Version: 7.8

Azure Flow Logs (VNET)

Overview

NetObserv Flow can receive VNet flow logs from Microsoft Azure.

This input collects 'Virtual network flow logs' from Microsoft Azure Network Watcher. VNet flow logs provide information about IP traffic flowing through a virtual network. See Azure documentation for more information about their flow log feature.

The retrieval of VNet flow logs is event-based, meaning that NetObserv Flow will listen for an event from Azure Event Hub and will then retrieve and ingest all new flow logs since the last event.

Overview of Azure Flow Log Feature

Configuring NetObserv Flow to Receive Azure Flow Logs

EF_AZURE_FLOW_LOG_VNET_ENABLE

This enables the feature.

  • Valid Values
    • true, false
  • Default Value
    • false

EF_AZURE_FLOW_LOG_VNET_CONFIG_FILE_PATH

The path to the config file for this feature. See below for more details.

  • Default Value
    • "/etc/elastiflow/azure/flowlog_vnet.yml"

VNet Consumers Configuration File

Here is a minimal example of what this config file will look like:

- tenantId: "App registration Directory ID"
  clientId: "App registration Application ID"
  clientSecret: "App registration client secret"
  consumers:
    - namespace: "Host name of the Event Hubs namespace"
      name: "Name of the Event Hub"
      consumerGroup: "$Default"
  • tenantId - This is the "Directory (tenant) ID" displayed in the "Create an App registration" step of the setup guide. This is the tenant ID associated with your Azure subscription.
  • clientId - This is the "Application (client) ID" displayed during that same step.
  • clientSecret - This is the secret displayed in the "Add a Client Secret" step of the setup guide.
  • consumers: This is a list of consumer tuples. You must have at least one consumer with namespace and name defined; consumerGroup is optional and defaults to $Default.
    • namespace: This is the Event Hub Namespace created or configured during the "Create an Events Hub namespace" step of the setup guide. Namespace corresponds to a Kafka instance.
    • name: This is the Event Hub created or configured during the "Create an Event Hub" step of the setup guide. Name corresponds to a Kafka topic.
    • consumerGroup: This is the consumer group of the Event Hub named above. The "Basic" tier of the Event Hub Namespace only allows the single $Default consumer group; the "Standard" tier allows multiple consumer groups. Create additional consumer groups if you want to run multiple independent instances of flowcoll (or other consumers of these events). If you're using the $Default group, you can omit this field, as $Default is its default value.
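The following is an added example, not ElastiFlow's own code, that checks a parsed copy of this config file against the rules above: one or more app registrations, each with tenantId, clientId and clientSecret, at least one consumer with namespace and name, and consumerGroup falling back to $Default when omitted. It assumes the file has already been parsed into Python lists and dicts (what yaml.safe_load() would return for the YAML shown); the sample below is a constructed in-memory stand-in for flowlog_vnet.yml with placeholder IDs, and the redacted() helper is an assumption about how a collector might log its settings without exposing the client secret.

```python
"""Validate a NetObserv Flow Azure VNet flow log consumer config.

Added example, not ElastiFlow's own code. It operates on the config
after YAML parsing (the shape yaml.safe_load() produces for the
documented flowlog_vnet.yml); the sample below is a constructed
in-memory equivalent with placeholder values.
"""
from dataclasses import dataclass, field

DEFAULT_CONSUMER_GROUP = "$Default"

# Constructed sample mirroring the documented minimal config file.
SAMPLE_CONFIG = [
    {
        "tenantId": "00000000-0000-0000-0000-000000000000",   # placeholder
        "clientId": "11111111-1111-1111-1111-111111111111",   # placeholder
        "clientSecret": "placeholder-secret",                  # placeholder
        "consumers": [
            # consumerGroup omitted here: must default to $Default
            {"namespace": "example-ns.servicebus.windows.net",
             "name": "vnet-flowlogs"},
            # explicit group, e.g. for a second independent flowcoll instance
            {"namespace": "example-ns.servicebus.windows.net",
             "name": "vnet-flowlogs",
             "consumerGroup": "flowcoll-2"},
        ],
    }
]


@dataclass
class Consumer:
    namespace: str
    name: str
    consumer_group: str = DEFAULT_CONSUMER_GROUP


@dataclass
class Registration:
    tenant_id: str
    client_id: str
    client_secret: str
    consumers: list = field(default_factory=list)

    def redacted(self) -> str:
        """Summary that is safe to log: the client secret is never echoed."""
        return (f"tenant={self.tenant_id} client={self.client_id} "
                f"secret=*** consumers={len(self.consumers)}")


def _require(entry: dict, key: str, where: str) -> str:
    """Return entry[key] if it is a non-empty string, else raise."""
    value = entry.get(key)
    if not isinstance(value, str) or not value.strip():
        raise ValueError(f"{where}: '{key}' is required and must be a non-empty string")
    return value


def validate_config(config) -> list:
    """Check the documented structure and apply the consumerGroup default."""
    if not isinstance(config, list) or not config:
        raise ValueError("config must be a non-empty list of app registrations")
    registrations = []
    for i, entry in enumerate(config):
        where = f"registration[{i}]"
        if not isinstance(entry, dict):
            raise ValueError(f"{where}: expected a mapping")
        reg = Registration(
            tenant_id=_require(entry, "tenantId", where),
            client_id=_require(entry, "clientId", where),
            client_secret=_require(entry, "clientSecret", where),
        )
        consumers = entry.get("consumers")
        if not isinstance(consumers, list) or not consumers:
            raise ValueError(f"{where}: at least one consumer with namespace and name is required")
        for j, c in enumerate(consumers):
            cwhere = f"{where}.consumers[{j}]"
            if not isinstance(c, dict):
                raise ValueError(f"{cwhere}: expected a mapping")
            reg.consumers.append(Consumer(
                namespace=_require(c, "namespace", cwhere),
                name=_require(c, "name", cwhere),
                # omitted or empty consumerGroup falls back to $Default
                consumer_group=c.get("consumerGroup") or DEFAULT_CONSUMER_GROUP,
            ))
        registrations.append(reg)
    return registrations


if __name__ == "__main__":
    for reg in validate_config(SAMPLE_CONFIG):
        print(reg.redacted())
        for c in reg.consumers:
            print(f"  {c.namespace}/{c.name} group={c.consumer_group}")
```

Because the file holds the app registration's client secret, it should be readable only by the account that runs the collector, and any status output or log line derived from it should go through something like redacted() rather than dumping the parsed structure.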