View Azure NSG Flow Logs In Powershell

PowerShell on Arch Linux – pikedom.com

Azure can be chatty at the best of time and NSG flow logs are no exception. With this large volume comes cost and ingesting them into your SIEM may add to the pocket. Because of this, I created a simple script to display the NSG logs in a standard format. The reason being is reading this can be tiresome, especially when working in quantity:

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview

Instead you can use something like Azure_NSGLogger to make life easier.
https://github.com/securethelogs/Powershell/blob/master/Azure/Azure_NSGLogger.ps1

All you need to do is download your JSON file within your storage account which hosts your NSG logs (Help) . Once you have the file, run the script, give the location of file (Full path) and read …. simple.

Azure_NSGLogger gives multiple options, such as the GUI option for those not wanting console view:

This method allows you to dynamically filter and search through the logs. Alternative options would be to either display all within Powershell or to filter by IP or Port.

Hopefully you find this useful and for similar scripts, please visit my GitHub: https://github.com/securethelogs 🙂

Securethelogs

, , , , , ,

8 responses to “View Azure NSG Flow Logs In Powershell”

  1. JV avatar
    JV

    Thank you for the reply! I am using the console and running the script via Powershell on linux.
    Also – I had initially tried to email via the link at the bottom of this page and got a delivery error. =)

    Like

  2. Securethelogs avatar
    Securethelogs

    Hey, I’ve not experienced myself but how are you outputting?

    Console or Outgrid ?

    Like

  3. JV avatar
    JV

    Thank you for creating such a useful tool. I was just starting out on attempting to parse these out into a usable format when I found your script.

    However, my output seems to be missing the majority of events. If I dump the flow tuples out, I have about 20k events. When using the tool, I end up with about 2k events. I have no powershell experience, but looking over the script I don’t see anything that would be limiting the output to unique entries or anything like that.

    Is this something you have experienced in the past?

    Like

  4. Building an NSG logger avatar
    Building an NSG logger

    […] Securethelogs Blue Team, Cyber Security, Enterprise 23rd Oct 202023rd Oct 2020 7 Minutes https://securethelogs.com/2020/09/17/view-azure-nsg-flow-logs-in-powershell/ […]

    Like

  5. Securethelogs avatar
    Securethelogs

    You’re welcome 🙂 glad you like it.

    Like

  6. avatar
    Anonymous

    Thanks for this script! I love it.

    Liked by 1 person

  7. Securethelogs avatar
    Securethelogs

    Because unless I’m wrong there is a pre-req to have Log analytics enable which comes at a cost? All I’ve heard about LA is be very careful enabling as it’s where all the money goes.

    Like

  8. gobinath avatar
    gobinath

    why didnt you use traffic analytics?

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: