Closed maniaX1 closed 3 years ago
Hi @maniaX1 ,
actually the variable "flowLogs" inventories the NSGs with Flow Logs AND Traffic Analytics. It will switch to 1 when both options are enabled.
You can check that with the following "Azure Resource Graph Explorer" command; it will output all NSGs with Flow Logs & Traffic Analytics:

```kusto
Resources
| where type =~ 'Microsoft.Network/networkWatchers/flowlogs'
| extend provisioningState = parse_json(properties).provisioningState
| extend workspaceResourceId = tostring(parse_json(parse_json(parse_json(properties).flowAnalyticsConfiguration).networkWatcherFlowAnalyticsConfiguration).workspaceResourceId)
| extend targetResourceId = tostring(parse_json(properties).targetResourceId)
| where workspaceResourceId != "" and provisioningState == "Succeeded"
| project ["NSG with Traffic Analytics"]=targetResourceId
```
Yep @JamesDLD, you are correct, but it would be great to have one more column there with Flow Logs, since you can enable just Flow Logs and Traffic Analytics can still be disabled. I am trying to figure it out, but without success :-(
@maniaX1 just merged @JamesDLD pull request, should be fixed now.
Thank you for the feedback @maniaX1 !
We now have both info, Flow Logs & Traffic Analytics
You are welcome @JamesDLD. Thanks for the modification, now it looks perfect!
Don't we have the possibility of this in the dashboard, @scautomation @maniaX1?
Hello Billy, I tried this workbook and it is really cool!! When I tested all the possibilities, I noticed that in Network/Network Details there was an error on the NSG tab:
The reason was that I hadn't configured any Flow Logs yet in my LAB environment.
After I enabled Flow Logs on some NSGs, a record in "microsoft.network/networkwatchers/flowlogs" was created and everything started to work. But anyway, the first time there was an error. I just wondered about it and tried to change the original queries to also display the Flow Logs status, but without any luck :-(
Queries I used:
```kusto
Resources
| where type =~ 'Microsoft.Network/networkWatchers/flowlogs'
| extend provisioningState = parse_json(properties).provisioningState
| extend status = parse_json(properties).enabled
| extend workspaceResourceId = tostring(parse_json(parse_json(parse_json(properties).flowAnalyticsConfiguration).networkWatcherFlowAnalyticsConfiguration).workspaceResourceId)
| extend targetResourceId = iff(notempty(workspaceResourceId) and provisioningState == "Succeeded" and status == "true", tostring(parse_json(properties).targetResourceId), "null" )
| distinct targetResourceId
```

```kusto
Resources
| where type =~ 'microsoft.network/networksecuritygroups'
| extend traficAnalysis = id in~ ({nsgWithflowLogs})
| extend flowLogs = properties.status in~ ({nsgWithflowLogs})
| project subscriptionId, ['Resource group'] = strcat('/subscriptions/', subscriptionId, '/resourceGroups/', resourceGroup), ['Network Security Group'] = id, ["Location"]=location, ["Flow Logs"]=flowLogs, ["Traffic Analytics"]=traficAnalysis
```
But the result is this one:

![image](https://user-images.githubusercontent.com/33328622/102238439-0fa0b780-3ef6-11eb-8835-790d68339e98.png)
There should be true instead of zeroes. Any idea? Thank you!
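
One way to report Flow Logs and Traffic Analytics as two separate columns in a single Azure Resource Graph query. This is an added example, not the workbook's own query and not the change merged in this thread. It assumes one flow log resource per NSG; the `networkWatcherFlowAnalyticsConfiguration.enabled` property comes from the ARM flow log schema rather than from the queries posted above, and the intermediate column names are made up for the example.

```kusto
// Added example: one row per NSG, with independent Flow Logs / Traffic Analytics flags.
Resources
| where type =~ 'microsoft.network/networksecuritygroups'
// Resource IDs can differ in casing between resources, so normalise before joining.
| project subscriptionId, resourceGroup, location, nsgId = tolower(id)
| join kind=leftouter (
    Resources
    | where type =~ 'microsoft.network/networkwatchers/flowlogs'
    | where tostring(properties.provisioningState) == 'Succeeded'
    | extend ta = properties.flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration
    | project nsgId = tolower(tostring(properties.targetResourceId)),
              flEnabled = tobool(properties.enabled),        // flow log switched on
              taEnabled = tobool(ta.enabled),                // Traffic Analytics switched on (ARM schema property)
              taWorkspace = tostring(ta.workspaceResourceId) // Log Analytics workspace attached
  ) on nsgId
// NSGs without any flow log resource come out of the left outer join with empty values,
// which is also the case when no flowlogs resource exists in the tenant at all; report them as false.
| extend flowLogs = iff(flEnabled == true, true, false)
| extend trafficAnalytics = iff(flowLogs and taEnabled == true and isnotempty(taWorkspace), true, false)
| project subscriptionId,
          ['Resource group'] = strcat('/subscriptions/', subscriptionId, '/resourceGroups/', resourceGroup),
          ['Network Security Group'] = nsgId,
          ['Location'] = location,
          ['Flow Logs'] = flowLogs,
          ['Traffic Analytics'] = trafficAnalytics
```

Rows where `Flow Logs` is false are the NSGs whose traffic is not being recorded at all; rows where only `Traffic Analytics` is false are logged to storage but not analysed in a workspace.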