The Connection Monitor is very useful, but if you have intermittent networking issues, or if you have a large number of connections to keep track of, you'll need to get more detailed information. That's where logs come in. Network Watcher has two kinds of logs. NSG flow logs and Diagnostic Logs. An NSG flow log keeps track of what traffic was allowed through an NSG and what was denied on a per rule basis. In some regions, it also records throughput information. Diagnostic logs track both NSGs and network interfaces, but they don't record as much information about NSG events as flow logs do, so I'm not going to go through the diagnostic logs. When you click on NSG flow logs, it comes back with a list of network security groups. You can filter them by selecting a resource group. To enable logging on an NSG, click on it, and then change the status to On. Next, select a storage account. The retention is how long you want to keep log records. By default, it's set to zero, which actually means keep them forever, so if you want to reduce your storage costs, you can set it to something between one and 365 days. I'll set it to 30. 

You should also turn Traffic Analytics on. This is a really cool feature that I'll show you later. Then you have to select an OMS workspace. If you don't already have one, you can create one here. When you're done, click Save. It takes a while before the logs are available, so I'll show you one that I enabled earlier. Go to Storage Accounts, click on the one where you said you wanted to store it, and then click Blobs. The container is called insights-logs-networksecuritygroupflowevent. The log file is buried in a deep hierarchy of folders, so I'm just going to keep clicking for a while. At this point, there will be a separate folder for every NSG. Now, all of the folders are date or time related. I'll click through them until we get to the most recent one. The final folder is the MAC address of the network interface for the flow. The log is in JSON format. Download the file to have a look at it. First, it lists a rule. In this case, it's the DenyAllInBound rule. Then it lists the flows that went through that rule. For each flow, it shows the time stamp, the source IP, the destination IP, the source port, the destination port, whether it was TCP or UDP, whether it was inbound or outbound, and whether it was allowed or denied. If this were a Version Two flow log, then it would also contain throughput data. This fine-grained data could be really useful if you're trying to track down a difficult security filtering issue. But in most cases, you'd probably rather look at a high-level overview of what's happening with your networks. To find out how, go to the next lesson.