Редагувати

Поділитися через


Create, change, enable, disable, or delete virtual network flow logs using Azure PowerShell

Virtual network flow logging is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through an Azure virtual network. For more information about virtual network flow logging, see Virtual network flow logs overview.

In this article, you learn how to create, change, enable, disable, or delete a virtual network flow log using Azure PowerShell. You can learn how to manage a virtual network flow log using the Azure portal or Azure CLI.

Prerequisites

Register insights provider

Microsoft.Insights provider must be registered to successfully log traffic in a virtual network. If you aren't sure if the Microsoft.Insights provider is registered, use Register-AzResourceProvider to register it.

# Register Microsoft.Insights provider.
Register-AzResourceProvider -ProviderNamespace Microsoft.Insights

Enable virtual network flow logs

Use New-AzNetworkWatcherFlowLog to create a virtual network flow log.

# Place the virtual network configuration into a variable.
$vnet = Get-AzVirtualNetwork -Name myVNet -ResourceGroupName myResourceGroup
# Place the storage account configuration into a variable.
$storageAccount = Get-AzStorageAccount -Name myStorageAccount -ResourceGroupName myResourceGroup

# Create a VNet flow log.
New-AzNetworkWatcherFlowLog -Enabled $true -Name myVNetFlowLog -NetworkWatcherName NetworkWatcher_eastus -ResourceGroupName NetworkWatcherRG -StorageId $storageAccount.Id -TargetResourceId $vnet.Id

Enable virtual network flow logs and traffic analytics

Use New-AzOperationalInsightsWorkspace to create a traffic analytics workspace, and then use New-AzNetworkWatcherFlowLog to create a virtual network flow log that uses it.

# Place the virtual network configuration into a variable.
$vnet = Get-AzVirtualNetwork -Name myVNet -ResourceGroupName myResourceGroup
# Place the storage account configuration into a variable.
$storageAccount = Get-AzStorageAccount -Name myStorageAccount -ResourceGroupName myResourceGroup

# Create a traffic analytics workspace and place its configuration into a variable.
$workspace = New-AzOperationalInsightsWorkspace -Name myWorkspace -ResourceGroupName myResourceGroup -Location EastUS

# Create a VNet flow log.
New-AzNetworkWatcherFlowLog -Enabled $true -Name myVNetFlowLog -NetworkWatcherName NetworkWatcher_eastus -ResourceGroupName NetworkWatcherRG -StorageId $storageAccount.Id -TargetResourceId $vnet.Id -EnableTrafficAnalytics -TrafficAnalyticsWorkspaceId $workspace.ResourceId -TrafficAnalyticsInterval 10

List all flow logs in a region

Use Get-AzNetworkWatcherFlowLog to list all flow log resources in a particular region in your subscription.

# Get all flow logs in East US region.
Get-AzNetworkWatcherFlowLog -NetworkWatcherName NetworkWatcher_eastus -ResourceGroupName NetworkWatcherRG | format-table Name

View virtual network flow log resource

Use Get-AzNetworkWatcherFlowLog to see details of a flow log resource.

# Get the flow log details.
Get-AzNetworkWatcherFlowLog -NetworkWatcherName NetworkWatcher_eastus -ResourceGroupName NetworkWatcherRG -Name myVNetFlowLog

Download a flow log

To download virtual network flow logs from your storage account, use Get-AzStorageBlobContent cmdlet.

Virtual network flow log files are saved to the storage account at the following path:

https://{storageAccountName}.blob.core.windows.net/insights-logs-flowlogflowevent/flowLogResourceID=/SUBSCRIPTIONS/{subscriptionID}/RESOURCEGROUPS/NETWORKWATCHERRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKWATCHERS/NETWORKWATCHER_{Region}/FLOWLOGS/{FlowlogResourceName}/y={year}/m={month}/d={day}/h={hour}/m=00/macAddress={macAddress}/PT1H.json

Note

You can also access and download VNet flow logs files from the storage account container using the Azure Storage Explorer. Storage Explorer is a standalone app that you can conveniently use to access and work with Azure Storage data. For more information, see Get started with Storage Explorer.

Disable traffic analytics on flow log resource

To disable traffic analytics on the flow log resource and continue to generate and save virtual network flow logs to storage account, use Set-AzNetworkWatcherFlowLog.

# Place the virtual network configuration into a variable.
$vnet = Get-AzVirtualNetwork -Name myVNet -ResourceGroupName myResourceGroup
# Place the storage account configuration into a variable.
$storageAccount = Get-AzStorageAccount -Name mynwstorageaccount -ResourceGroupName Storage

# Update the VNet flow log.
Set-AzNetworkWatcherFlowLog -Enabled $true -Name myVNetFlowLog -NetworkWatcherName NetworkWatcher_eastus -ResourceGroupName NetworkWatcherRG -StorageId $storageAccount.Id -TargetResourceId $vnet.Id

Disable virtual network flow logging

To disable a virtual network flow log without deleting it so you can re-enable it later, use Set-AzNetworkWatcherFlowLog.

# Place the virtual network configuration into a variable.
$vnet = Get-AzVirtualNetwork -Name myVNet -ResourceGroupName myResourceGroup
# Place the storage account configuration into a variable.
$storageAccount = Get-AzStorageAccount -Name mynwstorageaccount -ResourceGroupName Storage

# Disable the VNet flow log.
Set-AzNetworkWatcherFlowLog -Enabled $false -Name myVNetFlowLog -NetworkWatcherName NetworkWatcher_eastus -ResourceGroupName NetworkWatcherRG -StorageId $storageAccount.Id -TargetResourceId $vnet.Id

Delete a virtual network flow log resource

To delete a virtual network flow log resource, use Remove-AzNetworkWatcherFlowLog.

# Delete the VNet flow log.
Remove-AzNetworkWatcherFlowLog -Name myVNetFlowLog -NetworkWatcherName NetworkWatcher_eastus -ResourceGroupName NetworkWatcherRG