Azure NSG Flow Logs (10401 / 20401)

Description

This module reports NSG Flow Logs ingested from the Azure cloud, translating them one-to-one into syslog or JSON format and enriching them with Azure data that NSG Flow Logs do not carry natively.

Parameters

| Parameter Name | Description | Comments |
| --- | --- | --- |
| Azure VM Instances | VMs with IPv4, IPv6, Subscription ID, Subscription Name, VM Name, NSG Name, Virtual Network Name, etc. | Provided by EDF agent |
| Azure IPv4 Routes | IP range, source and destination Virtual Network hash | Provided by EDF agent |
| Azure IPv6 Routes | IP range, source and destination Virtual Network hash | Provided by EDF agent |
| Azure IPv4 Ranges | IPv4 ranges, Service name, Region | Provided by EDF agent |
| Azure IPv6 Ranges | IPv6 ranges, Service name, Region | Provided by EDF agent |

Input

Azure NSG Flow Logs

Syslog/JSON Message Fields

Keys shown in square brackets are optional and appear only when the corresponding data is available.

| Key | Field Description | Comments |
| --- | --- | --- |
| nfc_id | Message type identifier | “nfc_id=20401” |
| exp_ip | Exporter IPv4 address | <IPv4 address> (added for compatibility with other flows) |
| protocol | Transport Protocol (TCP = 6, UDP = 17) | <number> |
| direction | The direction of the traffic flow | <string> |
| decision | Whether traffic was allowed or denied | <string>, valid values are “A” for allowed and “D” for denied |
| state | State of the flow | <string>, possible states are “B”: Begin, “C”: Continuing, “E”: End |
| src_ip | Source VM instance IPv4 address | <IPv4 address> |
| [src_ip6] | Source VM instance IPv6 address | <IPv6 address> |
| [src_host] | Source host name | <string>, included when FQDN is on |
| [src_subs_id] | Source Subscription ID | <string> |
| [src_subs_name] | Source Subscription Name | <string> |
| [src_vm_name] | Source VM name | <string> |
| [src_nsg_name] | Source NSG name | <string> |
| [src_vnet_name] | Source Virtual Network name | <string> |
| [src_subnetwork_name] | Source Subnet name | <string> |
| [src_region] | Source Region | <string> |
| [src_res_grp_name] | Source Resource Group Name | <string> |
| src_port | Source port number | <number> |
| dest_ip | Destination VM instance IPv4 address | <IPv4 address> |
| [dest_ip6] | Destination VM instance IPv6 address | <IPv6 address> |
| [dest_host] | Destination host name | <string>, included when FQDN is on |
| [dest_subs_id] | Destination Subscription ID | <string> |
| [dest_subs_name] | Destination Subscription Name | <string> |
| [dest_vm_name] | Destination VM name | <string> |
| [dest_nsg_name] | Destination NSG name | <string> |
| [dest_vnet_name] | Destination Virtual Network name | <string> |
| [dest_subnetwork_name] | Destination Subnet name | <string> |
| [dest_region] | Destination Region | <string> |
| [dest_res_grp_name] | Destination Resource Group Name | <string> |
| dest_port | Destination port number | <number> |
| packets_in | Total number of packets in the consolidated flows from the source to the destination | <number> |
| bytes_in | Total number of Layer 3 bytes in the packets of the consolidated flows from the source to the destination | <number> |
| packets_out | Total number of packets in the consolidated flows from the destination to the source | <number> |
| bytes_out | Total number of Layer 3 bytes in the packets of the consolidated flows from the destination to the source | <number> |
| flow_time | Time stamp of when the flow occurred | <time> |
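As an added example (not code from this module or its documentation), a small Python validator that parses a syslog-style message against the field table above, checking the required keys, the numeric and IP-typed fields and the “A”/“D” and “B”/“C”/“E” enumerations. The space-separated key=value layout, the double-quoting of string values and the sample line are assumptions.

```python
"""Parse and validate one syslog-style NSG Flow Log message against the field table."""
import ipaddress
import re
from typing import Any, Dict

# Constructed sample line (assumption: space-separated key=value pairs, strings quoted).
SAMPLE = ('nfc_id=20401 exp_ip=10.0.0.4 protocol=6 direction=I decision=D state=B '
          'src_ip=10.0.1.5 src_vm_name="web-01" src_port=51234 dest_ip=10.0.2.7 '
          'dest_port=22 packets_in=3 bytes_in=180 packets_out=0 bytes_out=0 '
          'flow_time=1710000000')

# Keys without square brackets in the table are always present.
REQUIRED = {"nfc_id", "exp_ip", "protocol", "direction", "decision", "state",
            "src_ip", "src_port", "dest_ip", "dest_port",
            "packets_in", "bytes_in", "packets_out", "bytes_out", "flow_time"}
INT_KEYS = {"protocol", "src_port", "dest_port", "packets_in", "bytes_in",
            "packets_out", "bytes_out", "flow_time"}
IPV4_KEYS = {"exp_ip", "src_ip", "dest_ip"}
IPV6_KEYS = {"src_ip6", "dest_ip6"}
ENUMS = {"decision": {"A", "D"}, "state": {"B", "C", "E"}}
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')  # key=value or key="quoted value"


def parse_flow(line: str) -> Dict[str, Any]:
    """Return a typed record; raise ValueError if any field violates the table."""
    rec: Dict[str, Any] = {}
    for key, raw in KV.findall(line):
        val: Any = raw[1:-1] if raw.startswith('"') else raw
        if key in INT_KEYS:
            val = int(val)                              # <number> fields
        elif key in IPV4_KEYS:
            val = str(ipaddress.IPv4Address(val))       # <IPv4 address> fields
        elif key in IPV6_KEYS:
            val = str(ipaddress.IPv6Address(val))       # <IPv6 address> fields
        if key in ENUMS and val not in ENUMS[key]:
            raise ValueError(f"{key}={val!r} not in {sorted(ENUMS[key])}")
        rec[key] = val
    missing = REQUIRED - rec.keys()
    if missing:
        raise ValueError(f"missing required fields: {sorted(missing)}")
    if rec["nfc_id"] not in ("10401", "20401"):          # ids named in the page title
        raise ValueError(f"unexpected nfc_id {rec['nfc_id']}")
    return rec


def check_flow(line: str) -> str:
    """Empty string when the line is valid, otherwise the validation error text."""
    try:
        parse_flow(line)
        return ""
    except ValueError as exc:
        return str(exc)


def is_denied(rec: Dict[str, Any]) -> bool:
    """True for flows the NSG blocked; a natural first filter when reviewing rule hits."""
    return rec["decision"] == "D"
```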
