View Azure NSG Flow Logs In Powershell


Azure can be chatty at the best of times, and NSG flow logs are no exception. This large volume comes with a cost, and ingesting the logs into your SIEM may add to it. Because of this, I created a simple script to display the NSG logs in a standard format, since reading the raw format can be tiresome, especially when working in quantity:

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview

Instead you can use something like Azure_NSGLogger to make life easier.
https://github.com/securethelogs/Powershell/blob/master/Azure/Azure_NSGLogger.ps1

All you need to do is download the JSON file from the storage account that hosts your NSG logs (Help). Once you have the file, run the script, give the location of the file (full path) and read … simple.

Azure_NSGLogger gives multiple options, such as the GUI option for those not wanting console view:

This method allows you to dynamically filter and search through the logs. Alternative options would be to either display all within PowerShell or to filter by IP or port.
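To show what flattening and filtering these logs involves, here is an added sketch; it is not taken from Azure_NSGLogger. It walks every nested level of the flow log JSON (record, rule, MAC, tuple) and follows the tuple layout documented in the Microsoft overview linked above. The function name `ConvertFrom-NsgFlowLog`, its parameters and the sample record are made up for illustration.

```powershell
# Added example: flatten an NSG flow log file into one object per flow tuple.
# ConvertFrom-NsgFlowLog and its parameters are hypothetical names for this sketch.
function ConvertFrom-NsgFlowLog {
    param(
        [Parameter(Mandatory)][string]$Json,   # raw text of the downloaded JSON file
        [string]$IP,                            # optional: match source or destination IP
        [int]$Port = -1                         # optional: match source or destination port
    )
    $protocol  = @{ T = 'TCP'; U = 'UDP' }
    $direction = @{ I = 'Inbound'; O = 'Outbound' }
    $decision  = @{ A = 'Allow'; D = 'Deny' }
    foreach ($record in ($Json | ConvertFrom-Json).records) {
        foreach ($ruleGroup in $record.properties.flows) {   # one entry per NSG rule
            foreach ($macGroup in $ruleGroup.flows) {        # one entry per NIC MAC
                foreach ($tuple in $macGroup.flowTuples) {
                    $f = $tuple -split ','
                    if ($IP -and $f[1] -ne $IP -and $f[2] -ne $IP) { continue }
                    if ($Port -ge 0 -and [int]$f[3] -ne $Port -and [int]$f[4] -ne $Port) { continue }
                    [pscustomobject]@{
                        Time      = [DateTimeOffset]::FromUnixTimeSeconds([long]$f[0]).UtcDateTime
                        Rule      = $ruleGroup.rule
                        SrcIP     = $f[1]
                        DstIP     = $f[2]
                        SrcPort   = [int]$f[3]
                        DstPort   = [int]$f[4]
                        Protocol  = $protocol[$f[5]]
                        Direction = $direction[$f[6]]
                        Decision  = $decision[$f[7]]
                        # Version 2 tuples add a flow state (B/C/E); version 1 tuples stop at the decision
                        State     = if ($f.Count -gt 8) { $f[8] } else { $null }
                    }
                }
            }
        }
    }
}

# Constructed sample record (documentation IP ranges, not real traffic)
$sample = @'
{"records":[{"time":"2024-01-01T00:00:00.0000000Z","category":"NetworkSecurityGroupFlowEvent",
 "properties":{"Version":2,"flows":[
  {"rule":"DefaultRule_DenyAllInBound","flows":[{"mac":"000D3AF87856","flowTuples":[
    "1704067200,203.0.113.7,10.0.0.4,51512,3389,T,I,D,B,,,,"]}]},
  {"rule":"UserRule_AllowHttps","flows":[{"mac":"000D3AF87856","flowTuples":[
    "1704067205,198.51.100.9,10.0.0.4,44931,443,T,I,A,E,12,1840,10,9200"]}]}]}}]}
'@
ConvertFrom-NsgFlowLog -Json $sample -Port 3389 | Format-Table
```

For a downloaded file, pass `(Get-Content -Raw <full path>)` as `-Json`; comparing the number of objects returned with the number of raw tuples confirms that no nesting level was skipped.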

Hopefully you find this useful and for similar scripts, please visit my GitHub: https://github.com/securethelogs 🙂

8 responses to “View Azure NSG Flow Logs In Powershell”

    • Because unless I’m wrong there is a pre-req to have Log analytics enabled which comes at a cost? All I’ve heard about LA is be very careful enabling as it’s where all the money goes.


  1. Thank you for creating such a useful tool. I was just starting out on attempting to parse these out into a usable format when I found your script.

    However, my output seems to be missing the majority of events. If I dump the flow tuples out, I have about 20k events. When using the tool, I end up with about 2k events. I have no powershell experience, but looking over the script I don’t see anything that would be limiting the output to unique entries or anything like that.

    Is this something you have experienced in the past?


      • Thank you for the reply! I am using the console and running the script via Powershell on linux.
        Also – I had initially tried to email via the link at the bottom of this page and got a delivery error. =)

