
Collect Logs for the Azure Network Watcher App

This document provides instructions for configuring the collection of NSG Flow Logs for the Azure Network Watcher App. The process consists of the configuration requirements and the steps described below.

Configuration requirements

Before you begin configuring NSG Flow Log collection, make sure the following environment prerequisites are met:

  • Your Storage Account must be of type General-purpose v2 or Blob storage.
  • Your Network Security Group and Storage Account should be in the same Azure region.

Step 1: Configure Azure Storage Account

In this step you configure a storage account and a container to which you will export network flow logs. To create a new storage account and container, see Step 1 in Collect Logs from Blob Storage, then continue with Step 2 below.

If you have a storage account with a container that you want to use for this purpose, make a note of its resource group, storage account name and container name, then proceed to Step 2 below.

Step 2: Configure an HTTP source

This section demonstrates how to configure an HTTP source to receive logs from the Azure function.

To configure an HTTP source for Azure, do the following:
  1. Select a hosted collector where you want to configure the HTTP source. If desired, create a new hosted collector, as described on Configure a Hosted Collector.
  2. Configure an HTTP source, as described on HTTP Logs and Metrics Source. Make a note of the URL for the source; you will need it in the next step.
  3. In Advanced Options for Logs, under Timestamp Format, click Specify a format and enter the following:
  • Specify Format as epoch
  • Specify Timestamp locator as \"time\": (.*),

Step 3: Configure Azure Resources using ARM template

To deploy a Sumo-provided ARM template, follow the instructions in Step 3 in Collect Logs from Azure Blob Storage.

Step 4: Enable NSG flow logs via the Azure Portal

In this step you enable NSG flow logs with the Azure portal.

  1. Enable the flow logs to point to the storage account you configured in Step 1: Configure Azure Storage Account.
  2. Follow the steps detailed in the Microsoft Azure Network Watcher documentation.

Troubleshooting

If logs don't start flowing into Sumo Logic after you perform the configuration above, see Troubleshoot Azure Blob Storage Log Collection.

Sample Log Message

{
  "time":"2017-09-27 21:22:33.443+0000",
  "sys_id":"4181995a-801f-4075-a56c-30b3671148bf",
  "category":"NetworkSecurityGroupFlowEvent",
  "resource_id":"/SUBSCRIPTIONS/C088DC46-D692-42AD-A4B6-9A542D28AD2A/RESOURCEGROUPS/AZURELABS/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-AZURELABS-03",
  "event_name":"NetworkSecurityGroupFlowEvents",
  "rule_name":"All_prod_tcp",
  "mac":"000D3AF86058",
  "src_ip":"51.148.136.204",
  "dest_IP":"107.198.121.243",
  "src_port":"47676",
  "dest_port":"4367",
  "protocol":"T",
  "traffic_destination":"I",
  "traffic_a/d":"D"
}

Query Sample

Denied Traffic Flow by Source Location

_sourceCategory="security/flowlogs"
| json field=_raw "rule_name"
| json field=_raw "resource_id"
| json field=_raw "event_name"
| json field=_raw "mac"
| json field=_raw "src_ip"
| json field=_raw "dest_IP"
| json field=_raw "dest_port"
| json field=_raw "protocol"
| json field=_raw "traffic_destination"
| json field=_raw "traffic_a/d" as traffic_a_d
| parse regex field=resource_id "(?<NSG>[\w.-]+)$"
| json field=_raw "src_port"
| where traffic_a_d = "D"
| lookup latitude, longitude, country_code, country_name, region, city, postal_code, area_code, metro_code from geo://default on ip = src_ip
| count by latitude, longitude, country_code, country_name, region, city, postal_code, area_code, metro_code
| sort by _count
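The query above, reproduced offline as an added example that is not part of the Sumo Logic documentation: a Python script that applies the same NSG parse regex, the traffic_a/d = "D" filter and the count to constructed flow events in the sample-log layout. Because no geo database is available offline, it aggregates by NSG and source IP instead of the geo lookup fields; the subscription, resource group and second NSG name are constructed placeholders.

```python
import json
import re
from collections import Counter

# Same extraction as the query's parse regex on resource_id (Python needs ?P<>);
# written [\w.-] so the hyphen is unambiguously a literal character.
NSG_RE = re.compile(r"(?P<NSG>[\w.-]+)$")

def make_event(nsg, src_ip, decision, dest_port="4367"):
    """One flattened flow event in the page's sample-log layout (constructed ids)."""
    return json.dumps({
        "time": "2017-09-27 21:22:33.443+0000", "category": "NetworkSecurityGroupFlowEvent",
        "resource_id": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS"
                       "/EXAMPLE-RG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/" + nsg,
        "event_name": "NetworkSecurityGroupFlowEvents", "rule_name": "All_prod_tcp",
        "src_ip": src_ip, "dest_IP": "107.198.121.243", "src_port": "47676",
        "dest_port": dest_port, "protocol": "T", "traffic_destination": "I",
        "traffic_a/d": decision,
    })

def nsg_name(resource_id):
    """Last path segment of resource_id, the NSG field the query derives."""
    m = NSG_RE.search(resource_id)
    return m.group("NSG") if m else None

def denied_flows_by_source(raw_lines):
    """Mirror the query's filter and aggregation: keep events whose traffic_a/d
    is D, count by (NSG, src_ip), sort by count descending. Non-JSON lines and
    events without src_ip are skipped, as the json operator drops them without nodrop."""
    counts = Counter()
    for line in raw_lines:
        try:
            ev = json.loads(line)
        except ValueError:
            continue
        if ev.get("traffic_a/d") != "D" or "src_ip" not in ev:
            continue
        counts[(nsg_name(ev.get("resource_id", "")), ev["src_ip"])] += 1
    rows = [(nsg, ip, n) for (nsg, ip), n in counts.items()]
    return sorted(rows, key=lambda r: (-r[2], r[0] or "", r[1]))

# Constructed input: the first line mirrors the page's sample, the rest vary it.
SAMPLE_LINES = [
    make_event("NSG-AZURELABS-03", "51.148.136.204", "D"),
    make_event("NSG-AZURELABS-03", "51.148.136.204", "D", dest_port="22"),
    make_event("NSG-AZURELABS-03", "198.51.100.7", "A"),  # allowed, not counted
    make_event("NSG-EXAMPLE-01", "203.0.113.9", "D"),
    "not json at all",                                    # malformed, skipped
]
```

Running `denied_flows_by_source(SAMPLE_LINES)` returns two rows, with the repeated denied source from NSG-AZURELABS-03 counted twice and listed first.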