Description:
Virtual Network Flow Logs provide detailed information about the network traffic that flows through Network Security Groups (NSGs) or Azure Firewall associated with your Virtual Networks (VNets). Capturing these logs and sending them to Log Analytics allows you to analyze and monitor network traffic patterns, detect potential security threats, and troubleshoot network issues.
By ensuring that Virtual Network Flow Logs are captured and sent to Log Analytics, you can use Azure Monitor to query and analyze the flow logs, identify security risks, and maintain compliance with network security policies.
Rationale:
Capturing Virtual Network Flow Logs and sending them to Log Analytics enables:
Traffic analysis: Monitor incoming and outgoing traffic on your VNet and identify unusual patterns.
Security monitoring: Detect potential security threats such as unauthorized access or unusual network traffic.
Compliance and auditing: Maintain logs for auditing and compliance purposes, ensuring network traffic aligns with security policies.
Troubleshooting: Quickly identify and resolve network connectivity issues.
Impact:
Enabling Virtual Network Flow Logs and sending them to Log Analytics increases your visibility into network activity and improves security monitoring. However, it generates additional log data, which increases ingestion and storage costs depending on the log volume and the retention policies you configure. It is important to manage log retention and optimize queries to balance performance and cost.
Default Value:
By default, Virtual Network Flow Logs are not enabled. You need to manually configure Network Watcher to capture flow logs and send them to Log Analytics.
Pre-requisites:
Azure subscription with Network Watcher enabled.
Owner or Contributor role permissions to configure diagnostic settings.
Log Analytics workspace set up to store and query the logs.
Network Security Groups (NSGs) or Azure Firewall configured for the Virtual Network (VNet).
Audit:
Sign in to Azure portal as an Owner or Contributor.
Navigate to Azure Monitor and verify that the Virtual Network Flow Logs are being captured and sent to Log Analytics.
Ensure that Network Watcher is configured to send the logs to the correct Log Analytics workspace.
Implementation Steps (Manual):
Sign in to Azure portal:
Use an account with Owner or Contributor permissions.
Navigate to Network Watcher:
In the Azure portal, search for Network Watcher and select it from the search results.
Enable Network Watcher in the Region:
If Network Watcher is not already enabled in the region where your Virtual Network resides, click + Enable Network Watcher and select the region.
Network Watcher must be enabled in each region where you want to monitor network traffic.
Navigate to Flow Logs:
In Network Watcher, go to Flow logs under the Monitoring section.
Click + Add to configure a new flow log.
Configure Flow Logs:
Select the Virtual Network and Network Security Group (NSG) or Azure Firewall for which you want to capture flow logs.
Choose the Log Analytics workspace where you want the logs to be sent.
Set the retention period for the logs (you can specify how long you want to keep the logs in the Log Analytics workspace).
Configure Flow Log Settings:
Set the Flow log format to either JSON or Text.
Enable Traffic analytics (optional) to gain deeper insights into the flow log data.
Enable Log analytics workspace and select the appropriate workspace where you want the flow logs to be sent.
Review and Create the Diagnostic Setting:
Review the settings you have configured.
Click Create to enable Virtual Network Flow Logs and start sending the logs to the selected Log Analytics workspace.
Verify Flow Log Collection:
After configuring the flow logs, verify that logs are being captured by generating traffic or events within your Virtual Network (e.g., connect to resources, simulate traffic).
In Log Analytics, query the flow logs to confirm the logs are being captured.
Set Up Alerts (Optional):
You can set up alerts in Azure Monitor based on specific network traffic patterns or anomalies detected in the flow logs.
In Azure Monitor, go to Alerts and create a new alert rule based on the Network Watcher or Log Analytics data.
Configure the conditions for the alert (e.g., unusual network traffic, denied connections) and define the action group for notification.
Monitor Logs and Review:
Use Azure Monitor to regularly review the Virtual Network Flow Logs captured in Log Analytics.
Create custom dashboards or use pre-built templates in Log Analytics to visualize traffic patterns, security issues, and network performance.
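As an added example for the verification, alerting and review steps above (it is not part of this control's text and not Microsoft's tooling), the following Python script parses Virtual Network flow log records in the JSON format chosen in the flow log settings and derives the figures an alert on "denied connections" or a traffic dashboard is built on: denied flows per source address, the busiest destination ports, and the sources that exceed a denied-flow threshold. The record layout (flowRecords, flows, flowGroups, flowTuples) and the order of the fields inside each flow tuple are assumptions based on the author's understanding of the VNet flow log JSON schema; the sample record embedded in the script is constructed, not captured from a real workspace.

```python
"""Parse Azure Virtual Network flow log records (JSON format) and summarise them.

Example code added for this control; not Microsoft's tooling.
Assumptions (labelled): records follow the VNet flow log JSON layout as the
author understands it (properties.flowRecords.flows[].flowGroups[].flowTuples),
and each tuple is a comma-separated string in this order:
  timestamp(ms), srcIp, dstIp, srcPort, dstPort, protocol, direction (I/O),
  flowState (B/C/E/D), encryption, packetsSent, bytesSent,
  packetsReceived, bytesReceived
The sample record below is constructed for the example.
"""
import json
from collections import Counter
from dataclasses import dataclass

# Constructed sample: two allowed outbound HTTPS flows and four denied inbound
# flows (three from one source, one from another). Not real data.
SAMPLE_RECORD = json.dumps({
    "records": [{
        "time": "2024-05-01T10:00:00.0000000Z",
        "flowLogVersion": 4,
        "category": "FlowLogFlowEvent",
        "properties": {"flowRecords": {"flows": [{
            "aclID": "placeholder-acl-id",
            "flowGroups": [
                {"rule": "DefaultRule_AllowInternetOutBound",
                 "flowTuples": [
                     "1714557600000,10.0.0.4,52.1.2.3,51000,443,6,O,B,NX,10,1200,8,900",
                     "1714557601000,10.0.0.4,52.1.2.3,51001,443,6,O,B,NX,4,300,3,200",
                 ]},
                {"rule": "DefaultRule_DenyAllInBound",
                 "flowTuples": [
                     "1714557602000,198.51.100.7,10.0.0.4,40001,22,6,I,D,NX,0,0,0,0",
                     "1714557603000,198.51.100.7,10.0.0.4,40002,22,6,I,D,NX,0,0,0,0",
                     "1714557604000,198.51.100.7,10.0.0.4,40003,3389,6,I,D,NX,0,0,0,0",
                     "1714557605000,203.0.113.9,10.0.0.4,40004,22,6,I,D,NX,0,0,0,0",
                 ]},
            ],
        }]}},
    }]
})


@dataclass(frozen=True)
class Flow:
    ts_ms: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: int       # 6 = TCP, 17 = UDP
    direction: str      # "I" inbound, "O" outbound
    state: str          # "B" begin, "C" continuing, "E" end, "D" denied
    rule: str           # NSG rule name taken from the enclosing flowGroup
    bytes_sent: int
    bytes_received: int


def parse_flow_tuple(tuple_str, rule):
    """Split one flow tuple string into a Flow; rejects malformed tuples."""
    f = tuple_str.split(",")
    if len(f) != 13:
        raise ValueError(f"unexpected flow tuple field count {len(f)}")
    return Flow(int(f[0]), f[1], f[2], int(f[3]), int(f[4]), int(f[5]),
                f[6], f[7], rule, int(f[10]), int(f[12]))


def parse_records(raw_json):
    """Walk the record hierarchy and return a flat list of Flow objects."""
    flows = []
    for rec in json.loads(raw_json)["records"]:
        for flow in rec["properties"]["flowRecords"]["flows"]:
            for group in flow["flowGroups"]:
                rule = group.get("rule", "")
                for tuple_str in group["flowTuples"]:
                    flows.append(parse_flow_tuple(tuple_str, rule))
    return flows


def denied_by_source(flows):
    """Count denied flows (state D) per source IP address."""
    return Counter(f.src_ip for f in flows if f.state == "D")


def top_destination_ports(flows, n=3):
    """Busiest destination ports by flow count, for a traffic dashboard."""
    return Counter(f.dst_port for f in flows).most_common(n)


def sources_over_threshold(flows, threshold):
    """Sources with at least `threshold` denied flows: the alert condition."""
    return sorted(ip for ip, count in denied_by_source(flows).items()
                  if count >= threshold)


if __name__ == "__main__":
    flows = parse_records(SAMPLE_RECORD)
    print(f"{len(flows)} flows parsed")
    print("denied per source:", dict(denied_by_source(flows)))
    print("top destination ports:", top_destination_ports(flows))
    print("alert candidates (>= 3 denied):", sources_over_threshold(flows, 3))
```

Running the script as written processes the embedded sample; pointing `parse_records` at records exported from the Log Analytics workspace or the flow log storage account gives the same counts over real data. The threshold in `sources_over_threshold` mirrors the kind of condition the optional alert rule expresses.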
Backout Plan (Manual):
Sign in to Azure portal:
Use an account with Owner or Contributor permissions.
Navigate to Network Watcher:
Go to Network Watcher in the Azure portal.
Disable Flow Logs:
In Flow logs, locate the Virtual Network and Network Security Group (NSG) or Azure Firewall for which the flow logs are configured.
Click Disable flow logs to stop capturing and sending logs to the Log Analytics workspace.
Verify Log Collection Stopped:
After disabling flow logs, check the Log Analytics workspace to ensure that no further logs are being captured or sent.
Test the Reverted Configuration:
Trigger an action (e.g., a sign-in or policy change) and verify that no logs are being captured or sent to Log Analytics.