Home / Network Security / Fix Azure NSG Flow Logs Not Capturing

Network Security

Fix Azure NSG Flow Logs Not Capturing

Resolve Azure NSG flow log capture issues by checking storage account configuration, Network Watcher status, and flow log settings.

Published: Apr 2, 20266 min readBy FixWikiHub Editorial Team

Abstract illustration for a troubleshooting knowledge base category.

Introduction

Azure NSG flow logs provide visibility into network traffic through Network Security Groups. When flow logs stop capturing, you lose network visibility for security analysis, troubleshooting, and compliance auditing.

Symptoms

No flow logs in storage:

```bash $ az storage blob list \ --account-name mystorageaccount \ --container-name insights-logs-networksecuritygroupflowevent \ --query '[].name'

# Empty or missing recent logs ```

Flow log status disabled:

```bash $ az network watcher flow-log show \ --resource-group my-rg \ --nsg my-nsg

# Returns empty or "enabled: false" ```

Network Watcher not found:

```bash $ az network watcher show --location eastus

"ResourceNotFound" : "The resource 'NetworkWatcher' could not be found" ```

Common Causes

1.Network Watcher not enabled - Service not provisioned in region
2.Flow logs disabled - Feature turned off for NSG
3.Storage account issues - Deleted, inaccessible, or misconfigured
4.Insufficient permissions - Network Watcher can't write to storage
5.Retention policy deleted logs - Logs expired and removed
6.Traffic Analytics disabled - Required for enrichment
7.NSG not attached - No NSG on subnet or NIC

Step-by-Step Fix

1.Check logs for specific error messages
2.Verify configuration settings
3.Test network connectivity
4.Review recent changes
5.Apply corrective action
6.Verify the fix

Step 1: Check Network Watcher Status

```bash # Check if Network Watcher exists in region az network watcher list --query '[].{Name:name,Location:location}'

# Create Network Watcher if missing az network watcher create \ --resource-group NetworkWatcherRG \ --location eastus \ --name NetworkWatcher_eastus ```

Step 2: Check Flow Log Configuration

```bash # Show flow log configuration for NSG az network watcher flow-log show \ --location eastus \ --nsg my-nsg \ --query '{Enabled:enabled,Storage:storageId,Retention:retentionPolicy}'

# List all flow logs az network watcher flow-log list --location eastus ```

Step 3: Enable Flow Logs

```bash # Enable flow logs for NSG az network watcher flow-log configure \ --location eastus \ --nsg my-nsg \ --enabled true \ --storage-account mystorageaccount \ --retention 90 \ --format JSON

# Enable with Traffic Analytics az network watcher flow-log configure \ --location eastus \ --nsg my-nsg \ --enabled true \ --storage-account mystorageaccount \ --retention 90 \ --traffic-analytics true \ --workspace /subscriptions/SUB/resourcegroups/my-rg/providers/microsoft.operationalinsights/workspaces/my-workspace ```

Step 4: Verify Storage Account

```bash # Check storage account exists az storage account show \ --name mystorageaccount \ --resource-group my-rg \ --query '{Name:name,Status:provisioningState,Kind:kind}'

# Check storage account firewall az storage account show \ --name mystorageaccount \ --resource-group my-rg \ --query 'networkAcls'

# Allow Azure services if firewall enabled az storage account update \ --name mystorageaccount \ --resource-group my-rg \ --bypass AzureServices ```

Step 5: Check Storage Account Permissions

```bash # Network Watcher needs Microsoft.Storage/storageAccounts/listKeys/action # This is typically handled automatically, but verify:

# Get Network Watcher resource ID NETWORK_WATCHER_ID=$(az network watcher show --location eastus --query id -o tsv)

# Check role assignments az role assignment list \ --assignee $NETWORK_WATCHER_ID \ --scope /subscriptions/SUB/resourceGroups/my-rg/providers/Microsoft.Storage/storageAccounts/mystorageaccount

# If missing, assign Storage Blob Data Contributor az role assignment create \ --assignee $NETWORK_WATCHER_ID \ --role "Storage Blob Data Contributor" \ --scope /subscriptions/SUB/resourceGroups/my-rg/providers/Microsoft.Storage/storageAccounts/mystorageaccount ```

Step 6: Verify Flow Log Container

```bash # Check container exists az storage container show \ --account-name mystorageaccount \ --name insights-logs-networksecuritygroupflowevent \ --query '{Name:name,PublicAccess:publicAccess}'

# Create container if missing az storage container create \ --account-name mystorageaccount \ --name insights-logs-networksecuritygroupflowevent ```

Step 7: Test Flow Log Capture

```bash # Generate traffic through NSG # From a VM in the subnet: ping 8.8.8.8 curl https://example.com

# Wait 5-10 minutes for logs to appear sleep 600

# Check for new logs az storage blob list \ --account-name mystorageaccount \ --container-name insights-logs-networksecuritygroupflowevent \ --query "[?contains(name, '$(date -u +%Y/%m/%d)')].name" \ --output tsv ```

Step 8: Check NSG Association

```bash # Verify NSG is attached to subnet or NIC az network nsg show \ --name my-nsg \ --resource-group my-rg \ --query '{Subnets:subnets,NetworkInterfaces:networkInterfaces}'

# If empty, attach NSG to subnet az network vnet subnet update \ --vnet-name my-vnet \ --name my-subnet \ --resource-group my-rg \ --network-security-group my-nsg ```

Step 9: Enable Traffic Analytics

bash

# Traffic Analytics provides enriched flow data
az network watcher flow-log configure \
  --location eastus \
  --nsg my-nsg \
  --enabled true \
  --storage-account mystorageaccount \
  --retention 90 \
  --traffic-analytics true \
  --workspace /subscriptions/SUB/resourcegroups/my-rg/providers/microsoft.operationalinsights/workspaces/my-workspace \
  --interval 10  # Process every 10 minutes

Step 10: Monitor Flow Log Health

```bash # Set up alert for flow log failures az monitor metrics alert create \ --name nsg-flow-log-health \ --resource-group my-rg \ --scopes /subscriptions/SUB/resourceGroups/my-rg/providers/Microsoft.Network/networkSecurityGroups/my-nsg \ --condition "avg FlowLogCount < 1" \ --window-size 1h

NSG Flow Log Structure

bash

storage-account/
  insights-logs-networksecuritygroupflowevent/
    resourceId=/SUBSCRIPTIONS/.../RESOURCEGROUPS/.../PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/my-nsg/
      y=2024/
        m=01/
          d=15/
            h=10/
              m=00/
                PT1H.json

Verification

```bash # After enabling flow logs # Check configuration az network watcher flow-log show \ --location eastus \ --nsg my-nsg \ --query '{Enabled:enabled,Storage:storageId,Retention:retentionPolicy.days,Format:format.type}'

# Should show: # Enabled: true # Retention: 90

# Generate test traffic and verify logs appear az storage blob list \ --account-name mystorageaccount \ --container-name insights-logs-networksecuritygroupflowevent \ --query "reverse(sort_by([], &properties.lastModified))[0:5].name"

# Should show recent flow log files ```

[Fix Azure Network Security Group Blocking Traffic](/articles/fix-aws-security-group-blocking)
[Fix Azure Storage Account Inaccessible](/articles/fix-azure-storage-account-inaccessible)
[Fix Azure Traffic Analytics Not Working](/articles/fix-azure-traffic-analytics-not-working)

[Technical troubleshooting: Fix Certificate Chain Incomplete SSL Validation Is](certificate-chain-incomplete-ssl-validation)
[Fix Ddos Attack Mitigation Waf Rate Limiting Issue in Network Security](ddos-attack-mitigation-waf-rate-limiting)
[Fix DNS Hijacking Spoofing Attack Issue in Network Security](dns-hijacking-spoofing-attack)
[Fix firewall iptables rules not persisting across reboot Issue in Network-Security](firewall-iptables-rules-not-persisting-across-reboot)
[Fix firewall rule blocking legitimate traffic Issue in Network-Security](firewall-rule-blocking-legitimate-traffic)

Was this guide helpful?

Related search paths

People also search for

If the symptom is close but not identical, these search paths usually surface the right neighboring fixes faster than scrolling the full archive.

Azure NSG Flow Logs Not Capturing Azure NSG Flow Logs Not Capturing Network Security Azure NSG Flow Logs Not Capturing troubleshooting Azure NSG Flow Logs Not Capturing fix Resolve Azure NSG flow log capture issues by checking storage account configuration, Network Watcher status, and flow log settings Network Security Resolve Azure NSG flow log capture issues by checking storage account configuration, Network Watcher status, and flow log settings

Explore Related Topics

Browse Guides from Other Categories

Discover troubleshooting guides from related categories to expand your knowledge.

FAQ

Network Security Troubleshooting FAQs

Common questions about troubleshooting and preventing similar issues

How do I know if this network-security troubleshooting guide applies to my situation?

This guide is designed for network-security issues. If you're experiencing similar symptoms described in the article, follow the step-by-step instructions. Start with the most common causes and work through the diagnostic process.

Is it safe to follow these network-security troubleshooting steps?

Yes, all steps are designed to be safe and non-destructive. We recommend creating backups before making significant changes and testing each step before proceeding to the next.

How long does it typically take to resolve this type of network-security issue?

Most network-security issues can be resolved within 30 minutes to 2 hours, depending on the complexity and root cause. Follow the troubleshooting flow to identify and fix the problem efficiently.

How can I prevent this network-security issue from happening again?

Regular maintenance, monitoring, and following best practices for network-security configuration can help prevent recurrence. Consider implementing automated checks and alerts for early detection.

Written by

FixWikiHub Editorial Team

Our editorial team consists of experienced DevOps engineers, systems administrators, and cloud architects with hands-on experience in production environments across AWS, Azure, GCP, and on-premises infrastructure.

Every guide undergoes technical review for accuracy and is updated when software versions, commands, or best practices change.

Last updated: Apr 2, 2026

About our team

Important Notice

Disclaimer & Safety Guidelines

The troubleshooting steps in this guide are provided for educational and informational purposes. Before applying any changes to production systems:

Test in a staging environment first — Always verify commands and configurations in a non-production environment before deploying to live systems.
Create backups — Ensure you have current backups of databases, configurations, and critical files before making changes.
Understand the impact — Review how each step may affect your specific environment, dependencies, and users.
Consult official documentation — This guide supplements, but does not replace, official vendor documentation and best practices.

FixWikiHub is not responsible for any damages arising from the use of this content. See our Terms of Use for more information.

Resources

Official Documentation & Further Reading

For authoritative information, consult the official documentation for the technologies discussed in this guide. Our troubleshooting content supplements, but does not replace, vendor documentation.

AWS Documentation — Official Amazon Web Services guides and API references
Kubernetes Documentation — Official Kubernetes documentation
Nginx Documentation — Official Nginx web server documentation
Apache Documentation — Official Apache HTTP Server documentation
Docker Documentation — Official Docker container documentation