Microsoft Azure flow logs
Once flow log ingestion for Azure-based resources has been enabled, Plixer Scrutinizer can monitor and run reports on traffic traversing assets in the cloud.
Once flow data for network resources on Azure is being received, the following additional report types can be run:
Report type | Description
Flow Decisions | Aggregation based on the decision (accept or deny) applied to traffic via configured rules
Flow Decisions Count | Flow count aggregation for each traffic decision
Flow States | Aggregation based on the distinct states reported for individual network flows
Flow States Count | Flow count aggregation for each network flow state
All Details | Aggregation based on the full range of flow details, including the rule and application associated with the traffic
Resource IDs | Aggregation based on resource IDs
This section covers the prerequisites and setup/configuration steps for Azure flow log ingestion.
Note
Plixer Scrutinizer supports both VNet and NSG flow logs on Azure.
Setting up the Azure blob storage container
Before setting up Azure flow log ingestion in Plixer Scrutinizer, the Azure Storage blob container(s) that will be used should be configured as follows:
Set the virtual networks to be monitored to send flow logs to the container. Both version 1 and version 2 flow logs are supported, but the latter format is recommended to enable volume-based reports.
The container should be reserved for exclusive use by Plixer Scrutinizer. If the flow logs need to be archived or used for other purposes, send the flow logs to a separate blob container, and then automate the replication/duplication of those logs to the container that will be used by Plixer Scrutinizer.
Versioning should be disabled.
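As an added illustration (not part of the Plixer documentation), the following Python parses a constructed NSG flow log record in the version 2 layout and aggregates it by flow decision, flow state and bytes per rule, which is what the decision/state report types above summarise and why version 2 is needed for volume-based reports. The record, rule names, MAC and addresses are constructed sample values; the field order of a flowTuple follows Azure's documented NSG flow log format.

```python
from collections import Counter

# Constructed sample NSG flow log record in the version 2 layout (not from any real tenant).
SAMPLE_RECORD = {
    "resourceId": "/SUBSCRIPTIONS/EXAMPLE-SUB/RESOURCEGROUPS/EXAMPLE-RG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/EXAMPLE-NSG",
    "properties": {
        "Version": 2,
        "flows": [
            {"rule": "DefaultRule_AllowInternetOutBound",
             "flows": [{"mac": "000D3AF87856", "flowTuples": [
                 # time,src,dst,sport,dport,proto,dir,decision,state,pktsS2D,bytesS2D,pktsD2S,bytesD2S
                 "1704110400,10.0.0.4,203.0.113.10,44931,443,T,O,A,B,,,,",
                 "1704110410,10.0.0.4,203.0.113.10,44931,443,T,O,A,C,10,1200,8,5400",
                 "1704110420,10.0.0.4,203.0.113.10,44931,443,T,O,A,E,2,120,1,60"]}]},
            {"rule": "DefaultRule_DenyAllInBound",
             "flows": [{"mac": "000D3AF87856", "flowTuples": [
                 "1704110405,198.51.100.7,10.0.0.4,50123,22,T,I,D,B,,,,"]}]},
        ],
    },
}

DECISION = {"A": "accept", "D": "deny"}
STATE = {"B": "begin", "C": "continuing", "E": "end"}

def parse_tuple(raw, version):
    """Split one flowTuple string into a dict; version 2 adds the state and four counters."""
    f = raw.split(",")
    t = {"src": f[1], "dst": f[2], "sport": int(f[3]), "dport": int(f[4]),
         "proto": f[5], "dir": f[6], "decision": DECISION[f[7]]}
    if version >= 2:
        t["state"] = STATE[f[8]]
        # Counters are empty on a "begin" tuple; treat empty as zero. f[10]/f[12] are bytes each way.
        t["bytes"] = sum(int(x) for x in f[10:13:2] if x)
    return t

def aggregate(record):
    """Flow counts per decision and per state, plus bytes per rule (bytes need version 2 logs)."""
    version = record["properties"]["Version"]
    decisions, states, bytes_by_rule = Counter(), Counter(), Counter()
    for rule in record["properties"]["flows"]:
        for nic in rule["flows"]:
            for raw in nic["flowTuples"]:
                t = parse_tuple(raw, version)
                decisions[t["decision"]] += 1
                if version >= 2:
                    states[t["state"]] += 1
                    bytes_by_rule[rule["rule"]] += t["bytes"]
    return decisions, states, bytes_by_rule
```

A version 1 record carries only the first eight fields of each tuple, so the state and byte aggregations stay empty for it.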
Note
Once a blob container is configured as a flow log source, Plixer Scrutinizer will regularly collect the most recent 15 minutes of logs and delete all inactive log files (i.e., not updated in the past ~1 hour). If any historical data needs to be retained, it should be copied off the container before the integration is configured. Manually clearing the container of inactive log files will also allow Plixer Scrutinizer to become current more quickly.
Configuring Azure flow log ingestion in Plixer Scrutinizer
To add an Azure Storage blob container as a flow log source in Plixer Scrutinizer, follow these steps:
Navigate to Admin > Integrations > Flow Log Ingestion in the web interface.
Click the + icon, and then select Azure FlowLogs in the tray.
In the secondary tray, configure the container details as follows:
Enter a name to identify the bucket/source by.
Enter the container name:
For NSG flow logs, this will typically follow the format of insights-logs-networksecuritygroupflowevent
For VNet flow logs, this will typically follow the format of insights-logs-flowlogflowevent
Select the collector(s) to assign to the container from the dropdown (the primary reporter of a distributed cluster is not recommended).
Enter the storage account name and key to use to access the container (in most cases, the account name is the service URL host name without .blob.core.windows.net/ or another domain).
Enter the service URL for the container (in most cases, formatted as https://STORAGE-ACCOUNT-NAME.blob.core.windows.net/).
Click the Save button to add the container with the current settings.
Once added, the container will be listed in the main Admin > Integrations > Flow Log Ingestion view under the configured name. An exporter associated with the Azure virtual network will also be added to the device lists for Plixer Scrutinizer’s various functions (Flow Analytics, network maps, reports, etc.).
Note
After a container configuration has been saved, click on the name assigned to it in the main view to open the settings tray, and use the Test button to confirm that Plixer Scrutinizer is able to establish a connection to the container with the credentials entered.
To verify that the Azure flow log source has been successfully added, look for an exporter whose hostname matches the virtual network in the Explore > Exporters > By Exporters view or the Admin > Resources > Exporters page (after ~1 hour).
For assistance with any issues, consult the troubleshooting guide or contact Plixer Technical Support.