Azure VNET Flow Log IEs
NetObserv Flow supports the following AWS VPC Flow Log information elements (IE).
| Azure field | Flow record field | Description |
|---|---|---|
| N/A | flow.export.type | Indicates that the flow came from an Azure VNet Flow Log. Value is always azure_vnet_flow_log |
| time | flow.export.timestamp | Time in UTC when the event was logged. |
| macAddress | flow.out.netif.mac | MAC address of the network interface where the event was captured. |
| flowLogGUID | azure.flowlog.resource.guid | Resource GUID of the FlowLog resource. |
| flowLogResourceID | azure.flowlog.resource.id | Resource ID of the FlowLog resource. |
| targetResourceID | azure.flowlog.target.resource.id | Resource ID of the target resource that's associated with the FlowLog resource. |
| flowLogVersion | azure.flowlog.version.ver | Version of the flow log. |
| category | azure.category.name | Category of the event. The category is always FlowLogFlowEvent. |
| operationName | azure.operation.name | Always FlowLogFlowEvent. |
| flowRecords → flows → aclID | azure.acl.id | Identifier of the resource that's evaluating traffic, either a network security group or Virtual Network Manager. For traffic that's denied because of encryption, this value is unspecified. |
| flowRecords→ flows → flowGroups → rule | sec.rule.name | Name of the rule that allowed or denied the traffic. For traffic that's denied because of encryption, this value is unspecified. |
| flowRecords→ flows → flowGroups → flowTuples → Time stamp | flow.start.timestamp | Time stamp of when the flow occurred. |
| flowRecords→ flows → flowGroups → flowTuples → Time stamp | flow.collect.timestamp | Time stamp of when the flow occurred. |
| flowRecords→ flows → flowGroups → flowTuples → Flow direction | flow.direction.name | Direction of the traffic flow. Valid values are Ingress and Egress. |
| flowRecords→ flows → flowGroups → flowTuples → Source IP | flow.src.ip.addr | Source IP address. |
| flowRecords→ flows → flowGroups → flowTuples → Source port | flow.src.l4.port | Source port. |
| flowRecords→ flows → flowGroups → flowTuples → Destination IP | flow.dst.ip.addr | Destination IP address. |
| flowRecords→ flows → flowGroups → flowTuples → Destination port | flow.dst.l4.port | Destination port. |
| flowRecords→ flows → flowGroups → flowTuples → Packets sent | flow.out.packets | Total number of packets sent from the source to the destination since the last update. |
| flowRecords→ flows → flowGroups → flowTuples → Bytes sent | flow.out.bytes | Total number of packet bytes sent from the source to the destination since the last update. Packet bytes include the packet header and payload. |
| flowRecords→ flows → flowGroups → flowTuples → Packets received | flow.in.packets | otal number of packets sent from the destination to the source since the last update. |
| flowRecords→ flows → flowGroups → flowTuples → Bytes received | flow.in.bytes | Total number of packet bytes sent from the destination to the source since the last update. Packet bytes include the packet header and payload. |
| flowRecords→ flows → flowGroups → flowTuples → Protocol | l4.proto | Layer 4 protocol of the flow, expressed in IANA assigned values. |
| flowRecords→ flows → flowGroups → flowTuples → Flow State | azure.flow.state | State of the flow. Possible states are begin, continuing, end, and deny. |
| flowRecords→ flows → flowGroups → flowTuples → Flow Encryption | azure.flow.encrypt | Encryption state of the flow. Possible states are encrypted, unencrypted, hardware_not_supported, software_not_ready, not_accepted, not_supported, local_dest, and fallback |