
Collect Logs for Azure Network Watcher

To collect NSG Flow Logs, at a high-level, perform the following steps:

  1. Enable NSG flow logs via the Azure Portal
  2. Configure a Sumo Logic Hosted Collector and HTTP Source
  3. Run the PowerShell scripts to stream logs to the Sumo Logic Hosted Collector

Enable NSG flow logs via the Azure Portal

  1. To enable NSG flow logs, follow the steps detailed in Microsoft's Azure Network Watcher documentation.

Configure a Hosted Collector and HTTP Source

  1. If you do not already have one set up, add a Hosted Collector. Make a note of the assigned URL; you will need it to configure the PowerShell Scripts.
  2. Add an HTTP Source
    1. For Time Zone, select UTC.
    2. All other settings can remain with their default values.

Run the PowerShell Scripts

  1. Download the PowerShell scripts.
  2. Extract the scripts to your desired location.
  3. Right click on each script (six in total) and click Properties > Unblock to unblock all of the scripts.
  4. Open the script azureConfig.ps1 in an editor and provide the value of $SUMO_URL. This should be set to the URL of the Sumo Logic Hosted Collector configured earlier. Save the file and close it.
  5. Open the PowerShell Integrated Scripting Environment and navigate to the directory where you extracted the scripts. Run the script by executing the following command:

    .\initSetup.ps1 <AzureStorageName> <AzureStorageAccessKey>

    AzureStorageName is the name of the Storage account where your Network Watcher Flow logs were configured to be stored when you enabled NSG flow logs via the Azure Portal.

    AzureStorageAccessKey is the access key for your storage account. You can find the access key in the Azure Portal at All resources > Your Storage Account > Access keys.

    The PowerShell script initSetup.ps1 will create all the environment variables and files required by the script SumoGetLogs.ps1.
  6. Open the Task Scheduler and create a new task to execute the SumoGetLogs.ps1 script every hour. This script will download blob log files from your storage account and stream flow logs to Sumo Logic's hosted collector.
    1. Enter a task name and select Run whether user is logged on or not.
    2. Add a Trigger to run indefinitely, every hour, every day.
    3. Add an Action to Start a program.
    4. For Program/script, provide the path to powershell.exe. For example: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    5. For Add arguments, specify the following arguments, including the leading hyphen ("-"):
      -ExecutionPolicy Bypass <directory where scripts were extracted>\SumoGetLogs.ps1 2>&1 ><directory where scripts were extracted>\log.txt
      For example (all on one line): -ExecutionPolicy Bypass C:\Network_Watcher_V1\SumoGetLogs.ps1 2>&1 >C:\Network_Watcher_V1\log.txt
      The script SumoGetLogs.ps1 will write its output to log.txt.
  7. Click OK and then OK again to finish creating the task. You can right click on the newly created task to run it manually for the first time, or wait for the next scheduled run.

After the script has run for the first time, review <directory where scripts were extracted>\log.txt to make sure there are no errors.
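Steps 6 and 7 can also be done from a PowerShell prompt with the ScheduledTasks module instead of clicking through the Task Scheduler UI. The following is an added example, not one of the Sumo Logic scripts; it assumes the scripts were extracted to C:\Network_Watcher_V1 and uses the task name SumoLogic-NSGFlowLogs (both are placeholders to adjust).

```powershell
# Added example: register the hourly SumoGetLogs.ps1 task without the Task Scheduler UI.
# Assumed values: extraction directory and task name are placeholders.
$ScriptDir  = 'C:\Network_Watcher_V1'
$TaskName   = 'SumoLogic-NSGFlowLogs'
$PowerShell = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'

# Same arguments as in step 6.5: bypass the execution policy for this invocation only and
# send both standard output and errors to log.txt so the run can be reviewed afterwards.
$Arguments = "-ExecutionPolicy Bypass $ScriptDir\SumoGetLogs.ps1 2>&1 >$ScriptDir\log.txt"
$Action = New-ScheduledTaskAction -Execute $PowerShell -Argument $Arguments -WorkingDirectory $ScriptDir

# Step 6.2: start today and repeat every hour indefinitely (no repetition duration = no end).
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).Date -RepetitionInterval (New-TimeSpan -Hours 1)

# Step 6.1: "Run whether user is logged on or not". The S4U logon type does this without
# storing the account's password in the task, and Limited avoids an elevated token the
# script does not need (it only reads blobs and posts to the HTTP Source).
$Principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" -LogonType S4U -RunLevel Limited

Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger -Principal $Principal `
    -Description 'Downloads NSG flow log blobs and streams them to the Sumo Logic HTTP Source' | Out-Null

# Step 7: run it once now instead of waiting for the first scheduled hour, then check the
# result code (0 means the last run exited cleanly) and the tail of log.txt for errors.
Start-ScheduledTask -TaskName $TaskName
Start-Sleep -Seconds 30
$Info = Get-ScheduledTaskInfo -TaskName $TaskName
"Last run: $($Info.LastRunTime)  result code: $($Info.LastTaskResult)"
if (Test-Path "$ScriptDir\log.txt") {
    Get-Content "$ScriptDir\log.txt" -Tail 20
}
```

The 30-second wait is only a convenience for a quick first look; a large backlog of blobs can take longer, so re-check log.txt after the run has actually finished.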