---
title: "Flow/Firewall Log Collection"
slug: "flow-firewall-log-collection"
description: "Learn to set up Azure flow and firewall logs for effective network monitoring and analytics with Kentik, enhancing your Azure VNet security and visibility."
updated: 2026-04-29T14:07:52Z
published: 2026-04-29T14:07:52Z
stale: true
---

# Flow/Firewall Log Collection

This article covers how to set up Azure flow and firewall logs in [**Kentik**](/v1/docs/kentik-for-azure).

## Azure Flow Log Collection

Kentik supports [**Azure flow logs**](https://learn.microsoft.com/en-us/azure/network-watcher/vnet-flow-logs-overview), allowing network traffic data from Azure to be integrated with other sources for visualization, monitoring, alerting, and analytics in the Kentik portal.

![Diagram illustrating a hybrid network architecture with various subnets and gateways.](https://cdn.us.document360.io/082e25b5-afce-42d4-8f47-70bd3f1d02b7/Images/Documentation/Azure-Hybrid_Cloud-299h674w.png)

*An example hybrid network architecture with on-prem and an Azure VNet.*

**Key Points**:

- **Flow Logging Service**:
  - Provided by Azure Monitor under the namespace `Microsoft.Insights`.
  - Flow logs are generated by VNets or NSGs in your Azure subscription.
  - Logs capture ingress and egress traffic and are structured in JSON format (see Azure docs on [**Log format**](https://learn.microsoft.com/en-us/azure/network-watcher/vnet-flow-logs-overview#log-format)).
- **Log Export Process**:
  - Logs are not consumed directly from resources. Instead, they are exported to a storage account that aggregates logs from NSGs/VNets in the same location and resource group.
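
The following is an added example, not Kentik's or Microsoft's code: a minimal parser for an exported VNet flow log blob that counts denied inbound flows per source IP and destination port. The tuple field order follows the Azure log-format documentation linked above; the dictionary key names and the sample blob are constructed for illustration.

```python
import json
from collections import Counter

# Tuple field order as given in the Azure VNet flow log format documentation.
# The key names themselves are labels chosen for this example.
FIELDS = ("ts_ms", "src_ip", "dst_ip", "src_port", "dst_port", "proto",
          "direction", "state", "encryption",
          "pkts_sent", "bytes_sent", "pkts_recv", "bytes_recv")

# Constructed sample blob: documentation-range IPs, placeholder IDs.
SAMPLE_BLOB = json.dumps({"records": [{
    "time": "2024-01-01T00:01:00.0000000Z",
    "flowLogVersion": 4,
    "flowRecords": {"flows": [{
        "aclID": "constructed-acl-id",
        "flowGroups": [
            {"rule": "DefaultRule_AllowInternetOutBound", "flowTuples": [
                "1704067200000,10.0.0.4,198.51.100.7,50432,443,6,O,B,NX,0,0,0,0",
                "1704067205000,10.0.0.4,198.51.100.7,50432,443,6,O,E,NX,12,1840,10,9120"]},
            {"rule": "DefaultRule_DenyAllInBound", "flowTuples": [
                "1704067201000,203.0.113.9,10.0.0.4,41000,22,6,I,D,NX,0,0,0,0",
                "1704067202000,203.0.113.9,10.0.0.4,41001,3389,6,I,D,NX,0,0,0,0",
                "1704067203000,203.0.113.9,10.0.0.4,41002,22,6,I,D,NX,0,0,0,0",
                "1704067204000,203.0.113.9,10.0.0.4,41003,22,6,I,D"]},  # truncated
        ]}]}}]})

def iter_flows(blob):
    """Yield one dict per well-formed flow tuple, tagged with its rule name."""
    for record in json.loads(blob).get("records", []):
        for flow in record.get("flowRecords", {}).get("flows", []):
            for group in flow.get("flowGroups", []):
                for raw in group.get("flowTuples", []):
                    parts = raw.split(",")
                    if len(parts) != len(FIELDS):
                        continue  # truncated or unknown layout: skip, don't guess
                    yield dict(zip(FIELDS, parts), rule=group.get("rule", ""))

def denied_inbound(blob):
    """Count denied inbound flows per (source IP, destination port)."""
    hits = Counter()
    for f in iter_flows(blob):
        # State "D" marks a denied flow; direction "I" marks inbound traffic.
        if f["state"] == "D" and f["direction"] == "I":
            hits[(f["src_ip"], int(f["dst_port"]))] += 1
    return hits

if __name__ == "__main__":
    for (src, port), n in denied_inbound(SAMPLE_BLOB).most_common():
        print(f"{src} -> port {port}: {n} denied")
```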

### NSG Flow Logs vs. VNet Flow Logs

Azure supports the collection of both VNet flow logs and NSG flow logs, which compare as follows:

- **NSG Flow Logs**: Capture IP traffic flowing through an NSG.
  - NSGs are used to filter network traffic to and from Azure resources in a virtual network.
  - NSG flow logs provide detailed information about each flow, including source and destination IP addresses, ports, protocol, and whether the traffic was allowed or denied by the NSG rule.
  - Offer granular visibility at the NSG level, useful for understanding security group efficacy and troubleshooting access issues for specific subnets or VMs.
- **VNet Flow Logs**: Capture traffic entering and leaving the VNet.
  - Ideal when managing complex network topologies with many NSGs.
  - Simplify troubleshooting and security monitoring for the entire virtual network.

> [!TIP]
> Kentik recommends following Microsoft’s guidance to use VNet flow logs instead of NSG flow logs going forward (see [**Microsoft's flow logging recommendation**](https://learn.microsoft.com/en-us/azure/network-watcher/nsg-flow-logs-overview?tabs=Americas)).

### Azure Flow Log Retention

Managing the retention of Azure flow logs is crucial for minimizing cloud storage costs. Here’s how retention is handled:

- **Retention Setting**: Determines how long each log is kept after creation. It can be configured in two ways:
  - **Via Script (Recommended)**:
    - Default retention is set to two days.
    - Modify the retention duration in the script as described in step #4 of [**Generate PowerShell Script**](/v1/docs/automated-configuration-powershell#generate-powershell-script).
  - **Manual Configuration**: Adjust the **Retention** setting in Azure’s **Flow logs settings** dialog.
- **Retention Range**:
  - Specified as an integer in whole days.
  - Valid range is from 1 to 365 days.

### Enable VNet/NSG Flow Log Export

To enable VNet or NSG flow log export to a storage account, follow these steps:

1. Enable the [**Network Watcher**](/v1/docs/automated-configuration-powershell#azure-script-operations) service in the region where your resources reside:
   1. In the [**Azure Portal**](https://portal.azure.com/), search for and select **Network Watcher**.
   2. Ensure the status for your target region is **Enabled**.
2. Configure the flow logs:
   1. In the Network Watcher menu, select **Flow logs**.
   2. Click **+ Create** to set up a new flow log.
   3. For **Target Resource**, select the VNet or NSG you wish to monitor.
   4. Select the **Storage account** you will use for Kentik.
   5. Finalize the setting to begin the export.

## Azure Firewall Log Collection

In addition to VNet and NSG flow logs, Kentik supports the ingestion of Azure Firewall logs to provide deeper visibility into application and network-level security events.

> [!NOTE]
> - Firewall logs must be sent to the **same storage account** used for your VNet flow logs.
> - In addition to the Azure docs linked below, see the process steps in [**Enable Firewall Log Export**](/v1/docs/flow-firewall-log-collection#enable-firewall-log-export).

### Supported Firewall Log Types

Kentik can process the following Azure Firewall log types (click a type to view the related Azure doc):

- [**azfwapplicationrule**](https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azfwapplicationrule): Logs for application rules associated with a firewall.
- [**azfwnetworkrule**](https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azfwnetworkrule): Logs for network rules associated with a firewall.
- [**Legacy Azure diagnostics logs**](https://learn.microsoft.com/en-us/azure/azure-monitor/reference/supported-logs/microsoft-network-azurefirewalls-logs): Includes support for `AzureFirewallNetworkRule` and `AzureFirewallApplicationRule`.

### Enable Firewall Log Export

To enable Azure Firewall log export to the **same storage account** used for your VNet/NSG flow logs, follow these steps:

1. Create a diagnostic setting for one or more log categories:
   1. In the [**Azure Portal**](https://portal.azure.com/), navigate to your Azure Firewall resource.
   2. In the left-hand menu under Monitoring, select **Diagnostic settings**.
   3. Click **+ Add diagnostic setting**.
   4. In the Log categories section, select one or more of the following:
      - **azfwapplicationrule**: For application-level filtering logs.
      - **azfwnetworkrule**: For network-level filtering logs.
      - **AzureFirewallNetworkRule** / **AzureFirewallApplicationRule**: If using legacy log formats.
   5. Under Destination details, check the box for **Archive to a storage account**.
   6. Select the **Subscription** and the specific **Storage account** that Kentik is configured to monitor.
