Sumo Logic

Collect Logs for Azure Network Watcher

To collect NSG Flow Logs, you perform the following steps:

  1. Enable NSG flow logs via the Azure Portal.
  2. Run the PowerShell scripts to configure environment variables.
  3. Configure a Sumo Logic Installed Collector, and a Script Source.

Step 1. Enable NSG flow logs via the Azure Portal

To enable NSG flow logs, follow the steps detailed in Microsoft's Azure Network Watcher documentation. Make a note of the storage account you select for the flow logs; Step 2 needs its name and one of its access keys.

Step 2. Run the PowerShell Scripts

  1. Download the PowerShell scripts.
  2. Extract the scripts to your desired location.
  3. Right-click each of the six scripts, open Properties, and click Unblock. Windows tags files downloaded from the internet, and PowerShell's execution policy can refuse to run tagged, unsigned scripts until they are unblocked.
  4. Open the PowerShell Integrated Scripting Environment and navigate to the directory where you extracted the scripts. Run the script by executing the following command:

    .\initSetup.ps1 <AzureStorageName> <AzureStorageAccessKey>

    AzureStorageName is the name of the storage account in which your Network Watcher flow logs are stored, as configured when you enabled NSG flow logs via the Azure Portal.

    AzureStorageAccessKey is an access key for that storage account. You can find it in the Azure Portal under All resources > Your Storage Account > Access keys. The key grants full access to the storage account, so treat it as a secret and rotate it if it is exposed.


    The PowerShell script initSetup.ps1 creates all the environment variables and files required by the collection script SumoGetLogs.ps1.

Step 3. Configure an Installed Collector and a Script Source

  1. If you do not already have one set up, add an Installed Collector.
  2. To the collector, add a Script Source.
    1. Enter the Name for the source, Description, Source Host, and Source Category.
    2. Frequency. Select Every Hour.
    3. Select Specify a timeout for your command, and choose 6 hours.
    4. Command. Select PowerShell Script.
    5. Script. Choose Type a path to the script to execute, and enter the path to SumoGetLogs.ps1, which you extracted in step 2 of the previous section.
    6. Under Advanced Options for Logs, use the default values for Timestamp parsing and Time Zone.
      For Timestamp Format, select Specify a format and enter yyyy-MM-dd'T'HH:mm:ss

Troubleshooting

If your Installed Collector runs on Windows and the script fails with the following message:

Get-AzureStorageBlobContent : The specified path, file name, or both are too long. The fully qualified file name must be less than 260 characters, and the directory name must be less than 248 characters.

the flow-log blob paths (which embed the full NSG resource ID and the date/time hierarchy) have exceeded the legacy MAX_PATH limit. You can solve the problem by enabling Win32 long path support (on Windows 10 version 1607 and later, the LongPathsEnabled value under HKLM\SYSTEM\CurrentControlSet\Control\FileSystem, or the equivalent Group Policy setting). For more information, see .NET 4.6.2 and long paths on Windows 10.

Sample Log Message

{  
   "time":"2017-09-27 21:22:33.443+0000",
   "sys_id":"4181995a-801f-4075-a56c-30b3671148bf",
   "category":"NetworkSecurityGroupFlowEvent",
   "resource_id":"/SUBSCRIPTIONS/C088DC46-D692-42AD-A4B6-9A542D28AD2A/RESOURCEGROUPS/AZURELABS/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-AZURELABS-03",
   "event_name":"NetworkSecurityGroupFlowEvents",
   "rule_name":"All_prod_tcp",
   "mac":"000D3AF86058",
   "src_ip":"51.148.136.204",
   "dest_IP":"107.198.121.243",
   "src_port":"47676",
   "dest_port":"4367",
   "protocol":"T",
   "traffic_destination":"I",
   "traffic_a/d":"D"
}

Query Sample

Denied Traffic Flow by Source Location

_sourceCategory="security/flowlogs"
| json field=_raw "rule_name"
| json field=_raw "resource_id"
| json field=_raw "event_name"
| json field=_raw "mac"
| json field=_raw "src_ip"
| json field=_raw "dest_IP"
| json field=_raw "src_port"
| json field=_raw "dest_port"
| json field=_raw "protocol"
| json field=_raw "traffic_destination"
| json field=_raw "traffic_a/d" as traffic_a_d
| parse regex field=resource_id "(?<NSG>[\w.-]+)$"
| where traffic_a_d = "D"
| lookup latitude, longitude, country_code, country_name, region, city, postal_code, area_code, metro_code from geo://default on ip = src_ip
| count by latitude, longitude, country_code, country_name, region, city, postal_code, area_code, metro_code
| sort by _count
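The sample log message above is one flattened flow, not what Azure writes to the storage account: Network Watcher stores a JSON blob of records whose flows are packed into comma-separated "flowTuples" strings, and the collection script expands them. The following Python is an added example, not Sumo Logic's SumoGetLogs.ps1 and not code from this page. It assumes the version 1 NSG flow-log schema (tuple layout unixTime,srcIP,dstIP,srcPort,dstPort,protocol,direction,decision) and maps raw fields onto the sample's names as a reasonable guess at what the script does; the flow_epoch field is an extra of my own. The input blob is constructed, reusing the NSG, rule, MAC and first tuple from the sample. The second function is an offline counterpart of the "Denied Traffic Flow by Source Location" query, minus the geo lookup, which needs Sumo.

```python
import json
from collections import Counter

# Constructed sample (not from the page): one raw NSG flow-log blob in the
# version 1 schema. Version 2 appends flow-state and byte/packet counters to
# each tuple; this parser only reads the first eight fields, so it tolerates
# them but does not report them.
RAW_BLOB = json.dumps({
    "records": [{
        "time": "2017-09-27T21:22:33.4430000Z",
        "systemId": "4181995a-801f-4075-a56c-30b3671148bf",
        "category": "NetworkSecurityGroupFlowEvent",
        "resourceId": "/SUBSCRIPTIONS/C088DC46-D692-42AD-A4B6-9A542D28AD2A"
                      "/RESOURCEGROUPS/AZURELABS/PROVIDERS/MICROSOFT.NETWORK"
                      "/NETWORKSECURITYGROUPS/NSG-AZURELABS-03",
        "operationName": "NetworkSecurityGroupFlowEvents",
        "properties": {
            "Version": 1,
            "flows": [
                {"rule": "All_prod_tcp", "flows": [{
                    "mac": "000D3AF86058",
                    "flowTuples": [
                        "1506547353,51.148.136.204,107.198.121.243,47676,4367,T,I,D",
                        "1506547354,51.148.136.204,107.198.121.243,47677,4368,T,I,D",
                        "1506547355,10.0.0.4,107.198.121.243,22,51234,T,O,A",
                    ]}]},
                {"rule": "DenyAllInBound", "flows": [{
                    "mac": "000D3AF86058",
                    "flowTuples": [
                        "1506547360,198.51.100.7,10.0.0.4,40000,3389,T,I,D",
                    ]}]},
            ],
        },
    }]
})


def format_record_time(iso_time):
    """Reshape Azure's "2017-09-27T21:22:33.4430000Z" into the page's
    "2017-09-27 21:22:33.443+0000" (millisecond precision; UTC input only)."""
    base, _, frac = iso_time.rstrip("Z").partition(".")
    return f"{base.replace('T', ' ')}.{(frac + '000')[:3]}+0000"


def nsg_name(resource_id):
    """Last path segment of the resource ID, as the query's parse regex does."""
    return resource_id.rsplit("/", 1)[-1]


def flatten_flow_logs(blob_text):
    """Expand one raw blob into one dict per flow tuple, keyed with the field
    names of the page's sample log message (mapping assumed, not documented).
    Raises on a tuple with fewer than the eight version 1 fields."""
    events = []
    for rec in json.loads(blob_text)["records"]:
        when = format_record_time(rec["time"])
        for rule in rec["properties"]["flows"]:
            for flow in rule["flows"]:
                for tup in flow["flowTuples"]:
                    f = tup.split(",")
                    if len(f) < 8:
                        raise ValueError(f"malformed flow tuple: {tup!r}")
                    events.append({
                        "time": when,
                        "sys_id": rec["systemId"],
                        "category": rec["category"],
                        "resource_id": rec["resourceId"],
                        "event_name": rec["operationName"],
                        "rule_name": rule["rule"],
                        "mac": flow["mac"],
                        "src_ip": f[1],
                        "dest_IP": f[2],
                        "src_port": f[3],
                        "dest_port": f[4],
                        "protocol": f[5],             # T = TCP, U = UDP
                        "traffic_destination": f[6],  # I = inbound, O = outbound
                        "traffic_a/d": f[7],          # A = allowed, D = denied
                        "flow_epoch": int(f[0]),      # extra: the tuple's own time
                    })
    return events


def denied_by_source(events):
    """Offline counterpart of the page's query: denied flows per (NSG, src_ip).
    The geo://default enrichment is left to Sumo."""
    return Counter((nsg_name(e["resource_id"]), e["src_ip"])
                   for e in events if e["traffic_a/d"] == "D")


if __name__ == "__main__":
    flows = flatten_flow_logs(RAW_BLOB)
    print(json.dumps(flows[0], indent=2))
    for (nsg, src), n in denied_by_source(flows).most_common():
        print(f"{nsg} {src} denied={n}")
```

Running it prints the first flattened flow, which matches the sample log message field for field, then the denied-flow counts per source (51.148.136.204 twice, 198.51.100.7 once). If your blobs carry "Version": 2, the extra tuple fields are where the per-flow byte and packet counts live, should you want them in the Sumo record.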