Azure NSG flow logs

With Azure NSG flow log ingestion enabled, Plixer Scrutinizer can monitor and run reports on IP traffic traversing an NSG.

Once NSG flow data is being received, the following additional report types can be run:

  • Flow Decisions

  • Flow Decisions Count

  • Flow States

  • Flow States Count

  • NSG All Details

  • Resource IDs

Setting up Azure Blob Storage

Before configuring NSG flow log ingestion in Plixer Scrutinizer, one or more blob containers under an Azure Storage account must be configured as follows:

  • The container(s) should have versioning disabled and be reserved for exclusive use by Plixer Scrutinizer.

  • The NSG(s) to be monitored should be set to send flow logs to the container(s) to be used.

Hint

Both version 1 and version 2 flow log formats are compatible with Plixer Scrutinizer, but version 2 is recommended to enable volume-based Reports.

  • To save time, containers with a large backlog of flow log files can be cleared before they are added to Plixer Scrutinizer. Clearing can be skipped if the most recent 15 minutes of logs in the container(s) should be preserved for ingestion.
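As an added example (not Plixer code), here is a Python parser for the two NSG flow log tuple formats the hint above refers to: version 1 tuples carry only the 5-tuple, direction and decision, while version 2 adds the flow state and the byte/packet counters that volume-based reports depend on. The JSON sample is constructed; the `records`/`properties`/`flowTuples` layout follows the Azure NSG flow log file format, and the function names are this example's own.

```python
import json

# One flowTuples entry: v1 has 8 comma-separated fields; v2 appends state (B/C/E) and counters.
V1_FIELDS = ("time", "src_ip", "dst_ip", "src_port", "dst_port", "protocol", "direction", "decision")
V2_FIELDS = V1_FIELDS + ("state", "packets_out", "bytes_out", "packets_in", "bytes_in")

def parse_tuple(raw, version):
    """Split one tuple string into a dict; v2 'B' (begin) tuples carry empty counters."""
    names = V2_FIELDS if version == 2 else V1_FIELDS
    parts = raw.split(",")
    if len(parts) != len(names):
        raise ValueError(f"v{version} tuple needs {len(names)} fields, got {len(parts)}")
    flow = dict(zip(names, parts))
    for key in ("packets_out", "bytes_out", "packets_in", "bytes_in"):
        if key in flow:
            flow[key] = int(flow[key]) if flow[key] else 0
    return flow

def parse_flow_logs(blob_text):
    """Flatten a flow log blob into one dict per tuple, tagged with rule, MAC and NSG resource ID."""
    flows = []
    for record in json.loads(blob_text)["records"]:
        props = record["properties"]
        version = int(props.get("Version", 1))
        for rule in props["flows"]:
            for entry in rule["flows"]:
                for raw in entry["flowTuples"]:
                    flow = parse_tuple(raw, version)
                    flow.update(version=version, rule=rule["rule"], mac=entry["mac"], nsg=record["resourceId"])
                    flows.append(flow)
    return flows

def bytes_by_decision(flows):
    """Total bytes per decision (A/D); v1 tuples carry no counters, so they contribute nothing."""
    totals = {"A": 0, "D": 0}
    for flow in flows:
        totals[flow["decision"]] += flow.get("bytes_out", 0) + flow.get("bytes_in", 0)
    return totals

# Constructed v2 sample (not from a real tenant): one allowed outbound TLS session logged as a
# begin ('B') and an end ('E') tuple, plus one denied inbound SSH attempt.
SAMPLE_V2 = json.dumps({"records": [{
    "time": "2024-01-01T00:00:00.0000000Z", "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/EXAMPLE-RG"
                  "/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/EXAMPLE-NSG",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_AllowInternetOutBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1704067200,10.0.0.4,203.0.113.10,44931,443,T,O,A,B,,,,",
            "1704067260,10.0.0.4,203.0.113.10,44931,443,T,O,A,E,10,1200,8,6400"]}]},
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1704067200,198.51.100.7,10.0.0.4,51234,22,T,I,D,B,,,,"]}]}]}}]})
```

Running `bytes_by_decision(parse_flow_logs(SAMPLE_V2))` on the sample yields volume only for the allowed session, which is why a v1-only container cannot feed the volume-based reports.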

Configuring NSG flow log ingestion

To add an Azure blob container as a flow log ingestion source in Plixer Scrutinizer, follow these steps:

  1. Navigate to Admin > Integrations > Flow Log Ingestion in the web interface.

  2. Click the + button and select Azure NSG FlowLogs.

  3. In the secondary tray, fill in the fields with the following details:

    • A name to identify the container/source

    Note

    The Azure storage account name can be used in the Name field to make it easier to distinguish between flow log sources.

    • Container name (in most cases, insights-logs-networksecuritygroupflowevent)

    • The Collector to assign to the container (dropdown)

    • Azure storage account name

    • Azure account key to use to access the container

    • Service URL for the container

  4. Verify that the details entered are correct and then click the Save button to save the configuration.

Once added, the container will be listed in the main Admin > Integrations > Flow Log Ingestion view using the configured name. Clicking a source name in this view will open a configuration tray, where its settings can be edited.

Plixer Scrutinizer will continuously monitor the container to collect new logs and delete files that have been ingested.

Hint

To access bulk actions/operations in the main view, select one or more sources using the checkboxes and click the Bulk Actions button.

Note

After a container is first added, the most recent 15 minutes of logs are collected, and any log files that were not updated in the last hour are deleted. Plixer Scrutinizer will then continue to collect and delete log files as normal.

For assistance with any issues, consult the troubleshooting guide or contact Plixer Technical Support.