Microsoft Azure NSG Flow Logs

NSG flow logs are written to a storage account as block blobs (blobs assembled from smaller blocks). A new block blob is created for each hour of logging, and over that hour the blob grows as blocks containing the latest flow entries are appended every few minutes.

Integration with LogicHub

Connecting with Microsoft Azure NSG Flow Logs

To connect to Microsoft Azure NSG Flow Logs, the following details are required:

  • Label: Connection name.
  • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
  • Storage Account Name: Name of the storage account in which the flow logs are stored.
  • Storage Account Access Key: Access key used to authenticate to the Microsoft Azure Storage account. An account access key grants full access to every container in that storage account, so treat it as a high-privilege secret and rotate it on a schedule.

Actions with Microsoft Azure NSG Flow Logs

Get Logs

Fetches the flow log tuples of an Azure NSG flow log. Within each hourly blob, a new block is written roughly once per minute, and the action issues one request per one-minute block, so the number of requests grows linearly with the time range. For example, a one-hour range results in about 60 requests to Azure Storage to read all 60 blocks, which is slow; keep the time range as narrow as the investigation allows.

Inputs to this action

  • Resource Group: Resource group to which the storage account is linked.
  • NSG Name: Name of the NSG for which logs are to be retrieved.
  • MAC Address: Jinja-templated MAC address (hex digits without separators) of the network interface for which logs are to be retrieved. Example: 000D3AF65286
  • Start Time: Start time in ISO 8601 format for logs to be retrieved. Example: 2019-09-26T07:58:30.996+02:00. Default is the execution start time.
  • End Time: End time in ISO 8601 format for logs to be retrieved. Example: 2019-09-26T07:58:30.996+02:00. Default is the execution end time.

Output of Action
An array of JSON objects, one per row, each containing the following items:

  • has_error: True/False
  • error: message/null
  • result: one comma-separated flow log tuple (null when has_error is true)
{
   "error":null,
   "has_error":false,
   "result":"1620057588,10.0.0.4,20.150.87.132,48486,443,T,O,A,E,0,0,0,0"
}
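The result string above is a raw NSG flow tuple, which is awkward to filter on in a playbook. As an added example (not the LogicHub integration's own code), the following Python parses Get Logs output rows into typed flow tuples, skips rows flagged with has_error, and pulls out denied inbound flows plus a per-port byte total. The field layout follows the Azure NSG flow log schema: version 1 tuples carry 8 fields, and version 2 tuples like the one above carry 13 (flow state plus four traffic counters, which are empty on flow-state B tuples). The sample rows, addresses and counters are constructed for the example.

```python
"""Parse and triage NSG flow tuples returned by the Get Logs action.

Added example, not part of the LogicHub integration. Field layout follows the
Azure NSG flow log schema: version 1 tuples have 8 comma-separated fields,
version 2 tuples have 13 (flow state plus four traffic counters, which are
empty for flow state B).
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample of Get Logs output rows; addresses and counters are made up.
SAMPLE_ROWS = [
    {"has_error": False, "error": None,
     "result": "1620057588,10.0.0.4,20.150.87.132,48486,443,T,O,A,E,0,0,0,0"},
    {"has_error": False, "error": None,
     "result": "1620057590,203.0.113.7,10.0.0.4,51234,22,T,I,D,B,,,,"},
    {"has_error": False, "error": None,
     "result": "1620057601,198.51.100.9,10.0.0.4,40000,3389,T,I,D,E,12,960,0,0"},
    {"has_error": False, "error": None,
     "result": "1620057610,10.0.0.4,10.0.0.5,53211,53,U,O,A,C,4,300,4,600"},
    {"has_error": True, "error": "BlobNotFound", "result": None},  # constructed error row
]

PROTOCOL = {"T": "TCP", "U": "UDP"}
DIRECTION = {"I": "inbound", "O": "outbound"}
DECISION = {"A": "allowed", "D": "denied"}
FLOW_STATE = {"B": "begin", "C": "continuing", "E": "end"}


@dataclass
class FlowTuple:
    timestamp: datetime          # tuple's Unix epoch seconds, as an aware UTC datetime
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str                # "TCP" / "UDP"
    direction: str               # "inbound" / "outbound"
    decision: str                # "allowed" / "denied"
    flow_state: Optional[str]    # None for version 1 tuples
    packets_src_to_dst: int
    bytes_src_to_dst: int
    packets_dst_to_src: int
    bytes_dst_to_src: int


def _count(field: str) -> int:
    # Counters are empty strings on flow-state B tuples; treat them as zero.
    return int(field) if field else 0


def parse_tuple(raw: str) -> FlowTuple:
    """Parse one comma-separated flow tuple (version 1 or version 2)."""
    f = raw.split(",")
    if len(f) not in (8, 13):
        raise ValueError(f"unexpected field count {len(f)} in tuple {raw!r}")
    counters = f[9:13] if len(f) == 13 else ["", "", "", ""]
    return FlowTuple(
        timestamp=datetime.fromtimestamp(int(f[0]), tz=timezone.utc),
        src_ip=f[1],
        dst_ip=f[2],
        src_port=int(f[3]),
        dst_port=int(f[4]),
        protocol=PROTOCOL.get(f[5], f[5]),
        direction=DIRECTION.get(f[6], f[6]),
        decision=DECISION.get(f[7], f[7]),
        flow_state=FLOW_STATE.get(f[8], f[8]) if len(f) == 13 else None,
        packets_src_to_dst=_count(counters[0]),
        bytes_src_to_dst=_count(counters[1]),
        packets_dst_to_src=_count(counters[2]),
        bytes_dst_to_src=_count(counters[3]),
    )


def parse_rows(rows: List[dict]) -> Tuple[List[FlowTuple], List[str]]:
    """Split action output into parsed flows and the error messages of failed rows."""
    flows, errors = [], []
    for row in rows:
        if row.get("has_error"):
            errors.append(str(row.get("error")))
            continue
        flows.append(parse_tuple(row["result"]))
    return flows, errors


def denied_inbound(flows: List[FlowTuple]) -> List[FlowTuple]:
    """Inbound flows the NSG denied: the rows worth a closer look in an investigation."""
    return [f for f in flows if f.direction == "inbound" and f.decision == "denied"]


def bytes_by_dst_port(flows: List[FlowTuple]) -> Dict[int, int]:
    """Total bytes in both directions per destination port (version 2 counters only)."""
    totals: Dict[int, int] = {}
    for f in flows:
        totals[f.dst_port] = totals.get(f.dst_port, 0) + f.bytes_src_to_dst + f.bytes_dst_to_src
    return totals


if __name__ == "__main__":
    flows, errors = parse_rows(SAMPLE_ROWS)
    for f in denied_inbound(flows):
        print(f"{f.timestamp.isoformat()} {f.src_ip}:{f.src_port} -> "
              f"{f.dst_ip}:{f.dst_port} {f.protocol} {f.decision}")
    print("bytes per destination port:", bytes_by_dst_port(flows))
    print("rows with errors:", errors)
```

Because flow-state B tuples carry no counters, byte totals only reflect C and E records; if you need per-flow volume, match B/C/E records on the 5-tuple and use the last E record for that flow.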
