Configuring Graylog to view Azure NSG flow logs

I’ve been trying to analyze Azure NSG Flow logs with Graylog as described in this MS document Analyze Azure network security group flow logs - Graylog | Microsoft Learn. I wasn’t able to view any logs so I decided to use version 4.3 of Graylog but I am unable to configure it like the document describes since there is no longer a logstash.conf file to configure to point to the Azure Storage account. Anyone been able to configure this?

Hello && welcome @hughesst

I have not, but…

From what I read, I think the logs are in JSON format. And this part here

This shows using Logstash to flatten the flow logs, which makes the logs easier to organize and search in Graylog. Since that also states to use GELF UDP, I’m wondering if you could use a GELF UDP Input with a JSON extractor, just an idea.
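To make the "flatten, then ship over GELF UDP" idea concrete, here is an added example that is not code from this thread, from Graylog, or from Microsoft. It parses a constructed NSG flow log document in the version 2 layout (each `flowTuples` entry is 13 comma-separated fields: timestamp, source/destination IP and port, protocol, direction, decision, flow state, then four traffic counters that are empty while the flow is in the "begin" state), turns each tuple into one GELF message with flat `_`-prefixed fields, and sends the messages to a GELF UDP input. `GRAYLOG_HOST`, `GRAYLOG_PORT`, the resource id and the IP addresses are placeholders I made up for the example.

```python
"""Flatten Azure NSG flow log (v2) records into GELF messages for a Graylog GELF UDP input.

Added example for this thread; not code from Graylog, Logstash or Microsoft.
GRAYLOG_HOST / GRAYLOG_PORT are placeholders for your own GELF UDP input.
"""
import json
import socket

GRAYLOG_HOST = "graylog.example.internal"  # placeholder, not a real host
GRAYLOG_PORT = 12201                        # default GELF UDP input port

# Constructed sample in the NSG flow log v2 layout: one record, one rule, two tuples.
# The first tuple is a denied inbound SSH attempt in "begin" state (counters empty);
# the second is an allowed outbound HTTPS flow in "end" state with byte/packet counts.
SAMPLE_NSG_LOG = json.dumps({
    "records": [{
        "time": "2022-09-01T10:15:00.0000000Z",
        "category": "NetworkSecurityGroupFlowEvent",
        "resourceId": "/SUBSCRIPTIONS/PLACEHOLDER/RESOURCEGROUPS/RG-EXAMPLE/PROVIDERS/"
                      "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-EXAMPLE",
        "properties": {
            "Version": 2,
            "flows": [{
                "rule": "DefaultRule_DenyAllInBound",
                "flows": [{
                    "mac": "000D3A000001",
                    "flowTuples": [
                        "1662027300,203.0.113.10,10.0.1.4,51000,22,T,I,D,B,,,,",
                        "1662027301,10.0.1.4,198.51.100.7,44000,443,T,O,A,E,12,2048,10,9000",
                    ],
                }],
            }],
        },
    }]
})

# Single-letter codes used inside a v2 flow tuple, expanded to readable values.
PROTOCOL = {"T": "TCP", "U": "UDP"}
DIRECTION = {"I": "inbound", "O": "outbound"}
DECISION = {"A": "allow", "D": "deny"}
FLOW_STATE = {"B": "begin", "C": "continuing", "E": "end"}
COUNTER_NAMES = ("packets_src_to_dst", "bytes_src_to_dst",
                 "packets_dst_to_src", "bytes_dst_to_src")


def parse_flow_tuple(tuple_str):
    """Split one 13-field v2 flow tuple into a flat dict of typed fields."""
    parts = tuple_str.split(",")
    if len(parts) != 13:
        raise ValueError(f"expected 13 comma-separated fields, got {len(parts)}: {tuple_str!r}")
    ts, src_ip, dst_ip, src_port, dst_port, proto, direction, decision, state, *counters = parts
    fields = {
        "flow_timestamp": int(ts),
        "src_ip": src_ip,
        "dst_ip": dst_ip,
        "src_port": int(src_port),
        "dst_port": int(dst_port),
        "protocol": PROTOCOL.get(proto, proto),
        "direction": DIRECTION.get(direction, direction),
        "decision": DECISION.get(decision, decision),
        "flow_state": FLOW_STATE.get(state, state),
    }
    # Counters are empty strings for "begin" flows; only emit them when present.
    for name, value in zip(COUNTER_NAMES, counters):
        if value:
            fields[name] = int(value)
    return fields


def flatten_nsg_log(raw_json):
    """Return one GELF 1.1 message dict per flow tuple found in the document."""
    messages = []
    for record in json.loads(raw_json)["records"]:
        for rule_block in record["properties"]["flows"]:
            for nic in rule_block["flows"]:
                for tup in nic["flowTuples"]:
                    f = parse_flow_tuple(tup)
                    gelf = {
                        "version": "1.1",
                        "host": "azure-nsg",
                        "short_message": (f"NSG {f['decision']} {f['direction']} {f['protocol']} "
                                          f"{f['src_ip']}:{f['src_port']} -> {f['dst_ip']}:{f['dst_port']} "
                                          f"({rule_block['rule']})"),
                        "timestamp": f["flow_timestamp"],
                        "level": 4 if f["decision"] == "deny" else 6,  # syslog warning vs info
                        "_nsg_rule": rule_block["rule"],
                        "_nsg_resource_id": record["resourceId"],
                        "_nic_mac": nic["mac"],
                    }
                    # GELF stores any "_name" key as an additional, searchable message field.
                    gelf.update({f"_{k}": v for k, v in f.items()})
                    messages.append(gelf)
    return messages


def send_gelf_udp(messages, host=GRAYLOG_HOST, port=GRAYLOG_PORT):
    """Send each message as one uncompressed GELF UDP datagram; returns the count sent."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sent = 0
    try:
        for msg in messages:
            # Flow messages are a few hundred bytes, well under the 8 KiB GELF chunking limit.
            sock.sendto(json.dumps(msg).encode("utf-8"), (host, port))
            sent += 1
    finally:
        sock.close()
    return sent


if __name__ == "__main__":
    for m in flatten_nsg_log(SAMPLE_NSG_LOG):
        print(json.dumps(m))
    # send_gelf_udp(flatten_nsg_log(SAMPLE_NSG_LOG), host="<your-graylog-host>")
```

Because the flattening happens before the message leaves the sender, the GELF input stores `_src_ip`, `_dst_port`, `_decision` and the rest as ordinary message fields and no JSON extractor is needed on the Graylog side; a stream rule on `decision: deny` or `dst_port: 22` then works directly. The function `send_gelf_udp` only runs when you point it at a real GELF UDP input, which is why the call is left commented out.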

Thanks gsmith,

With the previous configuration using Logstash, I could configure the logstash.conf file to point to the Azure storage account by giving it its name and key to access the logs. Is there a way to do the same with Graylog without using Logstash?

Hello,

I know there are some posts in here for that, but TBH I haven’t used Logstash since OpenDistro for Elasticsearch was around. You may be able to use Graylog Sidecar and/or perhaps the Input called Azure Event Hub.
