Редагувати

Поділитися через


Create, change, enable, disable, or delete virtual network flow logs using the Azure portal

Virtual network flow logging is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through an Azure virtual network. For more information about virtual network flow logging, see Virtual network flow logs overview.

In this article, you learn how to create, change, enable, disable, or delete a virtual network flow log using the Azure portal. You can also learn how to manage a virtual network flow log using PowerShell or Azure CLI.

Prerequisites

Register Insights provider

Microsoft.Insights provider must be registered to successfully log traffic flowing through a virtual network. If you aren't sure if the Microsoft.Insights provider is registered, check its status in the Azure portal by following these steps:

  1. In the search box at the top of the portal, enter subscriptions. Select Subscriptions from the search results.

    Screenshot that shows how to search for Subscriptions in the Azure portal.

  2. Select the Azure subscription that you want to enable the provider for in Subscriptions.

  3. Under Settings, select Resource providers.

  4. Enter insight in the filter box.

  5. Confirm the status of the provider displayed is Registered. If the status is NotRegistered, select the Microsoft.Insights provider then select Register.

    Screenshot that shows how to register Microsoft Insights provider in the Azure portal.

Create a flow log

Create a flow log for your virtual network, subnet, or network interface. This flow log is saved in an Azure storage account.

  1. In the search box at the top of the portal, enter network watcher. Select Network Watcher from the search results.

  2. Under Logs, select Flow logs.

  3. In Network Watcher | Flow logs, select + Create or Create flow log blue button.

    Screenshot of Network Watcher flow logs in the Azure portal.

  4. On the Basics tab of Create a flow log, enter or select the following values:

    Setting Value
    Project details
    Subscription Select the Azure subscription of your virtual network that you want to log.
    Flow log type Select Virtual network then select + Select target resource (available options are: Virtual network, Subnet, and Network interface).
    Select the resources that you want to flow log, then select Confirm selection.
    Flow Log Name Enter a name for the flow log or leave the default name. Azure portal uses {ResourceName}-{ResourceGroupName}-flowlog as a default name for the flow log.
    Instance details
    Subscription Select the Azure subscription of the storage account.
    Storage accounts Select the storage account that you want to save the flow logs to. If you want to create a new storage account, select Create a new storage account.
    Retention (days) Enter a retention time for the logs (this option is only available with Standard general-purpose v2 storage accounts). Enter 0 if you want to retain the flow logs data in the storage account forever (until you manually delete it from the storage account). For information about pricing, see Azure Storage pricing.

    Screenshot that shows the Basics tab of creating a virtual network flow log in the Azure portal.

    Note

    If the storage account is in a different subscription, the resource that you're logging (virtual network, subnet, or network interface) and the storage account must be associated with the same Microsoft Entra tenant. The account you use for each subscription must have the necessary permissions.

  5. To enable traffic analytics, select Next: Analytics button, or select the Analytics tab. Enter or select the following values:

    Setting Value
    Enable traffic analytics Select the checkbox to enable traffic analytics for your flow log.
    Traffic analytics processing interval Select the processing interval that you prefer, available options are: Every 1 hour and Every 10 mins. The default processing interval is every one hour. For more information, see Traffic analytics.
    Subscription Select the Azure subscription of your Log Analytics workspace.
    Log Analytics Workspace Select your Log Analytics workspace. By default, Azure portal creates DefaultWorkspace-{SubscriptionID}-{Region} Log Analytics workspace in defaultresourcegroup-{Region} resource group.

    Screenshot that shows how to enable traffic analytics for a new flow log in the Azure portal.

    Note

    To create and select a Log Analytics workspace other than the default one, see Create a Log Analytics workspace

  6. Select Review + create.

  7. Review the settings, and then select Create.

Enable or disable traffic analytics

Enable traffic analytics for a flow log to analyze the flow log data. Traffic analytics provides insights into the traffic patterns of your virtual network. You can enable or disable traffic analytics for a flow log at any time.

To enable traffic analytics for a flow log, follow these steps:

  1. In the search box at the top of the portal, enter network watcher. Select Network Watcher from the search results.

  2. Under Logs, select Flow logs.

  3. In Network Watcher | Flow logs, select the flow log that you want to enable traffic analytics for.

  4. In Flow logs settings, under Traffic analytics, check the Enable traffic analytics checkbox.

    Screenshot that shows how to enable traffic analytics for an existing flow log in the Azure portal.

  5. Enter or select the following values:

    Setting Value
    Subscription Select the Azure subscription of your Log Analytics workspace.
    Log Analytics workspace Select your Log Analytics workspace. By default, Azure portal creates DefaultWorkspace-{SubscriptionID}-{Region} Log Analytics workspace in defaultresourcegroup-{Region} resource group.
    Traffic logging interval Select the processing interval that you prefer, available options are: Every 1 hour and Every 10 mins. The default processing interval is every one hour. For more information, see Traffic analytics.

    Screenshot that shows configurations of traffic analytics for an existing flow log in the Azure portal.

  6. Select Save to apply the changes.

To disable traffic analytics for a flow log, take the previous steps 1-3, then uncheck the Enable traffic analytics checkbox and select Save.

Screenshot that shows how to disable traffic analytics for an existing flow log in the Azure portal.

Change flow log settings

You can configure and change a flow log after you create it. For example, you can change the storage account or Log Analytics workspace.

  1. In the search box at the top of the portal, enter network watcher. Select Network Watcher from the search results.

  2. Under Logs, select Flow logs.

  3. In Network Watcher | Flow logs, select the flow log that you want to change.

  4. In Flow logs settings, you can change any of the following settings:

    Setting Value
    Storage account
    Subscription Change the Azure subscription of the storage account that you want to use.
    Storage account Change the storage account that you want to save the flow logs to. If you want to create a new storage account, select Create a new storage account.
    Retention (days) Change the retention time in the storage account. Enter 0 if you want to retain the flow logs data in the storage account forever (until you manually delete the data from the storage account).
    Traffic analytics
    Enable traffic analytics Enable or disable traffic analytics by checking or unchecking the checkbox.
    Subscription Change the Azure subscription of the Log Analytics workspace that you want to use.
    Log analytics workspace Change the Log Analytics workspace that you want to save the flow logs to (if traffic analytics is enabled).
    Traffic logging interval Change the processing interval of traffic analytics (if traffic analytics is enabled). Available options are: one hour and 10 minutes. The default processing interval is every one hour. For more information, see Traffic Analytics.

    Screenshot that shows how to edit flow log's settings in the Azure portal where you can change some virtual network flow log settings.

  5. Select Save to apply the changes or Cancel to exit without saving them.

List all flow logs

You can list all flow logs in a subscription or a group of subscriptions. You can also list all flow logs in a region.

  1. In the search box at the top of the portal, enter network watcher. Select Network Watcher from the search results.

  2. Under Logs, select Flow logs.

  3. Select Subscription equals filter to choose one or more of your subscriptions. You can apply other filters like Location equals to list all the flow logs in a region.

    Screenshot that shows how to list existing flow logs in the Azure portal.

View details of a flow log resource

You can view the details of a flow log in a subscription or a group of subscriptions. You can also list all flow logs in a region.

  1. In the search box at the top of the portal, enter network watcher. Select Network Watcher from the search results.

  2. Under Logs, select Flow logs.

  3. In Network Watcher | Flow logs, select the flow log that you want to see.

  4. In Flow logs settings, you can view the settings of the flow log resource.

    Screenshot of Flow logs settings page in the Azure portal.

  5. Select Cancel to close the settings page without making changes.

Download a flow log

You can download the flow logs data from the storage account that you saved the flow log to.

  1. In the search box at the top of the portal, enter storage accounts. Select Storage accounts from the search results.

  2. Select the storage account you used to store the logs.

  3. Under Data storage, select Containers.

  4. Select the insights-logs-flowlogflowevent container.

  5. In insights-logs-flowlogflowevent, navigate the folder hierarchy until you get to the PT1H.json file that you want to download. Virtual network flow log files follow the following path:

    https://{storageAccountName}.blob.core.windows.net/insights-logs-flowlogflowevent/flowLogResourceID=/{subscriptionID}_NETWORKWATCHERRG/NETWORKWATCHER_{Region}_{ResourceName}-{ResourceGroupName}-FLOWLOGS/y={year}/m={month}/d={day}/h={hour}/m=00/macAddress={macAddress}/PT1H.json
    
  6. Select the ellipsis ... to the right of the PT1H.json file, then select Download.

    Screenshot shows how to download a virtual network flow log data file from the storage account container in the Azure portal.

Note

As an alternative way to access and download flow logs from your storage account, you can use Azure Storage Explorer. For more information, see Get started with Storage Explorer.

For information about the structure of a flow log, see Log format of virtual network flow logs.

Disable a flow log

You can temporarily disable a virtual network flow log without deleting it. Disabling a flow log stops flow logging for the associated virtual network. However, the flow log resource remains with all its settings and associations. You can re-enable it at any time to resume flow logging for the configured virtual network.

  1. In the search box at the top of the portal, enter network watcher. Select Network Watcher from the search results.

  2. Under Logs, select Flow logs.

  3. In Network Watcher | Flow logs, select the checkbox of the flow log that you want to disable.

  4. Select Disable.

    Screenshot shows how to disable a flow log in the Azure portal.

Note

If traffic analytics is enabled for a flow log, you must disable it before you can disable the flow log. To disable traffic analytics, see Enable or disable traffic analytics.

Enable a flow log

You can enable a virtual network flow log that you previously disabled to resume flow logging with the same settings you previously selected.

  1. In the search box at the top of the portal, enter network watcher. Select Network Watcher from the search results.

  2. Under Logs, select Flow logs.

  3. In Network Watcher | Flow logs, select the checkbox of the flow log that you want to enable.

  4. Select Enable.

    Screenshot shows how to enable a flow log in the Azure portal.

Delete a flow log

You can permanently delete a virtual network flow log. Deleting a flow log deletes all its settings and associations. To begin flow logging again for the same virtual network, you must create a new flow log for it.

  1. In the search box at the top of the portal, enter network watcher. Select Network Watcher from the search results.

  2. Under Logs, select Flow logs.

  3. In Network Watcher | Flow logs, select the checkbox of the flow log that you want to delete.

  4. Select Delete.

    Screenshot shows how to delete a flow log in the Azure portal.

Note

Deleting a flow log doesn't delete the flow log data from the storage account. Flow logs data stored in the storage account follows the configured retention policy or stays stored in the storage account until manually deleted.