
Commit 353a93a

Merge pull request #233222 from halkazwini/nw-nsg-flow5
Network Watcher: Updates: Flow logs for network security groups
2 parents 758287e + 7672ec1 commit 353a93a


1 file changed

+115
-28
lines changed


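--- a/articles/network-watcher/network-watcher-nsg-flow-logging-overview.md
+++ b/articles/network-watcher/network-watcher-nsg-flow-logging-overview.md
@@ -7,7 +7,7 @@ author: halkazwini
 ms.service: network-watcher
 ms.topic: conceptual
 ms.workload: infrastructure-services
-ms.date: 03/15/2023
+ms.date: 04/03/2023
 ms.author: halkazwini
 ms.custom: template-concept, engagement-fy23
 ---
@@ -193,35 +193,120 @@ Here's an example format of a version 1 NSG flow log:
 ]
 }
 },
-"records":
-[
-
-{
-"time": "2017-02-16T22:00:32.8950000Z",
-"systemId": "2c002c16-72f3-4dc5-b391-3444c3527434",
-"category": "NetworkSecurityGroupFlowEvent",
-"resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/FABRIKAMRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/FABRIAKMVM1-NSG",
-"operationName": "NetworkSecurityGroupFlowEvents",
-"properties": {"Version":1,"flows":[{"rule":"DefaultRule_DenyAllInBound","flows":[{"mac":"000D3AF8801A","flowTuples":["1487282421,42.119.146.95,10.1.0.4,51529,5358,T,I,D"]}]},{"rule":"UserRule_default-allow-rdp","flows":[{"mac":"000D3AF8801A","flowTuples":["1487282370,163.28.66.17,10.1.0.4,61771,3389,T,I,A","1487282393,5.39.218.34,10.1.0.4,58596,3389,T,I,A","1487282393,91.224.160.154,10.1.0.4,61540,3389,T,I,A","1487282423,13.76.89.229,10.1.0.4,53163,3389,T,I,A"]}]}]}
-}
-,
-{
-"time": "2017-02-16T22:01:32.8960000Z",
-"systemId": "2c002c16-72f3-4dc5-b391-3444c3527434",
-"category": "NetworkSecurityGroupFlowEvent",
-"resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/FABRIKAMRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/FABRIAKMVM1-NSG",
-"operationName": "NetworkSecurityGroupFlowEvents",
-"properties": {"Version":1,"flows":[{"rule":"DefaultRule_DenyAllInBound","flows":[{"mac":"000D3AF8801A","flowTuples":["1487282481,195.78.210.194,10.1.0.4,53,1732,U,I,D"]}]},{"rule":"UserRule_default-allow-rdp","flows":[{"mac":"000D3AF8801A","flowTuples":["1487282435,61.129.251.68,10.1.0.4,57776,3389,T,I,A","1487282454,84.25.174.170,10.1.0.4,59085,3389,T,I,A","1487282477,77.68.9.50,10.1.0.4,65078,3389,T,I,A"]}]}]}
-}
-,
 {
-"time": "2017-02-16T22:02:32.9040000Z",
-"systemId": "2c002c16-72f3-4dc5-b391-3444c3527434",
-"category": "NetworkSecurityGroupFlowEvent",
-"resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/FABRIKAMRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/FABRIAKMVM1-NSG",
-"operationName": "NetworkSecurityGroupFlowEvents",
-"properties": {"Version":1,"flows":[{"rule":"DefaultRule_DenyAllInBound","flows":[{"mac":"000D3AF8801A","flowTuples":["1487282492,175.182.69.29,10.1.0.4,28918,5358,T,I,D","1487282505,71.6.216.55,10.1.0.4,8080,8080,T,I,D"]}]},{"rule":"UserRule_default-allow-rdp","flows":[{"mac":"000D3AF8801A","flowTuples":["1487282512,91.224.160.154,10.1.0.4,59046,3389,T,I,A"]}]}]}
+"records": [
+{
+"time": "2017-02-16T22:00:32.8950000Z",
+"systemId": "2c002c16-72f3-4dc5-b391-3444c3527434",
+"category": "NetworkSecurityGroupFlowEvent",
+"resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/FABRIKAMRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/FABRIAKMVM1-NSG",
+"operationName": "NetworkSecurityGroupFlowEvents",
+"properties": {
+"Version": 1,
+"flows": [
+{
+"rule": "DefaultRule_DenyAllInBound",
+"flows": [
+{
+"mac": "000D3AF8801A",
+"flowTuples": [
+"1487282421,42.119.146.95,10.1.0.4,51529,5358,T,I,D"
+]
+}
+]
+},
+{
+"rule": "UserRule_default-allow-rdp",
+"flows": [
+{
+"mac": "000D3AF8801A",
+"flowTuples": [
+"1487282370,163.28.66.17,10.1.0.4,61771,3389,T,I,A",
+"1487282393,5.39.218.34,10.1.0.4,58596,3389,T,I,A",
+"1487282393,91.224.160.154,10.1.0.4,61540,3389,T,I,A",
+"1487282423,13.76.89.229,10.1.0.4,53163,3389,T,I,A"
+]
+}
+]
+}
+]
+}
+},
+{
+"time": "2017-02-16T22:01:32.8960000Z",
+"systemId": "2c002c16-72f3-4dc5-b391-3444c3527434",
+"category": "NetworkSecurityGroupFlowEvent",
+"resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/FABRIKAMRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/FABRIAKMVM1-NSG",
+"operationName": "NetworkSecurityGroupFlowEvents",
+"properties": {
+"Version": 1,
+"flows": [
+{
+"rule": "DefaultRule_DenyAllInBound",
+"flows": [
+{
+"mac": "000D3AF8801A",
+"flowTuples": [
+"1487282481,195.78.210.194,10.1.0.4,53,1732,U,I,D"
+]
+}
+]
+},
+{
+"rule": "UserRule_default-allow-rdp",
+"flows": [
+{
+"mac": "000D3AF8801A",
+"flowTuples": [
+"1487282435,61.129.251.68,10.1.0.4,57776,3389,T,I,A",
+"1487282454,84.25.174.170,10.1.0.4,59085,3389,T,I,A",
+"1487282477,77.68.9.50,10.1.0.4,65078,3389,T,I,A"
+]
+}
+]
+}
+]
+}
+},
+{
+"time": "2017-02-16T22:02:32.9040000Z",
+"systemId": "2c002c16-72f3-4dc5-b391-3444c3527434",
+"category": "NetworkSecurityGroupFlowEvent",
+"resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/FABRIKAMRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/FABRIAKMVM1-NSG",
+"operationName": "NetworkSecurityGroupFlowEvents",
+"properties": {
+"Version": 1,
+"flows": [
+{
+"rule": "DefaultRule_DenyAllInBound",
+"flows": [
+{
+"mac": "000D3AF8801A",
+"flowTuples": [
+"1487282492,175.182.69.29,10.1.0.4,28918,5358,T,I,D",
+"1487282505,71.6.216.55,10.1.0.4,8080,8080,T,I,D"
+]
+}
+]
+},
+{
+"rule": "UserRule_default-allow-rdp",
+"flows": [
+{
+"mac": "000D3AF8801A",
+"flowTuples": [
+"1487282512,91.224.160.154,10.1.0.4,59046,3389,T,I,A"
+]
+}
+]
+}
+]
+}
+}
+]
 }
+]
+}
 
 
 ```
@@ -298,6 +383,8 @@ Here's an example format of a version 2 NSG flow log:
 ]
 }
 }
+]
+}
 
 ```
 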