azure-nsgflow-logs
Download NSG flow logs for a specified time range from Azure storage account.
azure-nsgflow-logs [profile=PROFILE] [duration=NUM{mon|w|d|h|m|s}] [from=yyyyMMddHHmmss] [to=yyyyMMddHHmmss]
- profile=PROFILE
- Azure NSG Flow connect profile code
- duration=NUM{mon|w|d|h|m|s}
- Scan only recent data. Use one of the time units s (second), m (minute), h (hour), d (day), w (week), or mon (month). For example, 10s means data from 10 seconds earlier.
- from=yyyyMMddHHmmss
- Start time of range. yyyyMMddHHmmss format. If you omit time part, it will be padded by zero.
- to=yyyyMMddHHmmss
- End time of range. yyyyMMddHHmmss format. If you omit time part, it will be padded by zero.
Output Fields
| Field | Type | Name | Description |
|---|---|---|---|
| _time | Date | Event time | |
| profile | String | Connect profile | Azure NSG Flow connect profile code. |
| cloud_resource_group | String | Cloud resource group | NSG resource group |
| cloud_resource_name | String | Cloud resource name | NSG resource name |
| direction | String | Direction | e.g. outbound, inbound, lateral |
| src_ip | IP address | Source IP | |
| src_port | Integer | Source port | |
| dst_ip | IP address | Destination IP | |
| dst_port | Integer | Destination port | |
| protocol | String | Protocol | e.g. TCP, UDP |
| policy | String | Policy | NSG security rule name |
| action | String | Action | e.g. PERMIT, DENY |
| state | String | State | e.g. start, end, continue |
| total_bytes | Long | Total bytes | Sum of sent_bytes and rcvd_bytes. |
| sent_bytes | Long | Sent bytes | Bytes from client to server. |
| rcvd_bytes | Long | Received bytes | Bytes from server to client. |
| total_pkts | Long | Total packets | Sum of sent_pkts and rcvd_pkts. |
| sent_pkts | Long | Sent packets | Packets from client to server. |
| rcvd_pkts | Long | Received packets | Packets from server to client. |
| cloud_resource | String | Cloud resource | Fully qualified Azure resource name |
| blob_path | String | Blob path | Origin blob |
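To show how the output fields above relate to the raw NSG flow log blobs the command downloads, here is an added Python example (not part of the command or its implementation) that parses a constructed version 2 flow log record into rows with these field names. The letter codes in a flow tuple (I/O, A/D, B/C/E, T/U) and the mapping onto the page's words (inbound/outbound, PERMIT/DENY, start/continue/end, TCP/UDP) are taken from the Azure flow log format; the profile and blob path values are assumed.

```python
import json
from datetime import datetime, timezone

# Constructed NSG flow log (version 2) blob with two tuples: a denied inbound SSH
# attempt (counters empty, as in a "B" state tuple) and a completed outbound HTTPS flow.
SAMPLE_BLOB = json.dumps({"records": [{
    "time": "2024-05-01T10:00:00.000Z",
    "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG-PROD"
                  "/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-WEB",
    "properties": {"Version": 2, "flows": [
        {"rule": "DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1714557600,203.0.113.7,10.0.0.4,51234,22,T,I,D,B,,,,"]}]},
        {"rule": "AllowWebOut", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1714557601,10.0.0.4,198.51.100.9,44000,443,T,O,A,E,12,3400,10,9800"]}]},
    ]}}]})

DIRECTION = {"I": "inbound", "O": "outbound"}
ACTION = {"A": "PERMIT", "D": "DENY"}
STATE = {"B": "start", "C": "continue", "E": "end"}
PROTOCOL = {"T": "TCP", "U": "UDP"}

def _count(value):
    # Packet/byte counters are empty on flow-start tuples; treat them as zero.
    return int(value) if value else 0

def parse_nsg_flow_blob(blob_text, profile="azure-prod", blob_path="constructed/path.json"):
    """Return one row per flow tuple, keyed by the output field names."""
    rows = []
    for record in json.loads(blob_text)["records"]:
        resource_id = record["resourceId"]
        parts = resource_id.split("/")
        # Resource id layout: .../RESOURCEGROUPS/<group>/.../NETWORKSECURITYGROUPS/<name>
        group, name = parts[parts.index("RESOURCEGROUPS") + 1], parts[-1]
        for rule in record["properties"]["flows"]:
            for flow in rule["flows"]:
                for tup in flow["flowTuples"]:
                    f = tup.split(",")
                    sent_b, rcvd_b = _count(f[10]), _count(f[12])
                    sent_p, rcvd_p = _count(f[9]), _count(f[11])
                    rows.append({
                        "_time": datetime.fromtimestamp(int(f[0]), tz=timezone.utc),
                        "profile": profile, "cloud_resource_group": group,
                        "cloud_resource_name": name, "direction": DIRECTION.get(f[6], f[6]),
                        "src_ip": f[1], "src_port": int(f[3], 10), "dst_ip": f[2],
                        "dst_port": int(f[4]), "protocol": PROTOCOL.get(f[5], f[5]),
                        "policy": rule["rule"], "action": ACTION.get(f[7], f[7]),
                        "state": STATE.get(f[8], f[8]),
                        "total_bytes": sent_b + rcvd_b, "sent_bytes": sent_b, "rcvd_bytes": rcvd_b,
                        "total_pkts": sent_p + rcvd_p, "sent_pkts": sent_p, "rcvd_pkts": rcvd_p,
                        "cloud_resource": resource_id, "blob_path": blob_path})
    return rows
```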