Honored Contributor

Azure NSG -> JSON Flex Connector?

Hi,

I have the following JSON Logs from Azure NSG

https://gist.github.com/dimitertodorov/4e5d823a6864358b6193131a8cc177a3

It appears that MS/HP has not quite yet created a parser definition for extracting data from that structure.

Could anyone help?

I am mainly interested in how I would break out the flowTuple objects into individual events.

Here is some info on how ElasticSearch handles it

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-visualize-nsg-flow-logs-open-source-tools

Thanks,

Dimiter
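The splitting asked about above, as an added example that is not from this thread, from the poster's gist, or from the nsg-parser project: it flattens each NSG flow log record into one event per flowTuple and renders each as a CEF line for SIEM ingestion. The sample record is constructed in the documented NSG flow log schema (version 1, with the version 2 flow-state field handled when present); the CEF vendor/product names and severity values are assumptions.

```python
import json

# Constructed sample record in the documented NSG flow log schema (version 1);
# it is not the poster's gist. Tuple order: time,src,dst,spt,dpt,proto,dir,decision
SAMPLE = json.dumps({"records": [{
    "time": "2017-02-16T22:00:32.0000000Z",
    "resourceId": "/SUBSCRIPTIONS/EXAMPLE/RESOURCEGROUPS/RG/PROVIDERS/"
                  "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-EXAMPLE",
    "properties": {"Version": 1, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856",
            "flowTuples": ["1487282421,198.51.100.7,10.1.0.4,51529,5358,T,I,D",
                           "1487282421,203.0.113.9,10.1.0.4,53788,3389,T,I,A"]}]},
        {"rule": "UserRule_AllowDnsOut", "flows": [{"mac": "000D3AF87856",
            "flowTuples": ["1487282423,10.1.0.4,10.0.0.53,44506,53,U,O,A"]}]}]}}]})

TUPLE_FIELDS = ("ts", "src", "dst", "spt", "dpt", "proto", "direction", "decision")
PROTO = {"T": "TCP", "U": "UDP"}
DIRECTION = {"I": "0", "O": "1"}          # CEF deviceDirection: 0 inbound, 1 outbound
ACTION = {"A": "allow", "D": "deny"}

def split_flow_tuples(raw):
    """Flatten records -> flows -> flows -> flowTuples into one dict per tuple."""
    events = []
    for rec in json.loads(raw)["records"]:
        props = rec["properties"]
        for rule in props["flows"]:
            for flow in rule["flows"]:
                for tup in flow["flowTuples"]:
                    parts = tup.split(",")
                    ev = dict(zip(TUPLE_FIELDS, parts[:8]))
                    if len(parts) > 8:            # version 2 appends flow state (B/C/E)
                        ev["state"] = parts[8]    # followed by packet/byte counters
                    ev.update(time=rec["time"], resourceId=rec["resourceId"],
                              rule=rule["rule"], mac=flow["mac"], version=props["Version"])
                    events.append(ev)
    return events

def to_cef(ev):
    """Render one flattened event as a CEF line (vendor/product/severity are assumed)."""
    header = "CEF:0|Microsoft|Azure NSG|%s|NSGFlow|NSG flow %s|%d|" % (
        ev["version"], ACTION[ev["decision"]], 5 if ev["decision"] == "D" else 3)
    ext = ["rt=%d" % (int(ev["ts"]) * 1000), "src=" + ev["src"], "dst=" + ev["dst"],
           "spt=" + ev["spt"], "dpt=" + ev["dpt"], "proto=" + PROTO[ev["proto"]],
           "deviceDirection=" + DIRECTION[ev["direction"]],
           "act=" + ACTION[ev["decision"]], "dvcmac=" + ev["mac"],
           "cs1Label=rule cs1=" + ev["rule"]]
    return header + " ".join(ext)
```

Calling `to_cef` on each item of `split_flow_tuples(SAMPLE)` yields three CEF lines, one per tuple, with the NSG rule name carried in cs1 so denied flows can be correlated back to the rule that dropped them.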

Regular Contributor

Hi Dimiter, I'm currently about to look into this as well. So, I'm also interested. How are you able to/or how do you plan to aggregate the data before the flexconnector can parse it?
Honored Contributor

I am trying to figure it out, but unfortunately, because each JSON object contains data for multiple CEF events, I don't know how I would do the splitting.
Regular Contributor

Dimiter, were you able to find a solution to this? I've been looking at this all week without any success.
Honored Contributor

So, I ended up writing my own parser to extract the logs.
Honored Contributor

So, I ended up writing my own parser to extract the logs.

See https://github.com/dimitertodorov/nsg-parser
