NSG Flow Logs

NSG Flow Logs

The current process for exporting your Azure NSG Flow logs to RunReveal involves 3 steps.

  1. NSG Flow Logs export to a Storage Account.
  2. A Blob Created event is triggered and adds a message to a Storage Queue located in the same Storage Account.
  3. RunReveal will once a minute, process the events in the Queue and start to read the storage object that was created.

In order to setup this format you will need to create the following pieces in Azure:

  1. Add a new App Registration to your Entra account
  2. Create a new Client Secret for this new app
  3. Create a new Storage Account
  4. Create an Event to notify on Blob Created event types and forward the notification to a Storage Queue
  5. Provide access to the created app to read blob objects and process storage queue messages
  6. Setup NSG Flow to forward logs to the created Storage Account

For steps 3-5 RunReveal provides an Azure Deploy Template that can be used to simplify setup.

App Registration

The first step is to create a new App Registration. Navigate to the Microsoft Entra ID (opens in a new tab) service and choose Add -> App Registration.

Give the app a name and fill in the remaining settings for your organization. Once done click Register.

You should now be presented with the details of the new app. Copy and save the Application (client) ID and the Directory (tenant) ID as these will be needed when setting up the RunReveal source. If you plan to use the provided deploy template click on the link for the Managed application in local directory, this will open a properties page where you will need to copy the listed Object ID.

App Secret

Once the app has been registered you will need to create a client secret to provide to RunReveal for access. Back on the main app registration page under the Manage category click on 'Certificates & secrets'. From this screen click on the 'Client secrets' option and select New client secret. Give the secret a name and choose an expiration date. Once created copy the secret value and save it for later, this is needed when creating the source in RunReveal.

client secret

Set a reminder for the expiration date of this secret. You will need to generate a new secret and update your RunReveal source before the expiration date to make sure RunReveal continues to have access.

Storage Account Setup

The easiest way to setup your storage account is to use our deployment template. This will automatically setup the storage account, the object notifications, and provide the correct permissions for the created app.

Deployment Template

Deploy to Azure (opens in a new tab)

Click on the to Azure button to load the template in the Azure portal. From there choose your Subscription and Resource group where this storage account should reside. The storage account location needs to be the same as the NSG resource that flow logs are being stored for. Give the storage account a name and paste the App's Object ID that was copied earlier. Wait for the deployment to complete, and click on the Outputs menu item. This will list the storageAccountName and storageQueueName that were created by the template. These values will be needed when setting up the RunReveal source. You can now move on to setting up Azure log forwarding.


Azure displays multiple App object IDs, if the wrong one is used you may get a deployment error with the template. All of the resources will have been created but the IAM permissions will not have been set. You can manually apply the needed permissions to the storage account if this happens.

Manual Setup

If you already have logs being stored in a storage account or want to change other setup settings follow these steps.

Storage Account

Navigate to the Storage account (opens in a new tab) creation page and create a new storage account to store your log files. When creating a storage account the account location needs to be in the same region as the NSG resources.

Event Subscription

In your Storage Account resource, go to the Events menu and create a new Event Subscription.

Fill in the name fields for the subscription and system topic name and select Event Grid Schema as the event schema. Change the event types to only filter for Blob Created events. Select Storage Queue as your endpoint type and configure a new queue. For easiest setup, we recommend putting the storage queue in the same storage account. Make sure to take note of the name of the storage queue that was created as this will be needed in the RunReveal source.

event sub


Go to the access control (IAM) screen for your storage account and add a new Role assignment. You will need to add two separate roles the first being Storage Blob Data Reader and Storage Queue Data Message Processor. For both of these the member should be the App that was registered earlier.

Once access has been granted you are ready for the next step.

NSG Log Forwarding

With the storage account created you can now setup NSG flow logs to export to it.

On the Network Security Group (NSG) resource page select the Monitoring -> NSG flow logs menu item and click on the "Create flow log" button.

Select your Subscription this should reside in and your flow log type. Select all of the target resources that you want to capture logs for. Next select the storage account from the dropdown list that you created earlier and set a retention policy for the log files.

Click create and a new flow log setup will be created and logs should begin to save into your storage account momentarily.

RunReveal Source

Go to RunReveal and add a new source selecting NSG Flow Logs (opens in a new tab).

Give the source a name and fill in the remaining fields with the saved values from setup.

azure blob

You will need the values that were saved from the setup steps.

  • The app Tenant ID and Client ID from the app registration screen.
  • The Client Secret Value that was created when generating a new secret for the app.
  • The Storage Account Name where the logs are exporting to.
  • The Storage Queue Name that holds the blob created notifications.

Once these are supplied and saved, RunReveal will begin to process messages in the queue and then ingest logs stored in the bucket.