Tags: azure, azure-virtual-network, azure-log-analytics, azure-diagnostics, azure-nsg

Difference between Azure NetworkSecurityGroupEvents and NetworkSecurityGroupFlowEvents?


I am working on setting up logging and monitoring for the Azure NSG, but there are 2 places where NSG logs are being generated and I'm not sure of the difference between the two and which logs give more useful insight that I can store in a storage account for later analysis.

  1. Using Azure Network Watcher, setting up NSG Flow Logs to store logs of category NetworkSecurityGroupFlowEvent in a Storage account
  2. Using Diagnostic Settings in the NSG resource and enabling all log categories: NetworkSecurityGroupEvents, NetworkSecurityGroupCounters

Question: what is the difference between the 3 types (i.e. NSG Flow Log, NSG Events, NSG Rule Counter) and which one should be stored for dashboarding and alerting purposes for security?

Reference :


Solution

  • #1
    "Network security group (NSG) flow logs is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through an NSG. Flow data is sent to Azure Storage accounts from where you can access it as well as export it to any visualization tool, SIEM, or IDS of your choice." https://learn.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-overview#introduction

    "Flow logs are the source of truth for all network activity in your cloud environment."
    "Flow logs operate at Layer 4 and record all IP flows going in and out of an NSG."
    Each log record contains 5-tuple information, the traffic decision, and throughput information, e.g. source IP, source port, destination IP, destination port, etc.
    "Logs are collected at 1-min interval".

    #2
    "When you enable logging for an NSG, you can gather the following types of resource log information:

    https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-nsg-manage-log

    As you now understand the difference between the 3 logs, then you can decide for yourself which logs to use. There is no right answer, it is really up to what you want to see and do with the logs.

    Resource logging is enabled separately for each NSG you want to collect diagnostic data for.
    If you're interested in IP traffic flowing through NSGs use the Azure Network Watcher NSG Flow logs.

    The source IP address for the communication is not logged. You can enable NSG flow logging for an NSG, however, which logs all of the rule counter information, as well as the source IP address that initiated the communication. NSG flow log data is written to an Azure Storage account.
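As an added illustration (not part of the question or the answer above) of what the flow-log path gives you that the NSG event log does not: the per-flow source IP, the decision and, in version 2, the byte counters. The script below parses the flow log blob layout that Network Watcher writes to the storage account (a JSON document with a `records` array; each record carries `properties.flows[].flows[].flowTuples`, with comma-separated tuples of timestamp, source IP, destination IP, source port, destination port, protocol, direction, decision and, for version 2, flow state plus packet/byte counters) and derives three things a dashboard or alert would want: denied inbound flows per source, sources probing several closed ports, and bytes per NSG rule. The record contents, addresses and rule names are constructed sample data; `detect_port_scans` and its threshold are an assumed heuristic, not a Microsoft feature.

```python
import json
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample in the shape of an NSG flow log (version 2) blob.
# Addresses, MAC, subscription path and rule names are made up.
SAMPLE_BLOB = json.dumps({"records": [{
    "time": "2023-01-01T00:00:00.000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/EXAMPLE/RESOURCEGROUPS/RG/PROVIDERS/"
                  "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-EXAMPLE",
    "operationName": "NetworkSecurityGroupFlowEvents",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3A000001", "flowTuples": [
            "1672531200,198.51.100.7,10.0.0.4,51000,22,T,I,D,B,,,,",
            "1672531201,198.51.100.7,10.0.0.4,51001,3389,T,I,D,B,,,,",
            "1672531202,198.51.100.7,10.0.0.4,51002,445,T,I,D,B,,,,",
            "1672531203,203.0.113.9,10.0.0.4,40000,8080,T,I,D,B,,,,"]}]},
        {"rule": "UserRule_AllowHTTPS", "flows": [{"mac": "000D3A000001", "flowTuples": [
            "1672531204,203.0.113.9,10.0.0.4,40001,443,T,I,A,B,,,,",
            "1672531210,203.0.113.9,10.0.0.4,40001,443,T,I,A,E,10,1500,8,12000"]}]},
    ]}}]})


@dataclass
class Flow:
    """One flow tuple: v2 layout (v1 tuples have no state or counters)."""
    timestamp: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str      # "T" TCP or "U" UDP
    direction: str     # "I" inbound or "O" outbound
    decision: str      # "A" allowed or "D" denied
    state: str         # "B" begin, "C" continuing, "E" end, "" for v1
    bytes_src_to_dst: int
    bytes_dst_to_src: int
    rule: str
    nsg: str


def _int_or_zero(field: str) -> int:
    # v2 leaves the counters empty on the "B" (begin) record of a flow.
    return int(field) if field else 0


def parse_flow_log(blob_text: str) -> list:
    """Flatten one flow log blob into Flow objects, one per flow tuple."""
    flows = []
    for record in json.loads(blob_text)["records"]:
        if record.get("category") != "NetworkSecurityGroupFlowEvent":
            continue
        nsg = record["resourceId"].rsplit("/", 1)[-1]
        for rule_block in record["properties"]["flows"]:
            for nic in rule_block["flows"]:
                for tup in nic["flowTuples"]:
                    f = tup.split(",")
                    if len(f) < 8:
                        raise ValueError(f"malformed flow tuple: {tup!r}")
                    f += [""] * (13 - len(f))  # pad v1 tuples (8 fields) to v2 width
                    flows.append(Flow(
                        timestamp=int(f[0]), src_ip=f[1], dst_ip=f[2],
                        src_port=int(f[3]), dst_port=int(f[4]),
                        protocol=f[5], direction=f[6], decision=f[7], state=f[8],
                        bytes_src_to_dst=_int_or_zero(f[10]),
                        bytes_dst_to_src=_int_or_zero(f[12]),
                        rule=rule_block["rule"], nsg=nsg))
    return flows


def denied_inbound_by_source(flows) -> Counter:
    """Denied inbound flows per source IP: the count the event log cannot give you."""
    return Counter(f.src_ip for f in flows if f.direction == "I" and f.decision == "D")


def detect_port_scans(flows, min_ports: int = 3) -> dict:
    """Assumed heuristic: sources denied on at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for f in flows:
        if f.direction == "I" and f.decision == "D":
            ports[f.src_ip].add(f.dst_port)
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}


def bytes_by_rule(flows) -> dict:
    """Bytes in both directions attributed to each NSG rule (v2 counters only)."""
    totals = Counter()
    for f in flows:
        totals[f.rule] += f.bytes_src_to_dst + f.bytes_dst_to_src
    return dict(totals)


if __name__ == "__main__":
    parsed = parse_flow_log(SAMPLE_BLOB)
    print("denied inbound per source:", denied_inbound_by_source(parsed))
    print("possible scanners:", detect_port_scans(parsed))
    print("bytes per rule:", bytes_by_rule(parsed))
```

To run this against real data, read each `PT1H.json` blob from the storage account's `insights-logs-networksecuritygroupflowevent` container and pass its text to `parse_flow_log`; blobs are appended in place during the hour, so re-read the last one until it is rotated. The byte counters are only populated on continuing ("C") and end ("E") records, which is why `bytes_by_rule` sums zeros for the begin records.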