
I cannot find corresponding NSG flow logs for the action that I manually triggered. NSG Flow Logs are enabled and configured in the Azure portal under Network Watcher -> NSG Flow Logs. Only default rules are used for outbound NSG.

Here is what I am trying to do, and I am expecting flow logs to show up after a few (4) minutes, but they don't.

1) Call API at the Application Gateway @https://api.aspnet4you.com/api/customer/FindAllCustomers?country=United%20States&state=Washington&city=Seattle

2) Query to find app gateway access logs and they show up in about 3 minutes:

```
AzureDiagnostics
| where TimeGenerated >= now(-15m)
| where clientIP_s != ""
| where Category == "ApplicationGatewayAccessLog"
```

3) Query NSG Flow logs but NO Result Found!

```
AzureNetworkAnalytics_CL
| where TimeGenerated >= now(-15m)
| where SubType_s == "FlowLog"
| extend dir = FlowDirection_s
| extend status = FlowStatus_s
| extend src = SrcIP_s
| extend dest = DestIP_s
| extend pubip = PublicIPs_s
| extend cty = Country_s
| project TimeGenerated, FlowType_s, status, dir, DestPort_d, cty, pubip, src, dest, L7Protocol_s, NSGRules_s
```

4) Checked the configured storage account blobs and I can see flow logs there, and those logs were generated in the last 15 minutes.

Why do the NSG flow logs not show up while app gateway access logs are showing just fine when I query logs in Azure Monitor (portal)?

Reference Architecture: https://blogs.aspnet4you.com/wp-content/uploads/2019/01/app-reference-architectures-v2.png

  • Did you enable Traffic Analytics in your Flow Log Settings? – Rick Rainey Jan 16 '19 at 19:23
  • Yep, Traffic Analytics is enabled. [link](https://blogs.aspnet4you.com/wp-content/uploads/2019/01/nsg-flow-enabled.jpg). – Prodip Jan 17 '19 at 02:52
  • This seems to be specific to NSG Flow Logs in AKS. I tried this using just a single VM and it worked as expected (within about 15 mins). I tried it in an AKS environment (like yours) and was able to reproduce the problem. This morning, I reran the query in Log Analytics and the data was there. Anyway, not sure why it took so long but it does appear to be working for me this morning. Can you try again and see if yours is working? – Rick Rainey Jan 18 '19 at 14:44
  • @Rick Rainey- Thank you so much for going the extra mile to reproduce the problem. It works subsequently but it worries me on the reliability! I will try again. In the meantime, I reached out to Microsoft through an informal channel on the problem. Will let you know my findings as I come to know. – Prodip Jan 20 '19 at 19:06
  • The official answer I got from Microsoft is: “Traffic Analytics processes the logs written to storage on an hourly basis. There is work going on to reduce this time. Native emission to Log Analytics and Event Hubs to bring parity with other diagnostic logs provided through Azure monitor is on our roadmap.” -- This answer reflects the logs I am seeing in AzureNetworkAnalytics_CL, not that I liked the answer! On the optimistic side, you can get the flow logs from storage account and it's near real-time. @RickRainey- Thanks for the help. – Prodip Feb 06 '19 at 05:23
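
The thread ends on the point that flow logs reach the storage account in near real time while AzureNetworkAnalytics_CL lags behind. As an added example (not code from the thread or from Microsoft), the Python below flattens a flow-log blob downloaded from that storage account into rows that can be filtered like the KQL query above. The sample blob, IP addresses, MAC and the helper names `parse_flow_log` and `query` are constructed for illustration, and the tuple layout assumed is the version 1 and version 2 NSG flow log format.

```python
import json
from datetime import datetime, timezone

V1_FIELDS = ("ts", "src", "dest", "src_port", "dest_port", "proto", "dir", "decision")
V2_EXTRA = ("state", "pkts_out", "bytes_out", "pkts_in", "bytes_in")

# Constructed sample in the layout of a PT1H.json flow-log blob (values are placeholders).
SAMPLE_BLOB = json.dumps({"records": [{
    "time": "2019-01-16T19:00:32.0000000Z",
    "resourceId": "/SUBSCRIPTIONS/<sub-id>/RESOURCEGROUPS/<rg>/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/<nsg>",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_AllowInternetOutBound", "flows": [{"mac": "000D3A000001", "flowTuples": [
            "1547665200,10.0.1.4,203.0.113.10,50122,443,T,O,A,B,,,,",
            "1547665205,10.0.1.4,203.0.113.10,50122,443,T,O,A,E,12,3400,10,8900"]}]},
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3A000001", "flowTuples": [
            "1547665210,198.51.100.7,10.0.1.4,40111,3389,T,I,D,B,,,,"]}]},
    ]}}]})

def parse_flow_log(blob_text):
    """Flatten every flow tuple in a blob into a dict (tuple versions 1 and 2)."""
    rows = []
    for record in json.loads(blob_text).get("records", []):
        props = record.get("properties", {})
        fields = V1_FIELDS + (V2_EXTRA if props.get("Version", 1) >= 2 else ())
        for rule in props.get("flows", []):
            for nic in rule.get("flows", []):
                for tup in nic.get("flowTuples", []):
                    parts = tup.split(",")
                    if len(parts) != len(fields):
                        continue  # skip malformed or unknown-version tuples
                    row = dict(zip(fields, parts), rule=rule.get("rule"), mac=nic.get("mac"))
                    row["time"] = datetime.fromtimestamp(int(row.pop("ts")), tz=timezone.utc)
                    row.update(src_port=int(row["src_port"]), dest_port=int(row["dest_port"]))
                    # Version 2 counters are empty on "B" (begin) tuples; treat them as 0.
                    row.update({k: int(row[k] or 0) for k in V2_EXTRA[1:] if k in row})
                    rows.append(row)
    return rows

def query(rows, since=None, **match):
    """Filter rows like the KQL `where` clauses, e.g. query(rows, dir="O", dest_port=443)."""
    return [r for r in rows
            if (since is None or r["time"] >= since)
            and all(r.get(k) == v for k, v in match.items())]

if __name__ == "__main__":
    for r in query(parse_flow_log(SAMPLE_BLOB), dest_port=443):
        print(r["time"].isoformat(), r["rule"], r["dir"], r["decision"],
              r["src"], "->", r["dest"], r["dest_port"], r.get("state"))
```
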

0 Answers