To collect NSG Flow Logs, at a high level, you need to perform the following steps:
- Enable NSG flow logs via the Azure Portal
- Configure a Sumo Logic Hosted Collector and HTTP Source
- Run the PowerShell scripts to stream logs to the Sumo Logic Hosted Collector
Enable NSG flow logs via the Azure Portal
- To enable NSG flow logs, follow the steps detailed in Microsoft's Azure Network Watcher documentation.
Configure a Hosted Collector and HTTP Source
Run the PowerShell Scripts
- Download the PowerShell scripts.
- Extract the scripts to your desired location.
- Right-click each script (total of six) and click Properties > Unblock to unblock all scripts.
- Open the script azureConfig.ps1 in an editor and provide the value of $SUMO_URL. This should be set to the URL of the Sumo Logic Hosted Collector configured earlier. Save the file and close it.
- Open the PowerShell Integrated Scripting Environment and navigate to the directory where you extracted the scripts. Run the script by executing the following command:
.\initSetup.ps1 <AzureStorageName> <AzureStorageAccessKey>
AzureStorageName is the name of the Storage account where your Network Watcher Flow logs were configured to be stored when you enabled NSG flow logs via the Azure Portal.
AzureStorageAccessKey is the access key for your storage account. You can find the access key in Azure Portal at All resources > Your Storage Account > Access keys.
initSetup.ps1 will create all the environment variables and files required by the script.
- Open the Task Scheduler and create a new task to execute the SumoGetLogs.ps1 script every hour. This script will download blob log files from your storage account and stream flow logs to Sumo Logic’s hosted collector.
- Create a task name, select Run whether user is logged on or not
- Add a Trigger to run indefinitely, every hour, every day
- Add an Action to Start a program.
- Program/script. Provide the path to powershell.exe. For example:
- Add arguments. Specify the following arguments, including the leading hyphen ("-"):
-ExecutionPolicy Bypass <directory where scripts were extracted>\SumoGetLogs.ps1 2>&1 ><directory where scripts were extracted>\log.txt
For example (all on one line):
-ExecutionPolicy Bypass C:\Network_Watcher_V1\SumoGetLogs.ps1 2>&1 >C:\Network_Watcher_V1\log.txt
The script, SumoGetLogs.ps1, will write to
- Click OK and then OK again to finish creating the task. You can right-click the newly created task to run it manually for the first time or wait for the next scheduled run.
After the script has run for the first time, review <directory where scripts were extracted>\log.txt to make sure there are no errors.
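The unblock, Task Scheduler and log review steps above can also be done from PowerShell. The following is an added example, not one of the downloaded scripts. It assumes the scripts were extracted to C:\Network_Watcher_V1 (the example directory used above), that initSetup.ps1 has already been run, and that the task runs as the account that ran initSetup.ps1; the task name and the error patterns searched for in log.txt are hypothetical.

```powershell
# Added example: scripted equivalent of the manual steps. Run it in
# Windows PowerShell after azureConfig.ps1 and initSetup.ps1 are done.
param(
    [string]$ScriptDir = 'C:\Network_Watcher_V1',   # the page's example directory
    [string]$TaskName  = 'SumoNsgFlowLogs'          # hypothetical task name
)
$ErrorActionPreference = 'Stop'
$script = Join-Path $ScriptDir 'SumoGetLogs.ps1'
$log    = Join-Path $ScriptDir 'log.txt'
if (-not (Test-Path $script)) { throw "SumoGetLogs.ps1 not found in $ScriptDir" }

# Scripted form of Properties > Unblock for every extracted script.
Get-ChildItem -Path $ScriptDir -Filter *.ps1 | Unblock-File

# Action: powershell.exe with the same arguments the page gives for the task.
$psExe    = (Get-Command powershell.exe).Path
$taskArgs = "-ExecutionPolicy Bypass $script 2>&1 >$log"
$action   = New-ScheduledTaskAction -Execute $psExe -Argument $taskArgs

# Trigger: hourly. On Windows 10 / Server 2016 and later, leaving out
# -RepetitionDuration makes the repetition indefinite.
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) `
    -RepetitionInterval (New-TimeSpan -Hours 1)

# Supplying a user name and password registers the task as
# "Run whether user is logged on or not".
$cred = Get-Credential -Message 'Account that ran initSetup.ps1'
Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password | Out-Null

# First run: start the task, wait for it to finish, then review log.txt.
Start-ScheduledTask -TaskName $TaskName
do { Start-Sleep -Seconds 5 } while ((Get-ScheduledTask -TaskName $TaskName).State -eq 'Running')
"Last task result: $((Get-ScheduledTaskInfo -TaskName $TaskName).LastTaskResult)"

# Assumed patterns; the format of log.txt is not described on the page.
$hits = Select-String -Path $log -Pattern 'error', 'exception'
if ($hits) {
    $hits | ForEach-Object { '{0}: {1}' -f $_.LineNumber, $_.Line }
} else {
    "No error lines found in $log"
}
```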