Configure Hit Counters
Storage retention via diagnostic settings is being deprecated and new rules can no longer be configured. To maintain your existing retention rules, Microsoft recommends migrating to Azure Storage Lifecycle Management by September 30, 2025.
On September 30, 2027, network security group (NSG) flow logs will be retired. As part of this retirement, you'll no longer be able to create new NSG flow logs starting June 30, 2025. Microsoft recommends migrating to virtual network flow logs.
Permissions needed for the roles
- General role: Reader to view existing Azure resources
- Storage role: Storage Blob Data Reader
- Storage Account: Reader and Data Access
- Microsoft.Storage/storageAccounts/listKeys/action
Using the Azure portal
- Log on to the Microsoft Azure portal.
- In the search box, type “network security groups” and select Network security groups from the search results.
- Select the NSG for which you want to enable logging.
- In Monitoring, select Diagnostic settings.
- Click Add diagnostic setting:
  - Enter a name for the diagnostic setting (e.g., “myNsgDiagnostic”).
  - For Logs, select either allLogs or select individual categories of logs (such as Event and Rule counter).
  - In Destination details, select Archive to a storage account.
  - Configure the storage account where you want to store the logs.
- Click Save.
Using Azure PowerShell
- Use the Azure Az PowerShell module to interact with Azure.
- Run the following commands (you can use Azure Cloud Shell or install the Azure PowerShell module on your computer):

# Sign in to Azure (if not already done)
Connect-AzAccount
# Enable resource logging for the NSG and archive it to a storage account (replace the {placeholders} with your own values).
# The -Category values are the NSG log category identifiers, not the display names shown in the portal.
Set-AzDiagnosticSetting -ResourceId "/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.Network/networkSecurityGroups/{nsg-name}" `
    -Name "myNsgDiagnostic" -Enabled $true -Category "NetworkSecurityGroupEvent", "NetworkSecurityGroupRuleCounter" `
    -StorageAccountId "/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.Storage/storageAccounts/{storage-account-name}"
Create Azure NSG
To create an Azure Network Security Group (NSG) flow log using the Azure portal, follow these steps.
Prerequisites
- You’ll need an Azure account with an active subscription. If you don’t have one, you can create an account for free.
- Ensure that the Microsoft.Insights resource provider is registered. If not, follow these steps:
  - In the Azure portal, search for “subscriptions.”
  - Select Subscriptions from the search results.
  - Choose the Azure subscription you want to enable the provider for.
  - In Settings, select Resource providers.
  - Filter by typing insight in the field box.
  - Confirm that the status of the provider displayed is Registered. If not, select the Microsoft.Insights provider and click Register.
Create an NSG Flow Log
- Log on to the Azure portal.
- In the search box, type “network watcher” and select Network Watcher from the search results.
- In Logs, select Flow logs.
- Click + Create or the Create flow log button.
- Configure the following settings:
  - Project details:
    - Subscription: Select the Azure subscription of the network security group (NSG) that you want to log.
    - Network security group: Choose your NSG (e.g., “myNSG”).
    - Flow Log Name: Enter a name for the flow log (or leave the default).
  - Instance details:
    - Subscription: Select the Azure subscription of your storage account.
    - Storage Accounts: Choose the storage account where you want to save the flow logs. You can also create a new storage account.
    - Retention (days): Set a retention time for the logs (enter 0 to retain data indefinitely).
- Once you’ve configured the settings, click Create.
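The same procedure, scripted with the Az PowerShell module so that the Microsoft.Insights prerequisite is checked and the resulting flow log is verified; this is an added example, not code from the original page. The resource group, NSG, storage account, flow log name and retention value are assumed placeholders.

```powershell
# Added example (not from the original page): create an NSG flow log with Az PowerShell.
# Assumed values for illustration; replace them with your own.
$ResourceGroup  = "myResourceGroup"   # resource group holding the NSG and the storage account
$NsgName        = "myNSG"
$StorageAccount = "mynsgflowlogs"
$FlowLogName    = "myNSG-flowlog"
$RetentionDays  = 30                  # 0 = retain indefinitely, as in the portal

# Sign in if there is no current Azure context.
if (-not (Get-AzContext)) { Connect-AzAccount | Out-Null }

# Prerequisite: the Microsoft.Insights provider must be registered in the subscription.
$insights = Get-AzResourceProvider -ProviderNamespace Microsoft.Insights
if ($insights.RegistrationState -notcontains "Registered") {
    Write-Host "Registering the Microsoft.Insights resource provider..."
    Register-AzResourceProvider -ProviderNamespace Microsoft.Insights | Out-Null
}

# Resolve the NSG to log and the storage account that will receive the logs.
$nsg = Get-AzNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroup
$sa  = Get-AzStorageAccount -Name $StorageAccount -ResourceGroupName $ResourceGroup

# Flow logs belong to the Network Watcher instance of the NSG's region.
$watcher = Get-AzNetworkWatcher -Location $nsg.Location

# Create (or update) the flow log. Retention is enabled only when a positive number of days is set.
New-AzNetworkWatcherFlowLog -NetworkWatcher $watcher `
    -Name $FlowLogName `
    -TargetResourceId $nsg.Id `
    -StorageId $sa.Id `
    -Enabled $true `
    -EnableRetention ($RetentionDays -gt 0) `
    -RetentionPolicyDays $RetentionDays `
    -FormatVersion 2 | Out-Null

# Verify: the flow log should be enabled and point at the expected NSG and storage account.
$check = Get-AzNetworkWatcherFlowLog -NetworkWatcher $watcher -Name $FlowLogName
if ($check.Enabled -and $check.TargetResourceId -eq $nsg.Id -and $check.StorageId -eq $sa.Id) {
    Write-Host "Flow log '$FlowLogName' is enabled for $($nsg.Name); logs are written to $($sa.StorageAccountName)."
} else {
    Write-Warning "Flow log '$FlowLogName' is not configured as expected; review the settings."
}
```

The account running the script needs the permissions listed above (including Storage Blob Data Reader and listKeys on the storage account) for the flow log to be written and read back.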
Learn more
To learn about NSG flow logs, review this Microsoft documentation:
https://learn.microsoft.com/en-us/azure/network-watcher/nsg-flow-logs-overview?tabs=Americas
To learn about adding custom roles to the Azure app registration, review this Microsoft documentation:
https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles