Flow Logs - Create Or Update

Create or update a flow log for the specified network security group.

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkWatchers/{networkWatcherName}/flowLogs/{flowLogName}?api-version=2024-05-01

URI Parameters

Name In Required Type Description
flowLogName
path True

string

The name of the flow log.

networkWatcherName
path True

string

The name of the network watcher.

resourceGroupName
path True

string

The name of the resource group.

subscriptionId
path True

string

The subscription credentials which uniquely identify the Microsoft Azure subscription. The subscription ID forms part of the URI for every service call.

api-version
query True

string

Client API version.

Request Body

Name Required Type Description
properties.storageId True

string

ID of the storage account which is used to store the flow log.

properties.targetResourceId True

string

ID of network security group to which flow log will be applied.

id

string

Resource ID.

identity

ManagedServiceIdentity

FlowLog resource Managed Identity

location

string

Resource location.

properties.enabled

boolean

Flag to enable/disable flow logging.

properties.enabledFilteringCriteria

string

Optional field to filter network traffic logs based on SrcIP, SrcPort, DstIP, DstPort, Protocol, Encryption, Direction and Action. If not specified, all network traffic will be logged.

properties.flowAnalyticsConfiguration

TrafficAnalyticsProperties

Parameters that define the configuration of traffic analytics.

properties.format

FlowLogFormatParameters

Parameters that define the flow log format.

properties.retentionPolicy

RetentionPolicyParameters

Parameters that define the retention policy for flow log.

tags

object

Resource tags.

Responses

Name Type Description
200 OK

FlowLog

Update successful. The operation returns the resulting flow log resource.

201 Created

FlowLog

Request successful. The operation returns the resulting flow log resource.

Other Status Codes

ErrorResponse

Error response describing why the operation failed.

Security

azure_auth

Azure Active Directory OAuth2 Flow.

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name Description
user_impersonation impersonate your user account

Examples

Create or update flow log

Sample request

PUT https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/networkWatchers/nw1/flowLogs/fl?api-version=2024-05-01

{
  "location": "centraluseuap",
  "properties": {
    "targetResourceId": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/networkSecurityGroups/desmondcentral-nsg",
    "storageId": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/nwtest1mgvbfmqsigdxe",
    "enabledFilteringCriteria": "srcIP=158.255.7.8 || dstPort=56891",
    "enabled": true,
    "format": {
      "type": "JSON",
      "version": 1
    }
  },
  "identity": {
    "type": "UserAssigned",
    "userAssignedIdentities": {
      "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id1": {}
    }
  }
}

Sample response

{
  "name": "Microsoft.Networkdesmond-rgdesmondcentral-nsg",
  "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/networkWatchers/nw/FlowLogs/fl",
  "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
  "properties": {
    "provisioningState": "Updating",
    "targetResourceId": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/networkSecurityGroups/desmondcentral-nsg",
    "targetResourceGuid": "00000000-0000-0000-0000-000000000000",
    "storageId": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/nwtest1mgvbfmqsigdxe",
    "enabledFilteringCriteria": "srcIP=158.255.7.8 || dstPort=56891",
    "enabled": true,
    "flowAnalyticsConfiguration": {},
    "retentionPolicy": {
      "days": 0,
      "enabled": false
    },
    "format": {
      "type": "JSON",
      "version": 1
    }
  },
  "type": "Microsoft.Network/networkWatchers/FlowLogs",
  "identity": {
    "type": "UserAssigned",
    "userAssignedIdentities": {
      "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id1": {
        "clientId": "c16d15e1-f60a-40e4-8a05-df3d3f655c14",
        "principalId": "e3858881-e40c-43bd-9cde-88da39c05023"
      }
    }
  },
  "location": "centraluseuap"
}
{
  "name": "Microsoft.Networkdesmond-rgdesmondcentral-nsg",
  "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/networkWatchers/nw/FlowLogs/fl",
  "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
  "properties": {
    "provisioningState": "Succeeded",
    "targetResourceId": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/networkSecurityGroups/desmondcentral-nsg",
    "targetResourceGuid": "00000000-0000-0000-0000-000000000000",
    "storageId": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/nwtest1mgvbfmqsigdxe",
    "enabledFilteringCriteria": "srcIP=158.255.7.8 || dstPort=56891",
    "enabled": true,
    "flowAnalyticsConfiguration": {},
    "retentionPolicy": {
      "days": 0,
      "enabled": false
    },
    "format": {
      "type": "JSON",
      "version": 1
    }
  },
  "type": "Microsoft.Network/networkWatchers/FlowLogs",
  "identity": {
    "type": "UserAssigned",
    "userAssignedIdentities": {
      "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id1": {
        "clientId": "c16d15e1-f60a-40e4-8a05-df3d3f655c14",
        "principalId": "e3858881-e40c-43bd-9cde-88da39c05023"
      }
    }
  },
  "location": "centraluseuap"
}

Definitions

Name Description
ErrorDetails

Common error details representation.

ErrorResponse

The error object.

FlowLog

A flow log resource.

FlowLogFormatParameters

Parameters that define the flow log format.

FlowLogFormatType

The file type of flow log.

ManagedServiceIdentity

Identity for the resource.

ProvisioningState

The current provisioning state.

ResourceIdentityType

The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the virtual machine.

RetentionPolicyParameters

Parameters that define the retention policy for flow log.

TrafficAnalyticsConfigurationProperties

Parameters that define the configuration of traffic analytics.

TrafficAnalyticsProperties

Parameters that define the configuration of traffic analytics.

UserAssignedIdentities

The list of user identities associated with resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.

ErrorDetails

Common error details representation.

Name Type Description
code

string

Error code.

message

string

Error message.

target

string

Error target.

ErrorResponse

The error object.

Name Type Description
error

ErrorDetails

Error
The error details object.

FlowLog

A flow log resource.

Name Type Description
etag

string

A unique read-only string that changes whenever the resource is updated.

id

string

Resource ID.

identity

ManagedServiceIdentity

FlowLog resource Managed Identity

location

string

Resource location.

name

string

Resource name.

properties.enabled

boolean

Flag to enable/disable flow logging.

properties.enabledFilteringCriteria

string

Optional field to filter network traffic logs based on SrcIP, SrcPort, DstIP, DstPort, Protocol, Encryption, Direction and Action. If not specified, all network traffic will be logged.

properties.flowAnalyticsConfiguration

TrafficAnalyticsProperties

Parameters that define the configuration of traffic analytics.

properties.format

FlowLogFormatParameters

Parameters that define the flow log format.

properties.provisioningState

ProvisioningState

The provisioning state of the flow log.

properties.retentionPolicy

RetentionPolicyParameters

Parameters that define the retention policy for flow log.

properties.storageId

string

ID of the storage account which is used to store the flow log.

properties.targetResourceGuid

string

Guid of network security group to which flow log will be applied.

properties.targetResourceId

string

ID of network security group to which flow log will be applied.

tags

object

Resource tags.

type

string

Resource type.

FlowLogFormatParameters

Parameters that define the flow log format.

Name Type Default value Description
type

FlowLogFormatType

The file type of flow log.

version

integer

0

The version (revision) of the flow log.

FlowLogFormatType

The file type of flow log.

Name Type Description
JSON

string

ManagedServiceIdentity

Identity for the resource.

Name Type Description
principalId

string

The principal id of the system assigned identity. This property will only be provided for a system assigned identity.

tenantId

string

The tenant id of the system assigned identity. This property will only be provided for a system assigned identity.

type

ResourceIdentityType

The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the virtual machine.

userAssignedIdentities

UserAssignedIdentities

The list of user identities associated with resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.

ProvisioningState

The current provisioning state.

Name Type Description
Deleting

string

Failed

string

Succeeded

string

Updating

string

ResourceIdentityType

The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the virtual machine.

Name Type Description
None

string

SystemAssigned

string

SystemAssigned, UserAssigned

string

UserAssigned

string

RetentionPolicyParameters

Parameters that define the retention policy for flow log.

Name Type Default value Description
days

integer

0

Number of days to retain flow log records.

enabled

boolean

False

Flag to enable/disable retention.

TrafficAnalyticsConfigurationProperties

Parameters that define the configuration of traffic analytics.

Name Type Description
enabled

boolean

Flag to enable/disable traffic analytics.

trafficAnalyticsInterval

integer

The interval in minutes which would decide how frequently TA service should do flow analytics.

workspaceId

string

The resource guid of the attached workspace.

workspaceRegion

string

The location of the attached workspace.

workspaceResourceId

string

Resource Id of the attached workspace.

TrafficAnalyticsProperties

Parameters that define the configuration of traffic analytics.

Name Type Description
networkWatcherFlowAnalyticsConfiguration

TrafficAnalyticsConfigurationProperties

Parameters that define the configuration of traffic analytics.

UserAssignedIdentities

The list of user identities associated with resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.

Name Type Description