Share via

az network watcher flow-log

Manage network security group flow logging.

For more information about configuring flow logs visit


Name Description Type Status
az network watcher flow-log create

Create a flow log on a network security group.

Core GA
az network watcher flow-log delete

Delete the specified flow log resource.

Core GA
az network watcher flow-log list

List all flow log resources for the specified Network Watcher.

Core GA
az network watcher flow-log show

Get the flow log configuration of a network security group.

Core GA
az network watcher flow-log update

Update the flow log configuration of a network security group.

Core GA
az network watcher flow-log wait

Place the CLI in a waiting state until a condition is met.

Core GA

az network watcher flow-log create

Create a flow log on a network security group.

az network watcher flow-log create --name
                                   [--enabled {0, 1, f, false, n, no, t, true, y, yes}]
                                   [--format {JSON}]
                                   [--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
                                   [--traffic-analytics {0, 1, f, false, n, no, t, true, y, yes}]


Create a flow log with Network Security Group name

az network watcher flow-log create --location westus --resource-group MyResourceGroup --name MyFlowLog --nsg MyNetworkSecurityGroupName --storage-account account

Create a flow log with VNet name

az network watcher flow-log create --location westus --resource-group MyResourceGroup --name MyFlowLog --vnet MyVNetName --storage-account account

Create a flow log with Subnet name

az network watcher flow-log create --location westus --resource-group MyResourceGroup --name MyFlowLog --vnet MyVNetName --subnet MySubnetName --storage-account account

Create a flow log with NIC name

az network watcher flow-log create --location westus --resource-group MyResourceGroup --name MyFlowLog --nic MyNICName --storage-account account

Create a flow log with Network Security Group ID (could be in other resource group)

az network watcher flow-log create --location westus --name MyFlowLog --nsg MyNetworkSecurityGroupID --storage-account account

Create a flow log with Virtual Network ID (could be in other resource group)

az network watcher flow-log create --location westus --name MyFlowLog --vnet MyVNetID --storage-account account

Create a flow log with Subnet ID (could be in other resource group)

az network watcher flow-log create --location westus --name MyFlowLog --subnet SubnetID --storage-account account

Create a flow log with Network Interface ID (could be in other resource group)

az network watcher flow-log create --location westus --name MyFlowLog --nic MyNetworkInterfaceID --storage-account account

Required Parameters

--name -n

The name of the flow logger.

Optional Parameters


Enable logging. Default: true.

Accepted values: 0, 1, f, false, n, no, t, true, y, yes

File type of the flow log.

Accepted values: JSON

FlowLog resource Managed Identity Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.


Interval in minutes at which to conduct flow analytics. Temporarily allowed values are 10 and 60.

Default value: 60
--location -l

Location to identify the exclusive Network Watcher under a region. Only one Network Watcher can be existed per subscription and region. When not specified, the location of the resource group will be used.


Version (revision) of the flow log.

Default value: 0

Name or ID of the Network Interface (NIC) Resource.


Do not wait for the long-running operation to finish.

Accepted values: 0, 1, f, false, n, no, t, true, y, yes

Name or ID of the network security group.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.


Number of days to retain logs.


Name or ID of the storage account in which to save the flow logs. Must be in the same region of flow log.


Name or ID of Subnet.


Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.


Enable traffic analytics. Defaults to true if --workspace is provided.

Accepted values: 0, 1, f, false, n, no, t, true, y, yes

Name or ID of the ManagedIdentity Resource.


Name or ID of the Virtual Network Resource.


Name or ID of a Log Analytics workspace. Must be in the same region of flow log.

Global Parameters

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.


Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

JMESPath query string. See for more information and examples.


Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.


Increase logging verbosity. Use --debug for full debug logs.

az network watcher flow-log delete

Delete the specified flow log resource.

az network watcher flow-log delete --name
                                   [--no-wait {0, 1, f, false, n, no, t, true, y, yes}]


Delete the specified flow log resource.

az network watcher flow-log delete --location westus2 --name MyFlowLogger

Required Parameters

--name -n

The name of the flow logger.

Optional Parameters

--location -l

Location to identify the exclusive Network Watcher under a region. Only one Network Watcher can be existed per subscription and region. When not specified, the location of the resource group will be used.


Do not wait for the long-running operation to finish.

Accepted values: 0, 1, f, false, n, no, t, true, y, yes
Global Parameters

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.


Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

JMESPath query string. See for more information and examples.


Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.


Increase logging verbosity. Use --debug for full debug logs.

az network watcher flow-log list

List all flow log resources for the specified Network Watcher.

az network watcher flow-log list [--location]


List all flow log resources for the specified Network Watcher.

az network watcher flow-log list --location westus2

Optional Parameters

--location -l

Location to identify the exclusive Network Watcher under a region. Only one Network Watcher can be existed per subscription and region. When not specified, the location of the resource group will be used.

Global Parameters

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.


Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

JMESPath query string. See for more information and examples.


Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.


Increase logging verbosity. Use --debug for full debug logs.

az network watcher flow-log show

Get the flow log configuration of a network security group.

az network watcher flow-log show [--location]


Show NSG flow logs. (Deprecated)

az network watcher flow-log show -g MyResourceGroup --nsg MyNsg

Show NSG flow logs with Azure Resource Management formatted.

az network watcher flow-log show --location MyNetworkWatcher --name MyFlowLog

Optional Parameters

--location -l

Location to identify the exclusive Network Watcher under a region. Only one Network Watcher can be existed per subscription and region.

--name -n

The name of the flow logger.


Argument 'nsg' has been deprecated and will be removed in a future release. Use '--location and --name combination' instead.

Name or ID of the network security group.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Global Parameters

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.


Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

JMESPath query string. See for more information and examples.


Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.


Increase logging verbosity. Use --debug for full debug logs.

az network watcher flow-log update

Update the flow log configuration of a network security group.

az network watcher flow-log update --name
                                   [--enabled {0, 1, f, false, n, no, t, true, y, yes}]
                                   [--force-string {0, 1, f, false, n, no, t, true, y, yes}]
                                   [--format {JSON}]
                                   [--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
                                   [--traffic-analytics {0, 1, f, false, n, no, t, true, y, yes}]


Update storage account with name to let resource group identify the storage account and network watcher

az network watcher flow-log update --location westus --resource-group MyResourceGroup --name MyFlowLog --storage-account accountname

Update storage account with ID to let location identify the network watcher

az network watcher flow-log update --location westus --resource-group MyResourceGroup --name MyFlowLog --storage-account accountid

Update Network Security Group on another resource group

az network watcher flow-log update --location westus --resource-group MyAnotherResourceGroup --name MyFlowLog --nsg MyNSG

Update Virtual Network on another resource group

az network watcher flow-log update --location westus --resource-group MyAnotherResourceGroup --name MyFlowLog --vnet MyVNet

Update Subnet on another resource group

az network watcher flow-log update --location westus --resource-group MyAnotherResourceGroup --name MyFlowLog --vnet MyVNet --subnet MySubnet

Update Network Interface on another resource group

az network watcher flow-log update --location westus --resource-group MyAnotherResourceGroup --name MyFlowLog --nic MyNIC

Update Workspace on another resource group

az network watcher flow-log update --location westus --resource-group MyAnotherResourceGroup --name MyFlowLog --workspace MyAnotherLogAnalyticWorkspace

Required Parameters

--name -n

The name of the flow logger.

Optional Parameters


Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty <key=value, string or JSON string>.


Enable logging.

Accepted values: 0, 1, f, false, n, no, t, true, y, yes

When using 'set' or 'add', preserve string literals instead of attempting to convert to JSON.

Accepted values: 0, 1, f, false, n, no, t, true, y, yes

File type of the flow log.

Accepted values: JSON

FlowLog resource Managed Identity Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.


Interval in minutes at which to conduct flow analytics. Temporarily allowed values are 10 and 60.

--location -l

Location to identify the exclusive Network Watcher under a region. Only one Network Watcher can be existed per subscription and region. When not specified, the location of the resource group will be used.


Version (revision) of the flow log.


Name or ID of the Network Interface (NIC) Resource.


Do not wait for the long-running operation to finish.

Accepted values: 0, 1, f, false, n, no, t, true, y, yes

Name or ID of the network security group.


Remove a property or an element from a list. Example: --remove property.list <indexToRemove> OR --remove propertyToRemove.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.


Number of days to retain logs.


Update an object by specifying a property path and value to set. Example: --set property1.property2=<value>.


Name or ID of the storage account in which to save the flow logs. Must be in the same region of flow log.


Name or ID of Subnet.


Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.


Enable traffic analytics. Defaults to true if --workspace is provided.

Accepted values: 0, 1, f, false, n, no, t, true, y, yes

Name or ID of the ManagedIdentity Resource.


Name or ID of the Virtual Network Resource.


Name or ID of a Log Analytics workspace. Must be in the same region of flow log.

Global Parameters

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.


Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

JMESPath query string. See for more information and examples.


Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.


Increase logging verbosity. Use --debug for full debug logs.

az network watcher flow-log wait

Place the CLI in a waiting state until a condition is met.

az network watcher flow-log wait [--created]

Optional Parameters


Wait until created with 'provisioningState' at 'Succeeded'.

Default value: False

Wait until the condition satisfies a custom JMESPath query. E.g. provisioningState!='InProgress', instanceView.statuses[?code=='PowerState/running'].


Wait until deleted.

Default value: False

Wait until the resource exists.

Default value: False

One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.


Polling interval in seconds.

Default value: 30
--name -n

The name of the flow logger.


The name of the network watcher.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.


Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.


Maximum wait in seconds.

Default value: 3600

Wait until updated with provisioningState at 'Succeeded'.

Default value: False
Global Parameters

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.


Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

JMESPath query string. See for more information and examples.


Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.


Increase logging verbosity. Use --debug for full debug logs.