Flow Logs - Create Or Update
Create or update a flow log for the specified network security group.
PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkWatchers/{networkWatcherName}/flowLogs/{flowLogName}?api-version=2024-05-01
URI Parameters
Name | In | Required | Type | Description |
flowLogName | path | True | string | The name of the flow log. |
networkWatcherName | path | True | string | The name of the network watcher. |
resourceGroupName | path | True | string | The name of the resource group. |
subscriptionId | path | True | string | The subscription credentials which uniquely identify the Microsoft Azure subscription. The subscription ID forms part of the URI for every service call. |
api-version | query | True | string | Client API version. |
Request Body
Name | Required | Type | Description |
properties.storageId | True | string | ID of the storage account which is used to store the flow log. |
properties.targetResourceId | True | string | ID of network security group to which flow log will be applied. |
id | | string | Resource ID. |
identity | | | FlowLog resource Managed Identity |
location | | string | Resource location. |
properties.enabled | | boolean | Flag to enable/disable flow logging. |
properties.enabledFilteringCriteria | | string | Optional field to filter network traffic logs based on SrcIP, SrcPort, DstIP, DstPort, Protocol, Encryption, Direction and Action. If not specified, all network traffic will be logged. |
properties.flowAnalyticsConfiguration | | | Parameters that define the configuration of traffic analytics. |
properties.format | | | Parameters that define the flow log format. |
properties.retentionPolicy | | | Parameters that define the retention policy for flow log. |
tags | | object | Resource tags. |
Name | Type | Description |
200 OK | | Update successful. The operation returns the resulting flow log resource. |
201 Created | | Request successful. The operation returns the resulting flow log resource. |
Other Status Codes | | Error response describing why the operation failed. |
Azure Active Directory OAuth2 Flow.
Authorization URL:
Name | Description |
user_impersonation | impersonate your user account |
Create or update flow log
Sample request
PUT https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/networkWatchers/nw1/flowLogs/fl?api-version=2024-05-01
{
  "location": "centraluseuap",
  "properties": {
    "targetResourceId": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/networkSecurityGroups/desmondcentral-nsg",
    "storageId": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/nwtest1mgvbfmqsigdxe",
    "enabledFilteringCriteria": "srcIP= || dstPort=56891",
    "enabled": true,
    "format": {
      "type": "JSON",
      "version": 1
    }
  },
  "identity": {
    "type": "UserAssigned",
    "userAssignedIdentities": {
      "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id1": {}
    }
  }
}
Sample response
{
  "name": "Microsoft.Networkdesmond-rgdesmondcentral-nsg",
  "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/networkWatchers/nw/FlowLogs/fl",
  "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
  "properties": {
    "provisioningState": "Updating",
    "targetResourceId": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/networkSecurityGroups/desmondcentral-nsg",
    "targetResourceGuid": "00000000-0000-0000-0000-000000000000",
    "storageId": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/nwtest1mgvbfmqsigdxe",
    "enabledFilteringCriteria": "srcIP= || dstPort=56891",
    "enabled": true,
    "flowAnalyticsConfiguration": {},
    "retentionPolicy": {
      "days": 0,
      "enabled": false
    },
    "format": {
      "type": "JSON",
      "version": 1
    }
  },
  "type": "Microsoft.Network/networkWatchers/FlowLogs",
  "identity": {
    "type": "UserAssigned",
    "userAssignedIdentities": {
      "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id1": {
        "clientId": "c16d15e1-f60a-40e4-8a05-df3d3f655c14",
        "principalId": "e3858881-e40c-43bd-9cde-88da39c05023"
      }
    }
  },
  "location": "centraluseuap"
}

{
  "name": "Microsoft.Networkdesmond-rgdesmondcentral-nsg",
  "id": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/networkWatchers/nw/FlowLogs/fl",
  "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
  "properties": {
    "provisioningState": "Succeeded",
    "targetResourceId": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Network/networkSecurityGroups/desmondcentral-nsg",
    "targetResourceGuid": "00000000-0000-0000-0000-000000000000",
    "storageId": "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/nwtest1mgvbfmqsigdxe",
    "enabledFilteringCriteria": "srcIP= || dstPort=56891",
    "enabled": true,
    "flowAnalyticsConfiguration": {},
    "retentionPolicy": {
      "days": 0,
      "enabled": false
    },
    "format": {
      "type": "JSON",
      "version": 1
    }
  },
  "type": "Microsoft.Network/networkWatchers/FlowLogs",
  "identity": {
    "type": "UserAssigned",
    "userAssignedIdentities": {
      "/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id1": {
        "clientId": "c16d15e1-f60a-40e4-8a05-df3d3f655c14",
        "principalId": "e3858881-e40c-43bd-9cde-88da39c05023"
      }
    }
  },
  "location": "centraluseuap"
}
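The following Python check is an added example, not part of the original reference and not Microsoft's code: it audits a flow log resource as returned by this operation for settings that reduce network visibility. The `||`-joined `key=value` filter grammar is assumed from the sample above, and the function names and the 90-day retention threshold are hypothetical.

```python
# Filter fields this page lists for properties.enabledFilteringCriteria.
FILTER_KEYS = {"srcip", "srcport", "dstip", "dstport",
               "protocol", "encryption", "direction", "action"}

def parse_filter(criteria):
    # Assumption: 'key=value' clauses joined by '||', as in the page's sample.
    clauses = []
    for raw in criteria.split("||"):
        key, _, value = raw.strip().partition("=")
        clauses.append((key.strip(), value.strip()))
    return clauses

def audit_flow_log(resource, min_retention_days=90):  # 90 is a hypothetical threshold
    """Return findings for one flow log resource (a response body of this API)."""
    props = resource.get("properties") or {}
    findings = []
    if props.get("enabled") is not True:
        findings.append("flow logging is disabled")
    state = props.get("provisioningState")
    if state != "Succeeded":
        findings.append(f"provisioningState is {state}, not Succeeded")
    criteria = (props.get("enabledFilteringCriteria") or "").strip()
    if criteria:
        findings.append("filter set: only matching traffic is logged")
        for key, value in parse_filter(criteria):
            if key.lower() not in FILTER_KEYS:
                findings.append(f"filter key '{key}' is not a listed field")
            elif not value:
                findings.append(f"filter clause '{key}=' has an empty value")
    retention = props.get("retentionPolicy") or {}
    if not retention.get("enabled"):
        findings.append("retention policy is disabled")
    elif retention.get("days", 0) < min_retention_days:
        findings.append(f"retention is below {min_retention_days} days")
    analytics = (props.get("flowAnalyticsConfiguration") or {}).get(
        "networkWatcherFlowAnalyticsConfiguration") or {}
    if not analytics.get("enabled"):
        findings.append("traffic analytics is not enabled")
    return findings

# Constructed input: the security-relevant fields of the page's sample response.
SAMPLE = {"properties": {
    "provisioningState": "Updating", "enabled": True,
    "enabledFilteringCriteria": "srcIP= || dstPort=56891",
    "flowAnalyticsConfiguration": {},
    "retentionPolicy": {"days": 0, "enabled": False}}}

if __name__ == "__main__":
    for finding in audit_flow_log(SAMPLE):
        print("-", finding)
```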
Name | Description |
Error | Common error details representation. |
Error | The error object. |
Flow | A flow log resource. |
Flow | Parameters that define the flow log format. |
Flow | The file type of flow log. |
Managed | Identity for the resource. |
Provisioning | The current provisioning state. |
Resource | The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the virtual machine. |
Retention | Parameters that define the retention policy for flow log. |
Traffic | Parameters that define the configuration of traffic analytics. |
Traffic | Parameters that define the configuration of traffic analytics. |
User | The list of user identities associated with resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. |
Common error details representation.
Name | Type | Description |
code | string | Error code. |
message | string | Error message. |
target | string | Error target. |
The error object.
Name | Type | Description |
error | Error |
A flow log resource.
Name | Type | Description |
etag | string | A unique read-only string that changes whenever the resource is updated. |
id | string | Resource ID. |
identity | | FlowLog resource Managed Identity |
location | string | Resource location. |
name | string | Resource name. |
properties.enabled | boolean | Flag to enable/disable flow logging. |
properties.enabledFilteringCriteria | string | Optional field to filter network traffic logs based on SrcIP, SrcPort, DstIP, DstPort, Protocol, Encryption, Direction and Action. If not specified, all network traffic will be logged. |
properties.flowAnalyticsConfiguration | | Parameters that define the configuration of traffic analytics. |
properties.format | | Parameters that define the flow log format. |
properties.provisioningState | | The provisioning state of the flow log. |
properties.retentionPolicy | | Parameters that define the retention policy for flow log. |
properties.storageId | string | ID of the storage account which is used to store the flow log. |
properties.targetResourceGuid | string | Guid of network security group to which flow log will be applied. |
properties.targetResourceId | string | ID of network security group to which flow log will be applied. |
tags | object | Resource tags. |
type | string | Resource type. |
Parameters that define the flow log format.
Name | Type | Default value | Description |
type | | | The file type of flow log. |
version | integer | 0 | The version (revision) of the flow log. |
The file type of flow log.
Value | Description |
Identity for the resource.
Name | Type | Description |
principalId | string | The principal id of the system assigned identity. This property will only be provided for a system assigned identity. |
tenantId | string | The tenant id of the system assigned identity. This property will only be provided for a system assigned identity. |
type | | The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the virtual machine. |
userAssignedIdentities | | The list of user identities associated with resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. |
The current provisioning state.
Value | Description |
Deleting | |
Failed | |
Succeeded | |
Updating | |
The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the virtual machine.
Value | Description |
None | |
SystemAssigned | |
SystemAssigned, UserAssigned | |
UserAssigned | |
Parameters that define the retention policy for flow log.
Name | Type | Default value | Description |
days | integer | 0 | Number of days to retain flow log records. |
enabled | boolean | False | Flag to enable/disable retention. |
Parameters that define the configuration of traffic analytics.
Name | Type | Description |
enabled | boolean | Flag to enable/disable traffic analytics. |
trafficAnalyticsInterval | integer | The interval in minutes which would decide how frequently TA service should do flow analytics. |
workspaceId | string | The resource guid of the attached workspace. |
workspaceRegion | string | The location of the attached workspace. |
workspaceResourceId | string | Resource Id of the attached workspace. |
Parameters that define the configuration of traffic analytics.
Name | Type | Description |
networkWatcherFlowAnalyticsConfiguration | | Parameters that define the configuration of traffic analytics. |
The list of user identities associated with resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'.
Name | Type | Description |