Azure Network Watcher: Blob storage path update for NSG flow logs
Published date: July 14, 2017
On Monday, July 31, 2017, the Azure Network Watcher team will begin rolling out a change to the blob format used for saving Network Security Group (NSG) flow logs to Azure Blob storage. This change is based on requests to increase the granularity for NSG flow logs. It does not affect the JSON schema for flow logs.
The new path format will include the network interface MAC address in the blob path. Although the format of NSG flow logs will not change, blobs will then contain only NSG logs for the network interface referenced in the MAC address by path. This enables you to selectively sort, filter, and process flow logs by MAC address.
Current path format:
“/insights-logsnetworksecuritygroupflowevent/resourceId=/SUBSCRIPTIONS/{subscriptionID}/RES OURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYG ROUPS/AUDITNSG/y={year}/m={month}/d={day}/h={hour}/m=00/PT1H.json”
Sample of current path format:
“/insights-logsnetworksecuritygroupflowevent/resourceId=/SUBSCRIPTIONS/00000000-0000-0000- 0000-000000000000/RESOURCEGROUPS/ContosoRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSEC URITYGROUPS/AUDITNSG/y=2017/m=07/d=12/h=02/m=00/PT1H.json”
Updated path format:
“/insights-logsnetworksecuritygroupflowevent/resourceId=/SUBSCRIPTIONS/{subscriptionID}/RES OURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYG ROUPS/AUDITNSG/y={year}/m={month}/d={day}/h={hour}/m=00/macAddress={macAddress}/PT1H.json”
Sample of updated path format:
“/insights-logsnetworksecuritygroupflowevent/resourceId=/SUBSCRIPTIONS/00000000-0000-0000- 0000- 000000000000/RESOURCEGROUPS/ContosoRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSEC URITYGROUPS/AUDITNSG/y=2017/m=07/d=31/h=02/m=00/macAddress=00125A011101/PT1H .json”
When this change takes effect, the NSGs that you have enabled for flow logs will begin writing flow logs by using the updated path format. This change will not affect your NSG flows being written to storage. Please ensure that any of your integrations or applications that use NSG flow logs comply with the updated blob path format. If you have any questions or concerns, contact AzureNetworkWatcher@microsoft.com.