletes all its settings and associations. To begin flow logging again for the same network security group, you must create a new flow log for it.

  1. In the search box at the top of the portal, enter network watcher. Select Network Watcher in the search results.

  2. Under Logs, select Flow logs.

  3. In Network Watcher | Flow logs, select the checkbox of the flow log that you want to delete.

  4. Select Delete.


Note

Deleting a flow log does not delete the flow log data from the storage account. Flow logs data stored in the storage account follows the configured retention policy or stays stored in the storage account until manually deleted (in case no retention policy is configured).
