View Azure NSG Flow Logs In Powershell

PowerShell on Arch Linux

Azure can be chatty at the best of times, and NSG flow logs are no exception. With this large volume comes cost, and ingesting them into your SIEM may add to the bill. Because of this, I created a simple script to display the NSG logs in a standard format. The reason is that reading the raw logs can be tiresome, especially when working with them in quantity:

Instead you can use something like Azure_NSGLogger to make life easier.

All you need to do is download the JSON file from the storage account that hosts your NSG logs (Help). Once you have the file, run the script, give it the location of the file (full path) and read …. simple.

Azure_NSGLogger gives multiple options, such as the GUI option for those not wanting console view:

This method allows you to dynamically filter and search through the logs. Alternatively, you can display everything within PowerShell, or filter by IP or port.
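An added example, not part of the original post and not the Azure_NSGLogger source: a minimal PowerShell parser that flattens every tuple in an NSG flow log file into one row, with the IP and port filters described above. The function name, its parameters and the sample record are constructed for illustration; the tuple layout follows Azure's version 1 and version 2 flow log formats.

```powershell
# Added example, not Azure_NSGLogger's code; function and parameter names are hypothetical.
function ConvertFrom-NsgFlowLog {
    param(
        [Parameter(Mandatory)][string]$Json,  # raw text of the downloaded flow log file
        [string]$IP,                          # optional: keep flows with this source or destination IP
        [int]$Port                            # optional: keep flows with this source or destination port
    )
    # Tuple field order; version 1 tuples stop after Decision, version 2 adds the last five.
    $fields = 'Time','SrcIP','DstIP','SrcPort','DstPort','Protocol','Direction','Decision',
              'State','PktsSrcToDst','BytesSrcToDst','PktsDstToSrc','BytesDstToSrc'
    $names  = @{ T='TCP'; U='UDP'; I='Inbound'; O='Outbound'; A='Allow'; D='Deny'
                 B='Begin'; C='Continuing'; E='End' }
    foreach ($record in ($Json | ConvertFrom-Json).records) {
      foreach ($rule in $record.properties.flows) {        # one entry per NSG rule
        foreach ($nic in $rule.flows) {                    # one entry per NIC (MAC)
          foreach ($tuple in $nic.flowTuples) {            # one event per tuple, none skipped
            $v   = $tuple -split ','
            $row = [ordered]@{ Rule = $rule.rule; Mac = $nic.mac }
            for ($i = 0; $i -lt $fields.Count; $i++) {
                $row[$fields[$i]] = if ($i -lt $v.Count) { $v[$i] } else { '' }
            }
            $row.Time = [DateTimeOffset]::FromUnixTimeSeconds([long]$v[0]).UtcDateTime
            foreach ($f in 'Protocol','Direction','Decision','State') {
                if ($names.ContainsKey($row[$f])) { $row[$f] = $names[$row[$f]] }
            }
            if ($IP -and $IP -ne $row.SrcIP -and $IP -ne $row.DstIP) { continue }
            if ($Port -and $Port -ne [int]$row.SrcPort -and $Port -ne [int]$row.DstPort) { continue }
            [pscustomobject]$row
          }
        }
      }
    }
}

# Constructed sample record (documentation IP ranges), not real log data.
$sample = @'
{"records":[{"time":"2020-10-23T10:00:00.0000000Z","category":"NetworkSecurityGroupFlowEvent",
 "properties":{"Version":2,"flows":[
  {"rule":"DefaultRule_DenyAllInBound","flows":[{"mac":"000D3A000001","flowTuples":[
    "1603447200,203.0.113.7,10.0.0.4,51514,3389,T,I,D,B,,,,",
    "1603447205,198.51.100.9,10.0.0.4,40022,22,T,I,D,B,,,,"]}]},
  {"rule":"UserRule_AllowHttpsOut","flows":[{"mac":"000D3A000001","flowTuples":[
    "1603447210,10.0.0.4,203.0.113.7,44931,443,T,O,A,E,12,1840,10,9120"]}]}]}}]}
'@
ConvertFrom-NsgFlowLog -Json $sample | Format-Table Time, Rule, SrcIP, DstIP, DstPort, Decision
ConvertFrom-NsgFlowLog -Json $sample -Port 3389 | Format-List
# For a real file: ConvertFrom-NsgFlowLog -Json (Get-Content -Raw '/full/path/to/PT1H.json')
```

Comparing the number of rows returned with the number of `flowTuples` entries in the file is a quick check that no events were dropped while flattening.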

Hopefully you find this useful and for similar scripts, please visit my GitHub: 🙂

8 responses to “View Azure NSG Flow Logs In Powershell”

  1. JV avatar

    Thank you for the reply! I am using the console and running the script via Powershell on linux.
    Also – I had initially tried to email via the link at the bottom of this page and got a delivery error. =)


  2. Securethelogs avatar

    Hey, I’ve not experienced myself but how are you outputting?

    Console or Outgrid ?


  3. JV avatar

    Thank you for creating such a useful tool. I was just starting out on attempting to parse these out into a usable format when I found your script.

    However, my output seems to be missing the majority of events. If I dump the flow tuples out, I have about 20k events. When using the tool, I end up with about 2k events. I have no powershell experience, but looking over the script I don’t see anything that would be limiting the output to unique entries or anything like that.

    Is this something you have experienced in the past?


  4. Building an NSG logger avatar

    […] Securethelogs Blue Team, Cyber Security, Enterprise 23rd Oct 2020 7 Minutes […]


  5. Securethelogs avatar

    You’re welcome 🙂 glad you like it.


  6.  avatar

    Thanks for this script! I love it.


  7. Securethelogs avatar

    Because unless I’m wrong there is a pre-req to have Log Analytics enabled, which comes at a cost? All I’ve heard about LA is be very careful enabling it, as it’s where all the money goes.


  8. gobinath avatar

    Why didn’t you use Traffic Analytics?

