Azure NSG Flow Logs (10401 / 20401)
Description
This module reports NSG Flow Logs ingested from Azure, translating each flow record one-to-one into syslog or JSON format and enriching it with Azure data (subscription, VM, NSG, virtual network, subnet, region, resource group) that NSG Flow Logs do not carry natively.
Parameters
| Parameter Name | Description | Comments | 
|---|---|---|
| Azure VM Instances | VM inventory: IPv4 and IPv6 addresses, Subscription ID and Name, VM Name, NSG Name, Virtual Network Name, Subnet Name, Region, Resource Group Name | Provided by EDF agent | 
| Azure IPv4 Routes | IP range, source and destination Virtual Network hash | Provided by EDF agent | 
| Azure IPv6 Routes | IP range, source and destination Virtual Network hash | Provided by EDF agent | 
| Azure IPv4 Ranges | IPv4 ranges, Service name, Region | Provided by EDF agent | 
| Azure IPv6 Ranges | IPv6 ranges, Service name, Region | Provided by EDF agent | 
Input
Azure NSG Flow Logs. Packet and byte counters are only present in flow log version 2 records; version 1 tuples carry no counters.
Syslog/JSON Message Fields
| Key | Field Description | Comments | 
|---|---|---|
| nfc_id | Message type identifier | “nfc_id=20401” | 
| exp_ip | Exporter IPv4 address | <IPv4 address> (added for compatibility with other flow formats) | 
| protocol | Transport protocol (TCP = 6, UDP = 17) | <number>; Azure encodes the protocol in the flow tuple as “T” or “U”, translated here to the IANA protocol number | 
| direction | Direction of the traffic flow relative to the VM network interface | <string>, Azure reports “I” for inbound and “O” for outbound | 
| decision | Whether traffic was allowed or denied by the matching NSG rule | <string>, valid values are “A” for allowed and “D” for denied | 
| state | State of the flow | <string>, possible states are “B”: Begin, “C”: Continuing, “E”: End. Packet and byte counters are only carried for “C” and “E” records | 
| src_ip | Source IPv4 address (a VM instance or an external host) | <IPv4 address> | 
| [src_ip6] | Source IPv6 address | <IPv6 address> | 
| [src_host] | Source host name | <string>, included when FQDN is on | 
| [src_subs_id] | Source Subscription ID | <string>; this and the other bracketed src_* fields are only present when the source address matches a known Azure VM instance | 
| [src_subs_name] | Source Subscription Name | <string> | 
| [src_vm_name] | Source VM name | <string> | 
| [src_nsg_name] | Source NSG name | <string> | 
| [src_vnet_name] | Source Virtual Network name | <string> | 
| [src_subnetwork_name] | Source Subnet name | <string> | 
| [src_region] | Source Region | <string> | 
| [src_res_grp_name] | Source Resource Group Name | <string> | 
| src_port | Source port number | <number> | 
| dest_ip | Destination IPv4 address (a VM instance or an external host) | <IPv4 address> | 
| [dest_ip6] | Destination IPv6 address | <IPv6 address> | 
| [dest_host] | Destination host name | <string>, included when FQDN is on | 
| [dest_subs_id] | Destination Subscription ID | <string>; this and the other bracketed dest_* fields are only present when the destination address matches a known Azure VM instance | 
| [dest_subs_name] | Destination Subscription Name | <string> | 
| [dest_vm_name] | Destination VM name | <string> | 
| [dest_nsg_name] | Destination NSG name | <string> | 
| [dest_vnet_name] | Destination Virtual Network name | <string> | 
| [dest_subnetwork_name] | Destination Subnet name | <string> | 
| [dest_region] | Destination Region | <string> | 
| [dest_res_grp_name] | Destination Resource Group Name | <string> | 
| dest_port | Destination port number | <number> | 
| packets_in | Total number of packets in the consolidated flows from the source to the destination | <number> | 
| bytes_in | Total number of Layer 3 bytes in the packets of the consolidated flows from the source to the destination | <number> | 
| packets_out | Total number of packets in the consolidated flows from the destination to the source | <number> | 
| bytes_out | Total number of Layer 3 bytes in the packets of the consolidated flows from the destination to the source | <number> | 
| flow_time | Time stamp of the flow, taken from the Azure flow tuple (which carries it as Unix epoch seconds) | <time> |
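The following is an added worked example, not the module's own code, showing how an Azure NSG flow log version 2 record is flattened into the field set in the table above and enriched from the Azure VM Instances parameter described earlier. The sample record, the VM inventory and the exporter address are constructed for the example; the decision to report 0 for the counters of “B” records (which carry none) is an assumption made here.

```python
"""Translate Azure NSG flow log (version 2) records into the flat nfc_id=20401
field set, enriching src/dest with VM inventory data. Added example; not the
module's own code."""
import json
from typing import Dict, List

NFC_ID = 20401
PROTOCOLS = {"T": 6, "U": 17}  # Azure encodes transport as T/U; reported as IANA numbers

# Constructed stand-in for the "Azure VM Instances" parameter (normally supplied by
# the EDF agent): private IPv4 -> enrichment attributes. All values are made up.
VM_INVENTORY: Dict[str, Dict[str, str]] = {
    "10.5.16.4": {
        "subs_id": "11111111-2222-3333-4444-555555555555",
        "subs_name": "prod-sub",
        "vm_name": "web-01",
        "nsg_name": "web-nsg",
        "vnet_name": "prod-vnet",
        "subnetwork_name": "web-subnet",
        "region": "westeurope",
        "res_grp_name": "prod-rg",
    },
}

# Constructed NSG flow log v2 record. Field order inside each flow tuple:
# time,srcIp,dstIp,srcPort,dstPort,proto(T/U),dir(I/O),decision(A/D),
# state(B/C/E),packetsSent,bytesSent,packetsReceived,bytesReceived
SAMPLE_RECORD = json.dumps({
    "category": "NetworkSecurityGroupFlowEvent",
    "properties": {
        "Version": 2,
        "flows": [
            {"rule": "DefaultRule_DenyAllInBound",
             "flows": [{"mac": "000D3AF87856", "flowTuples": [
                 "1542110402,94.102.49.190,10.5.16.4,28746,443,U,I,D,B,,,,"]}]},
            {"rule": "AllowInternetOutBound",
             "flows": [{"mac": "000D3AF87856", "flowTuples": [
                 "1542110405,10.5.16.4,13.107.4.52,51234,443,T,O,A,E,10,1500,8,4000"]}]},
        ],
    },
})


def _count(value: str) -> int:
    # "B" (begin) tuples carry no packet/byte counts; report 0 for them (assumption).
    return int(value) if value else 0


def parse_flow_tuple(raw: str, exporter_ip: str) -> Dict[str, object]:
    """Map one comma-separated Azure flow tuple onto the page's field names."""
    f = raw.split(",")
    if len(f) != 13:
        raise ValueError(f"expected 13 fields in a v2 flow tuple, got {len(f)}: {raw!r}")
    if f[5] not in PROTOCOLS:
        raise ValueError(f"unknown protocol code {f[5]!r}")
    return {
        "nfc_id": NFC_ID,
        "exp_ip": exporter_ip,
        "protocol": PROTOCOLS[f[5]],
        "direction": f[6],
        "decision": f[7],
        "state": f[8],
        "src_ip": f[1],
        "src_port": int(f[3]),
        "dest_ip": f[2],
        "dest_port": int(f[4]),
        "packets_in": _count(f[9]),    # source -> destination
        "bytes_in": _count(f[10]),
        "packets_out": _count(f[11]),  # destination -> source
        "bytes_out": _count(f[12]),
        "flow_time": int(f[0]),        # Unix epoch seconds
    }


def enrich(event: Dict[str, object]) -> Dict[str, object]:
    """Add the optional [src_*]/[dest_*] fields for addresses that match a known VM."""
    for side in ("src", "dest"):
        info = VM_INVENTORY.get(str(event[f"{side}_ip"]))
        if info:
            for key, value in info.items():
                event[f"{side}_{key}"] = value
    return event


def translate(record_json: str, exporter_ip: str) -> List[Dict[str, object]]:
    """Flatten an NSG flow log record into one enriched event per flow tuple."""
    props = json.loads(record_json)["properties"]
    if props.get("Version") != 2:
        raise ValueError("only NSG flow log version 2 tuples are handled here")
    return [enrich(parse_flow_tuple(raw, exporter_ip))
            for rule in props["flows"]
            for flow in rule["flows"]
            for raw in flow["flowTuples"]]


def to_syslog(event: Dict[str, object]) -> str:
    """Render an event as a key=value syslog payload, one pair per field."""
    return " ".join(f"{k}={v}" for k, v in event.items())


if __name__ == "__main__":
    for ev in translate(SAMPLE_RECORD, "10.0.0.1"):
        print(to_syslog(ev))
        print(json.dumps(ev))
```

The inbound denied tuple has no counters and does not match a VM on the source side, so it gets zeroed counters and only dest_* enrichment; the outbound tuple yields real counters and src_* enrichment. A tuple with the wrong field count or an unknown protocol code is rejected rather than silently mis-mapped.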