Merge pull request #304479 from halkazwini/nw-read

Stacyrch140 · web-flow · commit e25e8a3111be · 2025-08-20T15:57:26.000-04:00
Read flow logs updates
diff --git a/articles/network-watcher/flow-logs-read.md b/articles/network-watcher/flow-logs-read.md
@@ -6,10 +6,9 @@ author: halkazwini
 ms.author: halkazwini
 ms.service: azure-network-watcher
 ms.topic: how-to
-ms.date: 09/26/2024
+ms.date: 08/20/2025
 ms.custom: devx-track-azurepowershell
 
-#CustomerIntent: As an Azure administrator, I want to read my flow logs using a PowerShell script so I can see the latest data.
 # Customer intent: As an Azure administrator, I want to efficiently read and analyze my Network Watcher flow logs using PowerShell scripts, so that I can quickly access and interpret network data without downloading entire log files.
 ---
 
@@ -29,39 +28,41 @@ The concepts discussed in this article aren't limited to the PowerShell and are
 
 - Flow logs in a region or more. For more information, see [Create network security group flow logs](nsg-flow-logs-manage.md#create-a-flow-log) or [Create virtual network flow logs](vnet-flow-logs-manage.md#create-a-flow-log).
 
-- Necessary RBAC permissions for the subscriptions of flow logs and storage account. For more information, see [Network Watcher RBAC permissions](required-rbac-permissions.md).
+- Necessary Azure role-based access control (Azure RBAC) permissions for the subscriptions of flow logs and storage account. For more information, see [Network Watcher RBAC permissions](required-rbac-permissions.md).
 
 ## Retrieve the blocklist
 
-# [**Network security group flow logs**](#tab/nsg)
+In this section, you set up the variables required to query the flow log blob and list the blocks within the [CloudBlockBlob](/dotnet/api/microsoft.azure.storage.blob.cloudblockblob) block blob.
+
+# [**Virtual network flow logs**](#tab/vnet)
 
-The following PowerShell script sets up the variables needed to query the network security group flow log blob and list the blocks within the [CloudBlockBlob](/dotnet/api/microsoft.azure.storage.blob.cloudblockblob) block blob. Update the script to contain valid values for your environment, specifically "yourSubscriptionId", "FLOWLOGSVALIDATIONWESTCENTRALUS", "V2VALIDATIONVM-NSG", "yourStorageAccountName", "ml-rg", "000D3AF87856", "11/11/2018 03:00". For example, yourSubscriptionId should be replaced with your subscription ID.
+Update the PowerShell script with valid values for your environment.
 
 ```powershell
-function Get-NSGFlowLogCloudBlockBlob {
+function Get-VNetFlowLogCloudBlockBlob {
     [CmdletBinding()]
     param (
         [string] [Parameter(Mandatory=$true)] $subscriptionId,
-        [string] [Parameter(Mandatory=$true)] $NSGResourceGroupName,
-        [string] [Parameter(Mandatory=$true)] $NSGName,
+        [string] [Parameter(Mandatory=$true)] $region,
+        [string] [Parameter(Mandatory=$true)] $VNetFlowLogName,
         [string] [Parameter(Mandatory=$true)] $storageAccountName,
         [string] [Parameter(Mandatory=$true)] $storageAccountResourceGroup,
         [string] [Parameter(Mandatory=$true)] $macAddress,
         [datetime] [Parameter(Mandatory=$true)] $logTime
     )
 
     process {
-        # Retrieve the primary storage account key to access the network security group logs
+        # Retrieve the primary storage account key to access the virtual network flow logs
         $StorageAccountKey = (Get-AzStorageAccountKey -ResourceGroupName $storageAccountResourceGroup -Name $storageAccountName).Value[0]
 
         # Setup a new storage context to be used to query the logs
-        $ctx = New-AzStorageContext -StorageAccountName $StorageAccountName -StorageAccountKey $StorageAccountKey
+        $ctx = New-AzStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $StorageAccountKey
 
-        # Container name used by network security group flow logs
-        $ContainerName = "insights-logs-networksecuritygroupflowevent"
+        # Container name used by virtual network flow logs
+        $ContainerName = "insights-logs-flowlogflowevent"
 
-        # Name of the blob that contains the network security group flow log
-        $BlobName = "resourceId=/SUBSCRIPTIONS/${subscriptionId}/RESOURCEGROUPS/${NSGResourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/${NSGName}/y=$($logTime.Year)/m=$(($logTime).ToString("MM"))/d=$(($logTime).ToString("dd"))/h=$(($logTime).ToString("HH"))/m=00/macAddress=$($macAddress)/PT1H.json"
+        # Name of the blob that contains the virtual network flow log
+        $BlobName = "flowLogResourceID=/$($subscriptionId.ToUpper())_NETWORKWATCHERRG/NETWORKWATCHER_$($region.ToUpper())_$($VNetFlowLogName.ToUpper())/y=$($logTime.Year)/m=$(($logTime).ToString("MM"))/d=$(($logTime).ToString("dd"))/h=$(($logTime).ToString("HH"))/m=00/macAddress=$($macAddress)/PT1H.json"
 
         # Gets the storage blog
         $Blob = Get-AzStorageBlob -Context $ctx -Container $ContainerName -Blob $BlobName
@@ -74,7 +75,7 @@ function Get-NSGFlowLogCloudBlockBlob {
     }
 }
 
-function Get-NSGFlowLogBlockList  {
+function Get-VNetFlowLogBlockList  {
     [CmdletBinding()]
     param (
         [Microsoft.Azure.Storage.Blob.CloudBlockBlob] [Parameter(Mandatory=$true)] $CloudBlockBlob
@@ -88,41 +89,40 @@ function Get-NSGFlowLogBlockList  {
     }
 }
 
+$CloudBlockBlob = Get-VNetFlowLogCloudBlockBlob -subscriptionId "yourSubscriptionId" -region "yourVNetFlowLogRegion" -VNetFlowLogName "yourVNetFlowLogName" -storageAccountName "yourStorageAccountName" -storageAccountResourceGroup "yourStorageAccountRG" -macAddress "0022485D8CF8" -logTime "07/09/2023 03:00" 
 
-$CloudBlockBlob = Get-NSGFlowLogCloudBlockBlob -subscriptionId "yourSubscriptionId" -NSGResourceGroupName "FLOWLOGSVALIDATIONWESTCENTRALUS" -NSGName "V2VALIDATIONVM-NSG" -storageAccountName "yourStorageAccountName" -storageAccountResourceGroup "ml-rg" -macAddress "000D3AF87856" -logTime "11/11/2018 03:00" 
-
-$blockList = Get-NSGFlowLogBlockList -CloudBlockBlob $CloudBlockBlob
+$blockList = Get-VNetFlowLogBlockList -CloudBlockBlob $CloudBlockBlob
 ```
 
-# [**Virtual network flow logs**](#tab/vnet)
+# [**Network security group flow logs**](#tab/nsg)
 
-The following PowerShell script sets up the variables needed to query the virtual network flow log blob and list the blocks within the [CloudBlockBlob](/dotnet/api/microsoft.azure.storage.blob.cloudblockblob) block blob. Update the script to contain valid values for your environment.
+Update the PowerShell script with valid values for your environment, specifically `yourSubscriptionId`, `FLOWLOGSVALIDATIONWESTCENTRALUS`, `V2VALIDATIONVM-NSG`, `yourStorageAccountName`, `ml-rg`, `000D3AF87856`, `11/11/2018 03:00`. For example, `yourSubscriptionId` should be replaced with your Azure subscription ID.
 
 ```powershell
-function Get-VNetFlowLogCloudBlockBlob {
+function Get-NSGFlowLogCloudBlockBlob {
     [CmdletBinding()]
     param (
         [string] [Parameter(Mandatory=$true)] $subscriptionId,
-        [string] [Parameter(Mandatory=$true)] $region,
-        [string] [Parameter(Mandatory=$true)] $VNetFlowLogName,
+        [string] [Parameter(Mandatory=$true)] $NSGResourceGroupName,
+        [string] [Parameter(Mandatory=$true)] $NSGName,
         [string] [Parameter(Mandatory=$true)] $storageAccountName,
         [string] [Parameter(Mandatory=$true)] $storageAccountResourceGroup,
         [string] [Parameter(Mandatory=$true)] $macAddress,
         [datetime] [Parameter(Mandatory=$true)] $logTime
     )
 
     process {
-        # Retrieve the primary storage account key to access the virtual network flow logs
+        # Retrieve the primary storage account key to access the network security group logs
         $StorageAccountKey = (Get-AzStorageAccountKey -ResourceGroupName $storageAccountResourceGroup -Name $storageAccountName).Value[0]
 
         # Setup a new storage context to be used to query the logs
-        $ctx = New-AzStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $StorageAccountKey
+        $ctx = New-AzStorageContext -StorageAccountName $StorageAccountName -StorageAccountKey $StorageAccountKey
 
-        # Container name used by virtual network flow logs
-        $ContainerName = "insights-logs-flowlogflowevent"
+        # Container name used by network security group flow logs
+        $ContainerName = "insights-logs-networksecuritygroupflowevent"
 
-        # Name of the blob that contains the virtual network flow log
-        $BlobName = "flowLogResourceID=/$($subscriptionId.ToUpper())_NETWORKWATCHERRG/NETWORKWATCHER_$($region.ToUpper())_$($VNetFlowLogName.ToUpper())/y=$($logTime.Year)/m=$(($logTime).ToString("MM"))/d=$(($logTime).ToString("dd"))/h=$(($logTime).ToString("HH"))/m=00/macAddress=$($macAddress)/PT1H.json"
+        # Name of the blob that contains the network security group flow log
+        $BlobName = "resourceId=/SUBSCRIPTIONS/${subscriptionId}/RESOURCEGROUPS/${NSGResourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/${NSGName}/y=$($logTime.Year)/m=$(($logTime).ToString("MM"))/d=$(($logTime).ToString("dd"))/h=$(($logTime).ToString("HH"))/m=00/macAddress=$($macAddress)/PT1H.json"
 
         # Gets the storage blog
         $Blob = Get-AzStorageBlob -Context $ctx -Container $ContainerName -Blob $BlobName
@@ -135,7 +135,7 @@ function Get-VNetFlowLogCloudBlockBlob {
     }
 }
 
-function Get-VNetFlowLogBlockList  {
+function Get-NSGFlowLogBlockList  {
     [CmdletBinding()]
     param (
         [Microsoft.Azure.Storage.Blob.CloudBlockBlob] [Parameter(Mandatory=$true)] $CloudBlockBlob
@@ -149,9 +149,10 @@ function Get-VNetFlowLogBlockList  {
     }
 }
 
-$CloudBlockBlob = Get-VNetFlowLogCloudBlockBlob -subscriptionId "yourSubscriptionId" -region "yourVNetFlowLogRegion" -VNetFlowLogName "yourVNetFlowLogName" -storageAccountName "yourStorageAccountName" -storageAccountResourceGroup "yourStorageAccountRG" -macAddress "0022485D8CF8" -logTime "07/09/2023 03:00" 
 
-$blockList = Get-VNetFlowLogBlockList -CloudBlockBlob $CloudBlockBlob
+$CloudBlockBlob = Get-NSGFlowLogCloudBlockBlob -subscriptionId "yourSubscriptionId" -NSGResourceGroupName "FLOWLOGSVALIDATIONWESTCENTRALUS" -NSGName "V2VALIDATIONVM-NSG" -storageAccountName "yourStorageAccountName" -storageAccountResourceGroup "ml-rg" -macAddress "000D3AF87856" -logTime "11/11/2018 03:00" 
+
+$blockList = Get-NSGFlowLogBlockList -CloudBlockBlob $CloudBlockBlob
 ```
 
 ---
@@ -172,23 +173,25 @@ Mzk1YzQwM2U0ZWY1ZDRhOWFlMTNhYjQ3OGVhYmUzNjk=   2675      True
 ZjAyZTliYWE3OTI1YWZmYjFmMWI0MjJhNzMxZTI4MDM=      2      True
 ```
 
-
 ## Read the block blob
 
 In this section, you read the `$blocklist` variable to retrieve the data. In the following example, we iterate through the blocklist to read the bytes from each block and store them in an array. Use the [DownloadRangeToByteArray](/dotnet/api/microsoft.azure.storage.blob.cloudblob.downloadrangetobytearray) method to retrieve the data.
 
-# [**Network security group flow logs**](#tab/nsg)
+# [**Virtual network flow logs**](#tab/vnet)
 
 ```powershell
-function Get-NSGFlowLogReadBlock  {
+function Get-VNetFlowLogReadBlock  {
     [CmdletBinding()]
     param (
         [System.Array] [Parameter(Mandatory=$true)] $blockList,
         [Microsoft.Azure.Storage.Blob.CloudBlockBlob] [Parameter(Mandatory=$true)] $CloudBlockBlob
 
     )
+    $blocklistResult = $blockList.Result
+    
     # Set the size of the byte array to the largest block
-    $maxvalue = ($blocklist | measure Length -Maximum).Maximum
+    $maxvalue = ($blocklistResult | Measure-Object Length -Maximum).Maximum
+    Write-Host "Max value is ${maxvalue}"
 
     # Create an array to store values in
     $valuearray = @()
@@ -197,16 +200,16 @@ function Get-NSGFlowLogReadBlock  {
     $index = 0
 
     # Loop through each block in the block list
-    for($i=0; $i -lt $blocklist.count; $i++)
+    for($i=0; $i -lt $blocklistResult.count; $i++)
     {
         # Create a byte array object to story the bytes from the block
         $downloadArray = New-Object -TypeName byte[] -ArgumentList $maxvalue
 
         # Download the data into the ByteArray, starting with the current index, for the number of bytes in the current block. Index is increased by 3 when reading to remove preceding comma.
-        $CloudBlockBlob.DownloadRangeToByteArray($downloadArray,0,$index, $($blockList[$i].Length)) | Out-Null
+        $CloudBlockBlob.DownloadRangeToByteArray($downloadArray,0,$index, $($blockListResult[$i].Length)) | Out-Null
 
         # Increment the index by adding the current block length to the previous index
-        $index = $index + $blockList[$i].Length
+        $index = $index + $blockListResult[$i].Length
 
         # Retrieve the string from the byte array
 
@@ -218,24 +221,22 @@ function Get-NSGFlowLogReadBlock  {
     #Return the Array
     $valuearray
 }
-$valuearray = Get-NSGFlowLogReadBlock -blockList $blockList -CloudBlockBlob $CloudBlockBlob
+
+$valuearray = Get-VNetFlowLogReadBlock -blockList $blockList -CloudBlockBlob $CloudBlockBlob
 ```
 
-# [**Virtual network flow logs**](#tab/vnet)
+# [**Network security group flow logs**](#tab/nsg)
 
 ```powershell
-function Get-VNetFlowLogReadBlock  {
+function Get-NSGFlowLogReadBlock  {
     [CmdletBinding()]
     param (
         [System.Array] [Parameter(Mandatory=$true)] $blockList,
         [Microsoft.Azure.Storage.Blob.CloudBlockBlob] [Parameter(Mandatory=$true)] $CloudBlockBlob
 
     )
-    $blocklistResult = $blockList.Result
-    
     # Set the size of the byte array to the largest block
-    $maxvalue = ($blocklistResult | Measure-Object Length -Maximum).Maximum
-    Write-Host "Max value is ${maxvalue}"
+    $maxvalue = ($blocklist | measure Length -Maximum).Maximum
 
     # Create an array to store values in
     $valuearray = @()
@@ -244,16 +245,16 @@ function Get-VNetFlowLogReadBlock  {
     $index = 0
 
     # Loop through each block in the block list
-    for($i=0; $i -lt $blocklistResult.count; $i++)
+    for($i=0; $i -lt $blocklist.count; $i++)
     {
         # Create a byte array object to story the bytes from the block
         $downloadArray = New-Object -TypeName byte[] -ArgumentList $maxvalue
 
         # Download the data into the ByteArray, starting with the current index, for the number of bytes in the current block. Index is increased by 3 when reading to remove preceding comma.
-        $CloudBlockBlob.DownloadRangeToByteArray($downloadArray,0,$index, $($blockListResult[$i].Length)) | Out-Null
+        $CloudBlockBlob.DownloadRangeToByteArray($downloadArray,0,$index, $($blockList[$i].Length)) | Out-Null
 
         # Increment the index by adding the current block length to the previous index
-        $index = $index + $blockListResult[$i].Length
+        $index = $index + $blockList[$i].Length
 
         # Retrieve the string from the byte array
 
@@ -265,8 +266,7 @@ function Get-VNetFlowLogReadBlock  {
     #Return the Array
     $valuearray
 }
-
-$valuearray = Get-VNetFlowLogReadBlock -blockList $blockList -CloudBlockBlob $CloudBlockBlob
+$valuearray = Get-NSGFlowLogReadBlock -blockList $blockList -CloudBlockBlob $CloudBlockBlob
 ```
 
 ---
@@ -275,6 +275,50 @@ The `$valuearray` array contains now the string value of each block. To verify t
 
 The results of this value are shown in the following example:
 
+# [**Virtual network flow logs**](#tab/vnet)
+
+```json
+{
+    "time": "2023-07-09T03:59:30.2837112Z",
+    "flowLogVersion": 4,
+    "flowLogGUID": "abcdef01-2345-6789-0abc-def012345678",
+    "macAddress": "0022485D8CF8",
+    "category": "FlowLogFlowEvent",
+    "flowLogResourceID": "/SUBSCRIPTIONS/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/RESOURCEGROUPS/NETWORKWATCHERRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKWATCHERS/NETWORKWATCHER_EASTUS/FLOWLOGS/MYVNET-MYRESOURCEGROUP-FLOWLOG",
+    "targetResourceID": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVNet",
+    "operationName": "FlowLogFlowEvent",
+    "flowRecords": {
+        "flows": [
+            {
+                "aclID": "00000000-1234-abcd-ef00-c1c2c3c4c5c6",
+                "flowGroups": [
+                    {
+                        "rule": "BlockHighRiskTCPPortsFromInternet",
+                        "flowTuples": [
+                            "1688875131557,45.119.212.87,192.168.0.4,53018,3389,6,I,D,NX,0,0,0,0"
+                        ]
+                    },
+                    {
+                        "rule": "Internet",
+                        "flowTuples": [
+                            "1688875103311,35.203.210.145,192.168.0.4,56688,52113,6,I,D,NX,0,0,0,0",
+                            "1688875119073,162.216.150.87,192.168.0.4,50111,9920,6,I,D,NX,0,0,0,0",
+                            "1688875119910,205.210.31.253,192.168.0.4,54699,1801,6,I,D,NX,0,0,0,0",
+                            "1688875121510,35.203.210.49,192.168.0.4,49250,33013,6,I,D,NX,0,0,0,0",
+                            "1688875121684,162.216.149.206,192.168.0.4,49776,1290,6,I,D,NX,0,0,0,0",
+                            "1688875124012,91.148.190.134,192.168.0.4,57963,40544,6,I,D,NX,0,0,0,0",
+                            "1688875138568,35.203.211.204,192.168.0.4,51309,46956,6,I,D,NX,0,0,0,0",
+                            "1688875142490,205.210.31.18,192.168.0.4,54140,30303,6,I,D,NX,0,0,0,0",
+                            "1688875147864,194.26.135.247,192.168.0.4,53583,20232,6,I,D,NX,0,0,0,0"
+                        ]
+                    }
+                ]
+            }
+        ]
+    }
+}
+```
+
 # [**Network security group flow logs**](#tab/nsg)
 
 ```json
@@ -336,50 +380,6 @@ The results of this value are shown in the following example:
 }
 ```
 
-# [**Virtual network flow logs**](#tab/vnet)
-
-```json
-{
-    "time": "2023-07-09T03:59:30.2837112Z",
-    "flowLogVersion": 4,
-    "flowLogGUID": "abcdef01-2345-6789-0abc-def012345678",
-    "macAddress": "0022485D8CF8",
-    "category": "FlowLogFlowEvent",
-    "flowLogResourceID": "/SUBSCRIPTIONS/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/RESOURCEGROUPS/NETWORKWATCHERRG/PROVIDERS/MICROSOFT.NETWORK/NETWORKWATCHERS/NETWORKWATCHER_EASTUS/FLOWLOGS/MYVNET-MYRESOURCEGROUP-FLOWLOG",
-    "targetResourceID": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVNet",
-    "operationName": "FlowLogFlowEvent",
-    "flowRecords": {
-        "flows": [
-            {
-                "aclID": "00000000-1234-abcd-ef00-c1c2c3c4c5c6",
-                "flowGroups": [
-                    {
-                        "rule": "BlockHighRiskTCPPortsFromInternet",
-                        "flowTuples": [
-                            "1688875131557,45.119.212.87,192.168.0.4,53018,3389,6,I,D,NX,0,0,0,0"
-                        ]
-                    },
-                    {
-                        "rule": "Internet",
-                        "flowTuples": [
-                            "1688875103311,35.203.210.145,192.168.0.4,56688,52113,6,I,D,NX,0,0,0,0",
-                            "1688875119073,162.216.150.87,192.168.0.4,50111,9920,6,I,D,NX,0,0,0,0",
-                            "1688875119910,205.210.31.253,192.168.0.4,54699,1801,6,I,D,NX,0,0,0,0",
-                            "1688875121510,35.203.210.49,192.168.0.4,49250,33013,6,I,D,NX,0,0,0,0",
-                            "1688875121684,162.216.149.206,192.168.0.4,49776,1290,6,I,D,NX,0,0,0,0",
-                            "1688875124012,91.148.190.134,192.168.0.4,57963,40544,6,I,D,NX,0,0,0,0",
-                            "1688875138568,35.203.211.204,192.168.0.4,51309,46956,6,I,D,NX,0,0,0,0",
-                            "1688875142490,205.210.31.18,192.168.0.4,54140,30303,6,I,D,NX,0,0,0,0",
-                            "1688875147864,194.26.135.247,192.168.0.4,53583,20232,6,I,D,NX,0,0,0,0"
-                        ]
-                    }
-                ]
-            }
-        ]
-    }
-}
-```
-
 ---
 
 ## Related content
