Version: 2.10.0

Azure Top Traffic Monitor (10467 / 20467)

Description

This Module identifies the Azure VMs with the most traffic. It consolidates NSG Flow Logs records collected over a period of time (the Data Collection Interval) that share the same combination of the following fields:

  • Source IP address
  • Destination IP address
  • Source port number
  • Destination port number
  • Layer 3 protocol

This information is provided per Virtual Network (Exporter). The Module also enriches the consolidated flows with Azure data that is not reported in NSG Flow Logs natively.

De-duplication: optionally, the Module can report consolidated flows only from the authoritative Virtual Network. The authoritative Virtual Network (NSG) is determined as follows: the Module sums up the bytes, packets, and connections between two communicating peers over the Data Collection Interval as reported by each Virtual Network. The Virtual Network reporting the most connections (flows) for each consolidated flow is considered authoritative, and flows reported for the same two peers by all other Virtual Networks are discarded.

Parameters

| Parameter Name | Description | Comments |
| --- | --- | --- |
| Data Collection Interval, sec | Module logic execution interval | min = 5 sec, max = 1800 sec, default = 30 sec |
| N – number of reported hosts | The number of top hosts reported per Virtual Network | min = 0, max = 100000, default = 50 (0 indicates all hosts are reported) |
| Share of total traffic reported, % | Reported percent of total traffic per Virtual Network | e.g. 98 indicates that the reported consolidated flows consume 98% of total NetFlow exporter traffic; min = 1%, max = 100%, default = 95%. Not more than N consolidated flows will be reported |
| Enable (1) or disable (0) reporting by authoritative exporters only | If set to 1 (de-duplication enabled), the Module reports flows only from authoritative Virtual Networks (exporters) | default = 0 |
| Azure VM Instances | VMs with IPv4, IPv6, Subscription ID, Subscription Name, VM Name, NSG Name, Virtual Network Name, etc. | Provided by EDF agent |
| Azure IPv4 Routes | IP range, source and destination Virtual Network hash | Provided by EDF agent |
| Azure IPv6 Routes | IP range, source and destination Virtual Network hash | Provided by EDF agent |
| Azure IPv4 Ranges | IPv4 ranges, Service name, Region | Provided by EDF agent |
| Azure IPv6 Ranges | IPv6 ranges, Service name, Region | Provided by EDF agent |

Input

Azure NSG Flow Logs

Syslog/JSON Message Fields

| Key | Field Description | Comments |
| --- | --- | --- |
| nfc_id | Message type identifier | “nfc_id=20467” |
| exp_ip | Exporter IPv4 address | `<IPv4 address>` (added for compatibility with other flows) |
| protocol | Transport protocol (TCP = 6, UDP = 17) | `<number>` |
| direction | The direction of the traffic flow | `<string>` |
| decision | Whether traffic was allowed or denied | `<string>`, valid values are “A” for allowed and “D” for denied |
| src_ip | Source VM instance IPv4 address | `<IPv4 address>` |
| [src_ip6] | Source VM instance IPv6 address | `<IPv6 address>` |
| [src_host] | Source host name | `<string>`, included when FQDN is on |
| [src_subs_id] | Source Subscription ID | `<string>` |
| [src_subs_name] | Source Subscription Name | `<string>` |
| [src_vm_name] | Source VM name | `<string>` |
| [src_nsg_name] | Source NSG name | `<string>` |
| [src_vnet_name] | Source Virtual Network name | `<string>` |
| [src_subnetwork_name] | Source Subnet name | `<string>` |
| [src_region] | Source Region | `<string>` |
| [src_res_grp_name] | Source Resource Group Name | `<string>` |
| src_port | Source port number | `<number>` |
| dest_ip | Destination VM instance IPv4 address | `<IPv4 address>` |
| [dest_ip6] | Destination VM instance IPv6 address | `<IPv6 address>` |
| [dest_host] | Destination host name | `<string>`, included when FQDN is on |
| [dest_subs_id] | Destination Subscription ID | `<string>` |
| [dest_subs_name] | Destination Subscription Name | `<string>` |
| [dest_vm_name] | Destination VM name | `<string>` |
| [dest_nsg_name] | Destination NSG name | `<string>` |
| [dest_vnet_name] | Destination Virtual Network name | `<string>` |
| [dest_subnetwork_name] | Destination Subnet name | `<string>` |
| [dest_region] | Destination Region | `<string>` |
| [dest_res_grp_name] | Destination Resource Group Name | `<string>` |
| dest_port | Destination port number | `<number>` |
| packets_in | Total number of packets in the consolidated flows from the source to the destination | `<number>` |
| bytes_in | Total number of Layer 3 bytes in the packets of the consolidated flows from the source to the destination | `<number>` |
| packets_out | Total number of packets in the consolidated flows from the destination to the source | `<number>` |
| bytes_out | Total number of Layer 3 bytes in the packets of the consolidated flows from the destination to the source | `<number>` |
| flow_count | Number of consolidated flows | `<number>` |
| percent_of_total | Percent of total (bytes) | `<decimal>`, e.g. 25.444% is reported as 25.444 |
| flow_start_time | Start time of the first consolidated flow | `<time>` |
| flow_end_time | End time of the last consolidated flow | `<time>` |
| t_int | Observation time interval, msec | `<number>` |