I am working on setting up logging and monitoring for the Azure NSG, but there are 2 places where NSG logs are being generated, and I am not sure of the difference between the two and which logs give more useful insight that I can store in a storage account for later analysis.
Question: what is the difference between the 3 types (i.e. NSG Flow Log, NSG Events, NSG Rule Counter) and which one should be stored for dashboarding and alerting purposes for security?
Reference :
#1
"Network security group (NSG) flow logs is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through an NSG. Flow data is sent to Azure Storage accounts from where you can access it as well as export it to any visualization tool, SIEM, or IDS of your choice."
https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview#introduction
"Flow logs are the source of truth for all network activity in your cloud environment."
"Flow logs operate at Layer 4 and record all IP flows going in and out of an NSG."
Each log record contains 5-tuple information, the traffic decision, and throughput information, e.g. source IP, source port, destination IP, destination port, etc.
"Logs are collected at 1-min interval."
#2
"When you enable logging for an NSG, you can gather the following types of resource log information:
Event - NetworkSecurityGroupEvents: Entries are logged for which NSG rules are applied to VMs, based on MAC address. The event log contains information about which NSG rules are applied to VMs, based on MAC address. The following data is logged for each event.
Rule counter - NetworkSecurityGroupCounters: Contains entries for how many times each NSG rule is applied to deny or allow traffic. The status for these rules is collected every 300 seconds. The rule counter log contains information about each rule applied to resources."
https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-nsg-manage-log
As you now understand the difference between the 3 logs, then you can decide for yourself which logs to use. There is no right answer, it is really up to what you want to see and do with the logs.
Resource logging is enabled separately for each NSG you want to collect diagnostic data for.
If you're interested in IP traffic flowing through NSGs, use the Azure Network Watcher NSG Flow logs.
The source IP address for the communication is not logged. You can enable NSG flow logging for an NSG, however, which logs all of the rule counter information, as well as the source IP address that initiated the communication. NSG flow log data is written to an Azure Storage account.