What is Azure NSG?
You can use an Azure network security group to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol. For more details, you can refer to the documentation.
Monitoring NSG flow logs is critical from a security perspective, especially in public clouds like Azure. vRealize Log Insight Cloud supports a number of log sources, including Azure.
Once the logs are flowing, you can create a dashboard to visualize your Azure environment, like the sample dashboard below.
PRE-REQUISITES
In order to collect NSG logs, you will need the following:
- Blob Storage – An object storage solution for the Azure cloud. We will use it to store the NSG flow logs. You can use an existing storage account; however, I will also demonstrate how to create one.
- Azure Network Watcher – Provides tools to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. We will use the NSG flow logs feature of Network Watcher, which logs information about IP traffic flowing through an NSG. Flow data is written to an Azure Storage account, from where it can be forwarded to external tools such as vRealize Log Insight Cloud.
- vRLI Cloud Function – A custom ARM template that deploys a function to fetch logs from Blob Storage and forward them to vRealize Log Insight Cloud. I will demonstrate how to deploy it as part of this blog.
PROCEDURE
The following section gives step-by-step instructions to enable forwarding of Azure NSG logs to vRealize Log Insight Cloud.
Step 1 – Generate a vRealize Log Insight Cloud API key from here
Step 2 – Create Blob Storage & vRealize Log Insight Cloud Function
Log in to vRealize Log Insight Cloud, navigate to Log Sources –> Azure –> Blob Storage –> Create a Blob Storage, and click Deploy to Azure.
If you want to use an existing Blob Storage account, you will need to use the ARM template under Map a Blob Storage. That requires some additional configuration, which this blog doesn't cover.
Provide basic details such as Subscription, Resource Group, API_URL and API_Token.
For vRLI Cloud US, the API_URL is the following; it will differ if your tenant is in another region.
https://data.mgmt.cloud.vmware.com/le-mans/v1/streams/ingestion-pipeline-stream
Step 3 – Configure Diagnostic Settings for Function App
This saves the function's own logs in the Blob Storage account and forwards them to vRealize Log Insight Cloud.
Navigate to the Diagnostic Settings section under the Monitoring tab of the vRealize Log Insight Cloud Function (the name should start with "VMwareLogsFunction") and click Add Diagnostic Settings.
Provide basic details such as the type of logs and the retention period, and select the Storage Account (the name should start with vmware).
Step 4 – Azure Blob Storage Trigger to fetch logs from Blob Storage
The Blob Storage trigger starts the vRealize Log Insight Cloud function when a new or updated blob is detected.
Navigate to the Functions section under the Functions tab of the vRealize Log Insight Cloud Function (the name should start with "VMwareLogsFunction") and click blobStorageFunction.
Click the Integration tab under the Developer section, then click Azure Blob Storage Trigger to edit the trigger details.
Step 5 – Configure NSG flow logs
Navigate to the NSG flow logs section under Logs of the Network Watcher service and click the NSG whose settings you want to modify (in my case the NSG name is MMTest-nsg).
Perform the following changes:
- Change Status to ON
- Change Flow Logs Version to Version 2
- Select the Storage Account where the logs should be saved (the name should start with vmware). If you are using a v2 Storage Account, you will also specify Retention Days.
Once logs are flowing, you can find them in vRealize Log Insight Cloud with the filter:
log_type contains azure_log
You should now be able to create a dashboard to visualize your Azure environment, like the sample dashboard below, or create alerts to get notified whenever suspicious activity occurs.
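As an added example (not from the original post and not VMware's function code): once Version 2 flow logs land in the storage account, each blob is a JSON document whose records carry flows grouped by NSG rule, and each flow is a comma-separated tuple of timestamp, source and destination IP and port, protocol, direction, decision, flow state and traffic counters. The Python below parses a constructed v2 record in that layout and summarises denied inbound flows per destination port and allowed bytes per rule, the kind of aggregation a dashboard panel or an alert would be built on. The subscription, resource group, MAC and IP addresses in the sample are placeholders; the NSG name MMTest-nsg is taken from the post.

```python
"""Parse Azure NSG flow log (version 2) records and summarise them for review.

Added example, not part of the original post. The sample blob below is a
constructed record that follows the v2 layout; the subscription, resource
group, MAC and IP addresses are placeholders.
"""
import json
from collections import Counter
from dataclasses import dataclass
from typing import Iterator, List

# Constructed sample: one v2 record with two denied inbound flows (SSH, RDP)
# and one allowed HTTPS flow that has completed and carries byte counters.
SAMPLE_BLOB = json.dumps({
    "records": [{
        "time": "2021-05-01T10:00:35.0000000Z",
        "category": "NetworkSecurityGroupFlowEvent",
        "resourceId": "/SUBSCRIPTIONS/SUB-ID-PLACEHOLDER/RESOURCEGROUPS/RG-PLACEHOLDER"
                      "/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/MMTEST-NSG",
        "operationName": "NetworkSecurityGroupFlowEvents",
        "properties": {
            "Version": 2,
            "flows": [
                {"rule": "DefaultRule_DenyAllInBound",
                 "flows": [{"mac": "000D3A000001", "flowTuples": [
                     "1619863200,198.51.100.7,10.0.0.4,51000,22,T,I,D,B,,,,",
                     "1619863201,198.51.100.9,10.0.0.4,51001,3389,T,I,D,B,,,,"]}]},
                {"rule": "UserRule_AllowHTTPS",
                 "flows": [{"mac": "000D3A000001", "flowTuples": [
                     "1619863210,203.0.113.5,10.0.0.4,44321,443,T,I,A,E,12,1500,10,9000"]}]},
            ],
        },
    }]
})


@dataclass(frozen=True)
class Flow:
    nsg: str
    rule: str
    timestamp: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str     # "T" (TCP) or "U" (UDP)
    direction: str    # "I" inbound / "O" outbound
    decision: str     # "A" allowed / "D" denied
    state: str        # "B" begin, "C" continuing, "E" end
    bytes_total: int  # bytes in both directions; 0 while counters are empty


def _to_int(field: str) -> int:
    # Packet/byte counters are empty strings on "B" (begin) tuples.
    return int(field) if field else 0


def parse_flow_log(blob_text: str) -> Iterator[Flow]:
    """Yield one Flow per v2 flow tuple found in a flow-log blob."""
    doc = json.loads(blob_text)
    for record in doc.get("records", []):
        props = record["properties"]
        if props.get("Version") != 2:
            raise ValueError(f"unsupported flow log version {props.get('Version')!r}")
        nsg = record["resourceId"].rsplit("/", 1)[-1]
        for rule_block in props["flows"]:
            rule = rule_block["rule"]
            for nic_block in rule_block["flows"]:
                for tup in nic_block["flowTuples"]:
                    f = tup.split(",")
                    if len(f) != 13:
                        raise ValueError(f"malformed v2 tuple: {tup!r}")
                    yield Flow(
                        nsg=nsg, rule=rule, timestamp=int(f[0]),
                        src_ip=f[1], dst_ip=f[2],
                        src_port=int(f[3]), dst_port=int(f[4]),
                        protocol=f[5], direction=f[6], decision=f[7], state=f[8],
                        bytes_total=_to_int(f[10]) + _to_int(f[12]),
                    )


def denied_inbound_by_port(flows: List[Flow]) -> Counter:
    """Count denied inbound flows per destination port: a quick view of what
    is being refused at the NSG, the data behind a dashboard panel or alert."""
    return Counter(f.dst_port for f in flows if f.direction == "I" and f.decision == "D")


def allowed_bytes_by_rule(flows: List[Flow]) -> Counter:
    """Sum bytes carried by allowed flows, keyed by the NSG rule that allowed them."""
    totals: Counter = Counter()
    for f in flows:
        if f.decision == "A":
            totals[f.rule] += f.bytes_total
    return totals


if __name__ == "__main__":
    parsed = list(parse_flow_log(SAMPLE_BLOB))
    print("denied inbound by dst port:", dict(denied_inbound_by_port(parsed)))
    print("allowed bytes by rule:", dict(allowed_bytes_by_rule(parsed)))
```

The parser rejects anything that is not Version 2 rather than guessing, because v1 tuples have no counters and mixing the two silently would skew byte totals.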