Azure Resource logs: Application Gateway logs

Overview

3 Types of resource logs from Application Gateway

  • Access log: You can use this log to view Application Gateway access patterns and analyze important information, such as the caller's IP, requested URL, response latency, return code, and bytes in and out.

  • Firewall log: You can use this log to view the requests that are logged through either detection or prevention mode of an application gateway that is configured with the web application firewall.

  • Performance log: You can use this log to view how Application Gateway instances are performing.

 

Azure Application Gateway Access Log: AzureApplicationGatewayAccessLog

You can use this log to view Application Gateway access patterns and analyze important information. This includes the caller's IP, requested URL, response latency, return code, and bytes in and out.

This log contains one record per instance of Application Gateway. The Application Gateway instance is identified by the instanceId property.

 

Log Structure

{
"tables": [
{
"name": "PrimaryResult",
"columns": [
{
"name": "TenantId",
"type": "string"
},
{
"name": "TimeGenerated",
"type": "datetime"
},
{
"name": "ResourceId",
"type": "string"
},
{
"name": "Category",
"type": "string"
},
{
"name": "ResourceGroup",
"type": "string"
},
{
"name": "SubscriptionId",
"type": "string"
},
{
"name": "ResourceProvider",
"type": "string"
},
{
"name": "Resource",
"type": "string"
},
{
"name": "ResourceType",
"type": "string"
},
{
"name": "OperationName",
"type": "string"
},
{
"name": "ResultType",
"type": "string"
},
{
"name": "CorrelationId",
"type": "string"
},
{
"name": "ResultDescription",
"type": "string"
},
{
"name": "Tenant_g",
"type": "string"
},
{
"name": "JobId_g",
"type": "string"
},
{
"name": "RunbookName_s",
"type": "string"
},
{
"name": "StreamType_s",
"type": "string"
},
{
"name": "Caller_s",
"type": "string"
},
{
"name": "requestUri_s",
"type": "string"
},
{
"name": "Level",
"type": "string"
},
{
"name": "DurationMs",
"type": "long"
},
{
"name": "CallerIPAddress",
"type": "string"
},
{
"name": "OperationVersion",
"type": "string"
},
{
"name": "ResultSignature",
"type": "string"
},
{
"name": "id_s",
"type": "string"
},
{
"name": "status_s",
"type": "string"
},
{
"name": "LogicalServerName_s",
"type": "string"
},
{
"name": "Message",
"type": "string"
},
{
"name": "clientInfo_s",
"type": "string"
},
{
"name": "httpStatusCode_d",
"type": "real"
},
{
"name": "identity_claim_appid_g",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g",
"type": "string"
},
{
"name": "userAgent_s",
"type": "string"
},
{
"name": "ruleName_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s",
"type": "string"
},
{
"name": "systemId_g",
"type": "string"
},
{
"name": "isAccessPolicyMatch_b",
"type": "bool"
},
{
"name": "EventName_s",
"type": "string"
},
{
"name": "httpMethod_s",
"type": "string"
},
{
"name": "subnetId_s",
"type": "string"
},
{
"name": "type_s",
"type": "string"
},
{
"name": "instanceId_s",
"type": "string"
},
{
"name": "macAddress_s",
"type": "string"
},
{
"name": "vnetResourceGuid_g",
"type": "string"
},
{
"name": "direction_s",
"type": "string"
},
{
"name": "subnetPrefix_s",
"type": "string"
},
{
"name": "primaryIPv4Address_s",
"type": "string"
},
{
"name": "conditions_sourcePortRange_s",
"type": "string"
},
{
"name": "priority_d",
"type": "real"
},
{
"name": "conditions_destinationPortRange_s",
"type": "string"
},
{
"name": "conditions_destinationIP_s",
"type": "string"
},
{
"name": "conditions_None_s",
"type": "string"
},
{
"name": "conditions_sourceIP_s",
"type": "string"
},
{
"name": "httpVersion_s",
"type": "string"
},
{
"name": "matchedConnections_d",
"type": "real"
},
{
"name": "startTime_t",
"type": "datetime"
},
{
"name": "endTime_t",
"type": "datetime"
},
{
"name": "DatabaseName_s",
"type": "string"
},
{
"name": "clientIP_s",
"type": "string"
},
{
"name": "host_s",
"type": "string"
},
{
"name": "requestQuery_s",
"type": "string"
},
{
"name": "sslEnabled_s",
"type": "string"
},
{
"name": "clientPort_d",
"type": "real"
},
{
"name": "httpStatus_d",
"type": "real"
},
{
"name": "receivedBytes_d",
"type": "real"
},
{
"name": "sentBytes_d",
"type": "real"
},
{
"name": "timeTaken_d",
"type": "real"
},
{
"name": "resultDescription_ErrorJobs_s",
"type": "string"
},
{
"name": "resultDescription_ChildJobs_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_identity_claims_scope_s",
"type": "string"
},
{
"name": "workflowId_s",
"type": "string"
},
{
"name": "resource_location_s",
"type": "string"
},
{
"name": "resource_workflowId_g",
"type": "string"
},
{
"name": "resource_resourceGroupName_s",
"type": "string"
},
{
"name": "resource_subscriptionId_g",
"type": "string"
},
{
"name": "resource_runId_s",
"type": "string"
},
{
"name": "resource_workflowName_s",
"type": "string"
},
{
"name": "_schema_s",
"type": "string"
},
{
"name": "correlation_clientTrackingId_s",
"type": "string"
},
{
"name": "properties_sku_Family_s",
"type": "string"
},
{
"name": "properties_sku_Name_s",
"type": "string"
},
{
"name": "properties_tenantId_g",
"type": "string"
},
{
"name": "properties_enabledForDeployment_b",
"type": "bool"
},
{
"name": "code_s",
"type": "string"
},
{
"name": "resultDescription_Summary_MachineId_s",
"type": "string"
},
{
"name": "resultDescription_Summary_ScheduleName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_Status_s",
"type": "string"
},
{
"name": "resultDescription_Summary_StatusDescription_s",
"type": "string"
},
{
"name": "resultDescription_Summary_MachineName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_TotalUpdatesInstalled_d",
"type": "real"
},
{
"name": "resultDescription_Summary_RebootRequired_b",
"type": "bool"
},
{
"name": "resultDescription_Summary_TotalUpdatesFailed_d",
"type": "real"
},
{
"name": "resultDescription_Summary_InstallPercentage_d",
"type": "real"
},
{
"name": "resultDescription_Summary_StartDateTimeUtc_t",
"type": "datetime"
},
{
"name": "resource_triggerName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_InitialRequiredUpdatesCount_d",
"type": "real"
},
{
"name": "properties_enabledForTemplateDeployment_b",
"type": "bool"
},
{
"name": "resultDescription_Summary_EndDateTimeUtc_s",
"type": "string"
},
{
"name": "resultDescription_Summary_DurationInMinutes_s",
"type": "string"
},
{
"name": "resource_originRunId_s",
"type": "string"
},
{
"name": "properties_enabledForDiskEncryption_b",
"type": "bool"
},
{
"name": "resource_actionName_s",
"type": "string"
},
{
"name": "correlation_actionTrackingId_g",
"type": "string"
},
{
"name": "resultDescription_Summary_EndDateTimeUtc_t",
"type": "datetime"
},
{
"name": "resultDescription_Summary_DurationInMinutes_d",
"type": "real"
},
{
"name": "conditions_protocols_s",
"type": "string"
},
{
"name": "identity_claim_ipaddr_s",
"type": "string"
},
{
"name": "ElasticPoolName_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_claims_authnmethodsreferences_s",
"type": "string"
},
{
"name": "RunOn_s",
"type": "string"
},
{
"name": "query_hash_s",
"type": "string"
},
{
"name": "SourceSystem",
"type": "string"
},
{
"name": "MG",
"type": "string"
},
{
"name": "ManagementGroupName",
"type": "string"
},
{
"name": "Computer",
"type": "string"
},
{
"name": "RawData",
"type": "string"
},
{
"name": "healthyHostCount_d",
"type": "real"
},
{
"name": "unHealthyHostCount_d",
"type": "real"
},
{
"name": "requestCount_d",
"type": "real"
},
{
"name": "latency_d",
"type": "real"
},
{
"name": "failedRequestCount_d",
"type": "real"
},
{
"name": "throughput_d",
"type": "real"
},
{
"name": "timeStamp_t",
"type": "datetime"
},
{
"name": "listenerName_s",
"type": "string"
},
{
"name": "backendPoolName_s",
"type": "string"
},
{
"name": "backendSettingName_s",
"type": "string"
},
{
"name": "originalRequestUriWithArgs_s",
"type": "string"
},
{
"name": "clientResponseTime_d",
"type": "real"
},
{
"name": "transactionId_g",
"type": "string"
},
{
"name": "sslCipher_s",
"type": "string"
},
{
"name": "sslProtocol_s",
"type": "string"
},
{
"name": "sslClientVerify_s",
"type": "string"
},
{
"name": "sslClientCertificateFingerprint_s",
"type": "string"
},
{
"name": "sslClientCertificateIssuerName_s",
"type": "string"
},
{
"name": "serverRouted_s",
"type": "string"
},
{
"name": "serverStatus_s",
"type": "string"
},
{
"name": "serverResponseLatency_s",
"type": "string"
},
{
"name": "upstreamSourcePort_s",
"type": "string"
},
{
"name": "originalHost_s",
"type": "string"
},
{
"name": "AdditionalFields",
"type": "dynamic"
},
{
"name": "WAFEvaluationTime_s",
"type": "string"
},
{
"name": "WAFMode_s",
"type": "string"
},
{
"name": "WAFPolicyID_s",
"type": "string"
},
{
"name": "connectionSerialNumber_d",
"type": "real"
},
{
"name": "noOfConnectionRequests_d",
"type": "real"
},
{
"name": "Type",
"type": "string"
},
{
"name": "_ItemId",
"type": "string"
},
{
"name": "_ResourceId",
"type": "string"
},
{
"name": "IngestionTime",
"type": "datetime"
},
{
"name": "LogId",
"type": "string"
}
],
"rows": [
[
"89535190-33d4-40ee-90a1-4af37d5cf2d7",
"2023-09-14T08:02:36Z",
"/SUBSCRIPTIONS/E0DE53D1-C8BC-4ED4-90CC-9362C6FEF41C/RESOURCEGROUPS/TEST/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/APPGW-1",
"ApplicationGatewayAccessLog",
"TEST",
"e0de53d1-c8bc-4ed4-90cc-9362c6fef41c",
"MICROSOFT.NETWORK",
"APPGW-1",
"APPLICATIONGATEWAYS",
"ApplicationGatewayAccess",
"",
"",
"",
"",
"",
"",
"",
"",
"/.env",
"",
null,
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36",
"appgw-routing-rule-1",
"",
"",
null,
"",
"GET",
"",
"",
"appgw_0",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"HTTP/1.1",
null,
null,
null,
"",
"1.2.3.4",
"192.1.1.1:80",
"",
"",
45306,
404,
231,
460,
0.006,
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
null,
null,
null,
null,
null,
"",
null,
null,
"",
"",
"",
null,
"",
"",
null,
null,
"",
"",
"",
"",
"",
"",
"Azure",
"",
"",
"",
"",
null,
null,
null,
null,
null,
null,
"2023-09-14T08:02:36Z",
"appgw-listener-1",
"appgw-backend-pool-1",
"appgw-backend-setting-1",
"/.env",
0,
"51bbbac9-6e92-4937-a689-9fff8789ac9f",
"",
"",
"",
"",
"",
"5.6.7.8:80",
"404",
"0.004",
"37856",
"192.1.1.1:80",
null,
"0.004",
"Prevention",
"/subscriptions/e0de53d1-c8bc-4ed4-90cc-9362c6fef41c/resourceGroups/test/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/Waf-rule-1",
871313,
1,
"AzureDiagnostics",
"2ec3a84e-ee71-4eef-a6cc-f7a8afa4028d",
"/subscriptions/e0de53d1-c8bc-4ed4-90cc-9362c6fef41c/resourcegroups/test/providers/microsoft.network/applicationgateways/appgw-1",
"2023-09-14T08:03:03.1091014Z",
"2ec3a84e-ee71-4eef-a6cc-f7a8afa4028d"
]
]
}
]
}

 

Table Fields

Field

Description

TABLE

AzureApplicationGatewayAccessLog is a value derived from Azure + CATEGORY’s value.

SYSTEM

Will base its value on CLIENTIP if not empty; otherwise, it will use the domain value defined in the configuration.

DATE

Based on the extracted date value from CreatedDateTime.

TIME

Based on the extracted time value from CreatedDateTime.

DATETIME

Based on the extracted datetime value from CreatedDateTime and formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.

COLLECTIONDATETIME

Snare Central’s local date and time of the log collection from the API, formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.

BACKENDPOOLNAME

Based on backendPoolName_s, this field indicates the name of the Backend pool associated with the Application Gateway resource.

BACKENDSETTINGNAME

Based on backendSettingName_s, this field indicates the name of the Backend setting associated with the Application Gateway resource.

CATEGORY

Based on Category, this field indicates the log category of the event; ApplicationGatewayAccessLog is the fixed value for this log type.

CLIENTIP

Based on clientIP_s, this field indicates the IP of the immediate client of Application Gateway.

CLIENTPORT

Based on clientPort_d, this field indicates the originating port for the request.

HOST

Based on host_s, this field indicates the address listed in the host header of the request.

HTTPMETHOD

Based on httpMethod_s, this field indicates the HTTP method used by the request.

HTTPSTATUS

Based on httpStatus_d, this field indicates the HTTP status code returned to the client from Application Gateway.

HTTPVERSION

Based on httpVersion_s, this field indicates the HTTP version of the request.

INGESTIONTIME

Based on IngestionTime, this field indicates the datetime value specifying the approximate time of ingestion into an Azure table.

INSTANCEID

Based on instanceId_s, this field indicates the Application Gateway instance that served the request.

LISTENERNAME

Based on listenerName_s, this field indicates the name of the Listener associated with the Application Gateway resource.

LOGID

Based on LogId, this field indicates a unique identifier for the record or log.

OPERATIONNAME

Based on OperationName, this field indicates the name of the operation that this event represents; ApplicationGatewayAccess is the fixed value for this log type.

ORIGINALHOST

Based on originalHost_s, this field indicates the hostname with which the request was received by the Application Gateway from the client.

REQUESTQUERY

Based on requestQuery_s, this field contains the following information: Server-Routed, X-AzureApplicationGateway-LOG-ID and SERVER-STATUS.

REQUESTURI

Based on requestUri_s, this field indicates the URI of the received request.

RESOURCE

Based on Resource, this field indicates the name of the Application Gateway resource.

RESOURCEGROUP

Based on ResourceGroup, this field indicates the resource group name of the impacted resource.

RESOURCEID

Based on ResourceId, this field indicates a unique identifier for the resource that the record or log is associated with.

RESOURCEPROVIDER

Based on ResourceProvider, this field indicates the ID of the resource provider for the impacted resource; MICROSOFT.NETWORK is the fixed value for this log type.

RESOURCETYPE

Based on ResourceType, this field indicates the type of the impacted resource; APPLICATIONGATEWAYS is the fixed value for all Azure Application Gateway logs.

RULENAME

Based on ruleName_s, this field indicates the rule name set and configured on the Application Gateway resource.

SERVERROUTED

Based on serverRouted_s, this field indicates the backend server that Application Gateway routes the request to.

SERVERSTATUS

Based on serverStatus_s, this field indicates the HTTP status code of the backend server.

SOURCESYSTEM

Based on SourceSystem, this field contains Azure as the fixed value for all log types under the AzureDiagnostics table.

SSLENABLED

Based on sslEnabled_s, this field indicates whether communication to the backend pools used TLS/SSL.
Valid values are on and off.

SUBSCRIPTIONID

Based on SubscriptionId, this field indicates the subscription ID of the impacted resource.

TIMESTAMP

Based on timeStamp_t, this field indicates the date time when the request was processed by the Application Gateway.

TENANTID

Based on TenantId, this field indicates the Log Analytics workspace ID.

TIMEGENERATED

Based on TimeGenerated, this field indicates the timestamp when the event was generated by the Azure service processing the request corresponding to the event.

TRANSACTIONID

Based on transactionId_g, this field indicates a unique identifier to correlate the request received from the client.

TYPE

Based on Type, this field indicates the name of the table; AzureDiagnostics is the fixed value for this log type.

UPSTREAMSOURCEPORT

Based on upstreamSourcePort_s, this field indicates the source port used by Application Gateway when initiating a connection to the backend target.

USERAGENT

Based on userAgent_s, this field indicates the user agent from the HTTP request header.

WAFMODE

Based on WAFMode_s, this field indicates the mode of the WAF involved; it can be either Detection or Prevention.

WAFPOLICYID

Based on WAFPolicyID_s, this field indicates the ID of the WAF policy associated with the request.

WORKSPACEID

A value that was derived from TenantId.

SNAREDATAMAP

All unclassified field(s) parsed from this log type will be pushed into the SNAREDATAMAP in key=value format and separated by newline.
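
The mapping in the field table above, as an added example (not Snare Central's own code): it pairs each row of the columns/rows response with its column names, then derives TABLE, SYSTEM and SNAREDATAMAP as the table describes. The field map is an excerpt of the table, `default_system` is a hypothetical name standing in for the configured domain value, and the sample response is constructed.

```python
import json

# Excerpt of the field table above: Snare field -> AzureDiagnostics column.
ACCESS_FIELD_MAP = {
    "CATEGORY": "Category",
    "CLIENTIP": "clientIP_s",
    "HOST": "host_s",
    "HTTPMETHOD": "httpMethod_s",
    "HTTPSTATUS": "httpStatus_d",
    "REQUESTURI": "requestUri_s",
    "TENANTID": "TenantId",
    "WAFMODE": "WAFMode_s",
}

# Constructed sample in the columns/rows layout shown under "Log Structure",
# trimmed to a handful of columns. All values are made up.
SAMPLE_RESPONSE = json.loads("""
{"tables": [{"name": "PrimaryResult",
  "columns": [
    {"name": "TenantId", "type": "string"},
    {"name": "Category", "type": "string"},
    {"name": "requestUri_s", "type": "string"},
    {"name": "httpMethod_s", "type": "string"},
    {"name": "clientIP_s", "type": "string"},
    {"name": "host_s", "type": "string"},
    {"name": "httpStatus_d", "type": "real"},
    {"name": "timeTaken_d", "type": "real"},
    {"name": "sslCipher_s", "type": "string"},
    {"name": "WAFMode_s", "type": "string"}],
  "rows": [
    ["00000000-0000-0000-0000-000000000001", "ApplicationGatewayAccessLog",
     "/.env", "GET", "203.0.113.7", "198.51.100.10:80", 404, 0.006, "",
     "Prevention"],
    ["00000000-0000-0000-0000-000000000001", "ApplicationGatewayAccessLog",
     "/health", "GET", "", "198.51.100.10:80", 200, 0.002, null,
     "Prevention"]]}]}
""")


def rows_to_records(response):
    """Pair each row with the column names; drop null and empty-string cells."""
    for table in response["tables"]:
        names = [col["name"] for col in table["columns"]]
        for index, row in enumerate(table["rows"]):
            if len(row) != len(names):
                # A short or long row would shift every value into the wrong
                # column, so refuse it instead of guessing.
                raise ValueError(
                    f"row {index}: {len(row)} cells for {len(names)} columns")
            yield {n: v for n, v in zip(names, row) if v not in (None, "")}


def to_snare_fields(record, field_map, default_system):
    """Build one event from a record, following the field table's rules."""
    event = {snare: record[col]
             for snare, col in field_map.items() if col in record}
    # TABLE is "Azure" + CATEGORY's value.
    event["TABLE"] = "Azure" + record.get("Category", "")
    # SYSTEM is CLIENTIP when present, otherwise the configured domain value
    # (default_system is a hypothetical parameter name).
    event["SYSTEM"] = event.get("CLIENTIP") or default_system
    # Columns the map does not classify go to SNAREDATAMAP as key=value lines.
    classified = set(field_map.values())
    event["SNAREDATAMAP"] = "\n".join(
        f"{k}={v}" for k, v in record.items() if k not in classified)
    return event


if __name__ == "__main__":
    for rec in rows_to_records(SAMPLE_RESPONSE):
        print(to_snare_fields(rec, ACCESS_FIELD_MAP, "appgw.example.test"))
```
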

 

Azure Application Gateway Firewall Log: AzureApplicationGatewayFirewallLog

You can use this log to view the requests that are logged through either detection or prevention mode of an application gateway that is configured with the web application firewall.

 

Log Structure

{
"tables": [
{
"name": "PrimaryResult",
"columns": [
{
"name": "TenantId",
"type": "string"
},
{
"name": "TimeGenerated",
"type": "datetime"
},
{
"name": "ResourceId",
"type": "string"
},
{
"name": "Category",
"type": "string"
},
{
"name": "ResourceGroup",
"type": "string"
},
{
"name": "SubscriptionId",
"type": "string"
},
{
"name": "ResourceProvider",
"type": "string"
},
{
"name": "Resource",
"type": "string"
},
{
"name": "ResourceType",
"type": "string"
},
{
"name": "OperationName",
"type": "string"
},
{
"name": "ResultType",
"type": "string"
},
{
"name": "CorrelationId",
"type": "string"
},
{
"name": "ResultDescription",
"type": "string"
},
{
"name": "Tenant_g",
"type": "string"
},
{
"name": "JobId_g",
"type": "string"
},
{
"name": "RunbookName_s",
"type": "string"
},
{
"name": "StreamType_s",
"type": "string"
},
{
"name": "Caller_s",
"type": "string"
},
{
"name": "requestUri_s",
"type": "string"
},
{
"name": "Level",
"type": "string"
},
{
"name": "DurationMs",
"type": "long"
},
{
"name": "CallerIPAddress",
"type": "string"
},
{
"name": "OperationVersion",
"type": "string"
},
{
"name": "ResultSignature",
"type": "string"
},
{
"name": "id_s",
"type": "string"
},
{
"name": "status_s",
"type": "string"
},
{
"name": "LogicalServerName_s",
"type": "string"
},
{
"name": "Message",
"type": "string"
},
{
"name": "clientInfo_s",
"type": "string"
},
{
"name": "httpStatusCode_d",
"type": "real"
},
{
"name": "identity_claim_appid_g",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g",
"type": "string"
},
{
"name": "userAgent_s",
"type": "string"
},
{
"name": "ruleName_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s",
"type": "string"
},
{
"name": "systemId_g",
"type": "string"
},
{
"name": "isAccessPolicyMatch_b",
"type": "bool"
},
{
"name": "EventName_s",
"type": "string"
},
{
"name": "httpMethod_s",
"type": "string"
},
{
"name": "subnetId_s",
"type": "string"
},
{
"name": "type_s",
"type": "string"
},
{
"name": "instanceId_s",
"type": "string"
},
{
"name": "macAddress_s",
"type": "string"
},
{
"name": "vnetResourceGuid_g",
"type": "string"
},
{
"name": "direction_s",
"type": "string"
},
{
"name": "subnetPrefix_s",
"type": "string"
},
{
"name": "primaryIPv4Address_s",
"type": "string"
},
{
"name": "conditions_sourcePortRange_s",
"type": "string"
},
{
"name": "priority_d",
"type": "real"
},
{
"name": "conditions_destinationPortRange_s",
"type": "string"
},
{
"name": "conditions_destinationIP_s",
"type": "string"
},
{
"name": "conditions_None_s",
"type": "string"
},
{
"name": "conditions_sourceIP_s",
"type": "string"
},
{
"name": "httpVersion_s",
"type": "string"
},
{
"name": "matchedConnections_d",
"type": "real"
},
{
"name": "startTime_t",
"type": "datetime"
},
{
"name": "endTime_t",
"type": "datetime"
},
{
"name": "DatabaseName_s",
"type": "string"
},
{
"name": "clientIP_s",
"type": "string"
},
{
"name": "host_s",
"type": "string"
},
{
"name": "requestQuery_s",
"type": "string"
},
{
"name": "sslEnabled_s",
"type": "string"
},
{
"name": "clientPort_d",
"type": "real"
},
{
"name": "httpStatus_d",
"type": "real"
},
{
"name": "receivedBytes_d",
"type": "real"
},
{
"name": "sentBytes_d",
"type": "real"
},
{
"name": "timeTaken_d",
"type": "real"
},
{
"name": "resultDescription_ErrorJobs_s",
"type": "string"
},
{
"name": "resultDescription_ChildJobs_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_identity_claims_scope_s",
"type": "string"
},
{
"name": "workflowId_s",
"type": "string"
},
{
"name": "resource_location_s",
"type": "string"
},
{
"name": "resource_workflowId_g",
"type": "string"
},
{
"name": "resource_resourceGroupName_s",
"type": "string"
},
{
"name": "resource_subscriptionId_g",
"type": "string"
},
{
"name": "resource_runId_s",
"type": "string"
},
{
"name": "resource_workflowName_s",
"type": "string"
},
{
"name": "_schema_s",
"type": "string"
},
{
"name": "correlation_clientTrackingId_s",
"type": "string"
},
{
"name": "properties_sku_Family_s",
"type": "string"
},
{
"name": "properties_sku_Name_s",
"type": "string"
},
{
"name": "properties_tenantId_g",
"type": "string"
},
{
"name": "properties_enabledForDeployment_b",
"type": "bool"
},
{
"name": "code_s",
"type": "string"
},
{
"name": "resultDescription_Summary_MachineId_s",
"type": "string"
},
{
"name": "resultDescription_Summary_ScheduleName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_Status_s",
"type": "string"
},
{
"name": "resultDescription_Summary_StatusDescription_s",
"type": "string"
},
{
"name": "resultDescription_Summary_MachineName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_TotalUpdatesInstalled_d",
"type": "real"
},
{
"name": "resultDescription_Summary_RebootRequired_b",
"type": "bool"
},
{
"name": "resultDescription_Summary_TotalUpdatesFailed_d",
"type": "real"
},
{
"name": "resultDescription_Summary_InstallPercentage_d",
"type": "real"
},
{
"name": "resultDescription_Summary_StartDateTimeUtc_t",
"type": "datetime"
},
{
"name": "resource_triggerName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_InitialRequiredUpdatesCount_d",
"type": "real"
},
{
"name": "properties_enabledForTemplateDeployment_b",
"type": "bool"
},
{
"name": "resultDescription_Summary_EndDateTimeUtc_s",
"type": "string"
},
{
"name": "resultDescription_Summary_DurationInMinutes_s",
"type": "string"
},
{
"name": "resource_originRunId_s",
"type": "string"
},
{
"name": "properties_enabledForDiskEncryption_b",
"type": "bool"
},
{
"name": "resource_actionName_s",
"type": "string"
},
{
"name": "correlation_actionTrackingId_g",
"type": "string"
},
{
"name": "resultDescription_Summary_EndDateTimeUtc_t",
"type": "datetime"
},
{
"name": "resultDescription_Summary_DurationInMinutes_d",
"type": "real"
},
{
"name": "conditions_protocols_s",
"type": "string"
},
{
"name": "identity_claim_ipaddr_s",
"type": "string"
},
{
"name": "ElasticPoolName_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_claims_authnmethodsreferences_s",
"type": "string"
},
{
"name": "RunOn_s",
"type": "string"
},
{
"name": "query_hash_s",
"type": "string"
},
{
"name": "SourceSystem",
"type": "string"
},
{
"name": "MG",
"type": "string"
},
{
"name": "ManagementGroupName",
"type": "string"
},
{
"name": "Computer",
"type": "string"
},
{
"name": "RawData",
"type": "string"
},
{
"name": "clientIp_s",
"type": "string"
},
{
"name": "ruleSetType_s",
"type": "string"
},
{
"name": "ruleSetVersion_s",
"type": "string"
},
{
"name": "ruleId_s",
"type": "string"
},
{
"name": "ruleGroup_s",
"type": "string"
},
{
"name": "action_s",
"type": "string"
},
{
"name": "details_message_s",
"type": "string"
},
{
"name": "details_data_s",
"type": "string"
},
{
"name": "details_file_s",
"type": "string"
},
{
"name": "details_line_s",
"type": "string"
},
{
"name": "hostname_s",
"type": "string"
},
{
"name": "policyId_s",
"type": "string"
},
{
"name": "policyScope_s",
"type": "string"
},
{
"name": "policyScopeName_s",
"type": "string"
},
{
"name": "engine_s",
"type": "string"
},
{
"name": "WAFEvaluationTime_s",
"type": "string"
},
{
"name": "WAFMode_s",
"type": "string"
},
{
"name": "WAFPolicyID_s",
"type": "string"
},
{
"name": "Action_s",
"type": "string"
},
{
"name": "ActionReason_s",
"type": "string"
},
{
"name": "msg_s",
"type": "string"
},
{
"name": "Protocol_s",
"type": "string"
},
{
"name": "SourceIP",
"type": "string"
},
{
"name": "SourcePort_d",
"type": "real"
},
{
"name": "DestinationIp_s",
"type": "string"
},
{
"name": "DestinationPort_d",
"type": "real"
},
{
"name": "TranslatedIp_s",
"type": "string"
},
{
"name": "TranslatedPort_d",
"type": "real"
},
{
"name": "Policy_s",
"type": "string"
},
{
"name": "RuleCollectionGroup_s",
"type": "string"
},
{
"name": "RuleCollection_s",
"type": "string"
},
{
"name": "Rule_s",
"type": "string"
},
{
"name": "healthyHostCount_d",
"type": "real"
},
{
"name": "unHealthyHostCount_d",
"type": "real"
},
{
"name": "requestCount_d",
"type": "real"
},
{
"name": "latency_d",
"type": "real"
},
{
"name": "failedRequestCount_d",
"type": "real"
},
{
"name": "throughput_d",
"type": "real"
},
{
"name": "timeStamp_t",
"type": "datetime"
},
{
"name": "listenerName_s",
"type": "string"
},
{
"name": "backendPoolName_s",
"type": "string"
},
{
"name": "backendSettingName_s",
"type": "string"
},
{
"name": "originalRequestUriWithArgs_s",
"type": "string"
},
{
"name": "clientResponseTime_d",
"type": "real"
},
{
"name": "transactionId_g",
"type": "string"
},
{
"name": "sslCipher_s",
"type": "string"
},
{
"name": "sslProtocol_s",
"type": "string"
},
{
"name": "sslClientVerify_s",
"type": "string"
},
{
"name": "sslClientCertificateFingerprint_s",
"type": "string"
},
{
"name": "sslClientCertificateIssuerName_s",
"type": "string"
},
{
"name": "serverRouted_s",
"type": "string"
},
{
"name": "serverStatus_s",
"type": "string"
},
{
"name": "serverResponseLatency_s",
"type": "string"
},
{
"name": "upstreamSourcePort_s",
"type": "string"
},
{
"name": "originalHost_s",
"type": "string"
},
{
"name": "AdditionalFields",
"type": "dynamic"
},
{
"name": "Type",
"type": "string"
},
{
"name": "_ItemId",
"type": "string"
},
{
"name": "_ResourceId",
"type": "string"
},
{
"name": "IngestionTime",
"type": "datetime"
},
{
"name": "LogId",
"type": "string"
}
],
"rows": [
[
"a76a6cb8-4dce-4bea-97b6-c06d260c2cb5",
"2023-09-15T05:23:57.2156145Z",
"/SUBSCRIPTIONS/52E818A3-1BF2-4A1D-8D2F-8632474E0DE1/RESOURCEGROUPS/TEST/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/APPGW-1",
"ApplicationGatewayFirewallLog",
"TEST",
"52e818a3-1bf2-4a1d-8d2f-8632474e0de1",
"MICROSOFT.NETWORK",
"APPGW-1",
"APPLICATIONGATEWAYS",
"ApplicationGatewayFirewall",
"",
"",
"",
"",
"",
"",
"",
"",
"/",
"",
null,
"",
"",
"",
"",
"",
"",
"Host header is a numeric IP address",
"",
null,
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"appgw_0",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
null,
null,
null,
"",
"",
"",
"",
"",
80,
null,
null,
null,
null,
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
null,
null,
null,
null,
null,
"",
null,
null,
"",
"",
"",
null,
"",
"",
null,
null,
"",
"",
"",
"",
"",
"",
"Azure",
"",
"",
"",
"",
"192.1.1.1",
"OWASP CRS",
"3.2",
"920350",
"REQUEST-920-PROTOCOL-ENFORCEMENT",
"Matched",
"Pattern match ^[\\d.:]+$ at REQUEST_HEADERS:host.",
"{1.2.3.4 found within [REQUEST_HEADERS:Host:1.2.3.4]}",
"REQUEST-920-PROTOCOL-ENFORCEMENT.conf",
"666",
"1.2.3.4:8080",
"3#_subscriptions_52e818a3-1bf2-4a1d-8d2f-8632474e0de1_resourceGroups_test_providers_Microsoft.Network_ApplicationGatewayWebApplicationFirewallPolicies_Waf-rule-1",
"Global",
"Global",
"Azwaf",
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
null,
"",
null,
"",
"",
"",
"",
null,
null,
null,
null,
null,
null,
"2023-09-15T05:23:31Z",
"",
"",
"",
"",
null,
"6c9b8afa-7323-4af2-b776-b909fd9baca6",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
null,
"AzureDiagnostics",
"2f353209-f40a-42e3-9954-0ed27d38cffa",
"/subscriptions/52e818a3-1bf2-4a1d-8d2f-8632474e0de1/resourcegroups/test/providers/microsoft.network/applicationgateways/appgw-1",
"2023-09-15T05:23:57.9285Z",
"2f353209-f40a-42e3-9954-0ed27d38cffa"
]
]
}
]
}

 

Table Fields

Field

Description

TABLE

AzureApplicationGatewayFirewallLog is a value derived from Azure + CATEGORY’s value.

SYSTEM

Will base its value on CLIENTIP if not empty; otherwise, it will use the domain value defined in the configuration.

DATE

Based on the extracted date value from CreatedDateTime.

TIME

Based on the extracted time value from CreatedDateTime.

DATETIME

Based on the extracted datetime value from CreatedDateTime and formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.

COLLECTIONDATETIME

Snare Central’s local date and time of the log collection from the API, formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.

CATEGORY

Based on Category, this field indicates the log category of the event; ApplicationGatewayFirewallLog is the fixed value for this log type.

ACTION

Based on action_s, this field indicates the action taken on the request.

CLIENTIP

Based on clientIp_s, this field indicates the originating IP for the request.

CLIENTPORT

Based on clientPort_d, this field indicates the originating port for the request.

DETAILSDATA

Based on details_data_s, this field indicates the specific data found in the request that matched the rule.

DETAILSFILE

Based on details_file_s, this field indicates the configuration file that contained the rule.

ENGINE

Based on clientIp_s, there’s no available documentation for this field.

HOSTNAME

Based on hostname_s, this field indicates the hostname or IP address of the Application Gateway.

MESSAGE

Based on Message, this field indicates the description of the rule.

OPERATIONNAME

Based on OperationName, this field indicates the name of the operation that this event represents; ApplicationGatewayFirewall is the fixed value for this log type.

POLICYID

Based on policyId_s, this field indicates the ID of the WAF policy associated with the request.

POLICYSCOPE

Based on policyScope_s, this field indicates the scope of the WAF policy associated with the request.

POLICYSCOPENAME

Based on policyScopeName_s, there’s no available documentation for this field.

REQUESTURI

Based on requestUri_s, this field indicates the URL of the received request.

RESOURCE

Based on Resource, this field indicates the name of the Application Gateway resource.

RESOURCEGROUP

Based on ResourceGroup, this field indicates the resource group name of the impacted resource.

RESOURCEID

Based on ResourceId, this field indicates a unique identifier for the resource that the record or log is associated with.

RESOURCEPROVIDER

Based on ResourceProvider, this field indicates the ID of the resource provider for the impacted resource; MICROSOFT.NETWORK is the fixed value for this log type.

RESOURCETYPE

Based on ResourceType, this field indicates the type of the impacted resource; APPLICATIONGATEWAYS is the fixed value for all Azure Application Gateway logs.

RULEID

Based on ruleId_s, this field indicates the ID of the rule associated with the WAF policy for the said request.

RULEGROUP

Based on ruleGroup_s, this field indicates the ID of the rule group associated with the WAF policy for the said request.

RULESETTYPE

Based on ruleSetType_s, this field indicates the rule set type.

RULESETVERSION

Based on ruleSetVersion_s, this field indicates the rule set version used.

SOURCESYSTEM

Based on SourceSystem, this field contains Azure as the fixed value for all log types under the AzureDiagnostics table.

SUBSCRIPTIONID

Based on SubscriptionId, this field indicates the subscription ID of the impacted resource.

TENANTID

Based on TenantId, this field indicates the Log Analytics workspace ID.

TIMEGENERATED

Based on TimeGenerated, this field indicates the timestamp when the event was generated by the Azure service processing the request corresponding to the event.

TIMESTAMP

Based on timeStamp_t, this field indicates the date time when the request was processed by the Application Gateway.

TRANSACTIONID

Based on transactionId_g, this field indicates a unique identifier to correlate the request received from the client.

TYPE

Based on Type, this field indicates the name of the table. AzureDiagnostics is the fixed value for this log type.

WORKSPACEID

A value that was derived from TenantId.

SNAREDATAMAP

All unclassified field(s) parsed from this log type will be pushed into the SNAREDATAMAP in key=value format and separated by newline.

 

Azure Application Gateway Performance Log: AzureApplicationGatewayPerformanceLog

You can use this log to view how Application Gateway instances are performing.

This log captures performance information for each instance, including total requests served, throughput in bytes, failed request count, and healthy and unhealthy backend instance count.

 

Log Structure

{
"tables": [
{
"name": "PrimaryResult",
"columns": [
{
"name": "TenantId",
"type": "string"
},
{
"name": "TimeGenerated",
"type": "datetime"
},
{
"name": "ResourceId",
"type": "string"
},
{
"name": "Category",
"type": "string"
},
{
"name": "ResourceGroup",
"type": "string"
},
{
"name": "SubscriptionId",
"type": "string"
},
{
"name": "ResourceProvider",
"type": "string"
},
{
"name": "Resource",
"type": "string"
},
{
"name": "ResourceType",
"type": "string"
},
{
"name": "OperationName",
"type": "string"
},
{
"name": "ResultType",
"type": "string"
},
{
"name": "CorrelationId",
"type": "string"
},
{
"name": "ResultDescription",
"type": "string"
},
{
"name": "Tenant_g",
"type": "string"
},
{
"name": "JobId_g",
"type": "string"
},
{
"name": "RunbookName_s",
"type": "string"
},
{
"name": "StreamType_s",
"type": "string"
},
{
"name": "Caller_s",
"type": "string"
},
{
"name": "requestUri_s",
"type": "string"
},
{
"name": "Level",
"type": "string"
},
{
"name": "DurationMs",
"type": "long"
},
{
"name": "CallerIPAddress",
"type": "string"
},
{
"name": "OperationVersion",
"type": "string"
},
{
"name": "ResultSignature",
"type": "string"
},
{
"name": "id_s",
"type": "string"
},
{
"name": "status_s",
"type": "string"
},
{
"name": "LogicalServerName_s",
"type": "string"
},
{
"name": "Message",
"type": "string"
},
{
"name": "clientInfo_s",
"type": "string"
},
{
"name": "httpStatusCode_d",
"type": "real"
},
{
"name": "identity_claim_appid_g",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g",
"type": "string"
},
{
"name": "userAgent_s",
"type": "string"
},
{
"name": "ruleName_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s",
"type": "string"
},
{
"name": "systemId_g",
"type": "string"
},
{
"name": "isAccessPolicyMatch_b",
"type": "bool"
},
{
"name": "EventName_s",
"type": "string"
},
{
"name": "httpMethod_s",
"type": "string"
},
{
"name": "subnetId_s",
"type": "string"
},
{
"name": "type_s",
"type": "string"
},
{
"name": "instanceId_s",
"type": "string"
},
{
"name": "macAddress_s",
"type": "string"
},
{
"name": "vnetResourceGuid_g",
"type": "string"
},
{
"name": "direction_s",
"type": "string"
},
{
"name": "subnetPrefix_s",
"type": "string"
},
{
"name": "primaryIPv4Address_s",
"type": "string"
},
{
"name": "conditions_sourcePortRange_s",
"type": "string"
},
{
"name": "priority_d",
"type": "real"
},
{
"name": "conditions_destinationPortRange_s",
"type": "string"
},
{
"name": "conditions_destinationIP_s",
"type": "string"
},
{
"name": "conditions_None_s",
"type": "string"
},
{
"name": "conditions_sourceIP_s",
"type": "string"
},
{
"name": "httpVersion_s",
"type": "string"
},
{
"name": "matchedConnections_d",
"type": "real"
},
{
"name": "startTime_t",
"type": "datetime"
},
{
"name": "endTime_t",
"type": "datetime"
},
{
"name": "DatabaseName_s",
"type": "string"
},
{
"name": "clientIP_s",
"type": "string"
},
{
"name": "host_s",
"type": "string"
},
{
"name": "requestQuery_s",
"type": "string"
},
{
"name": "sslEnabled_s",
"type": "string"
},
{
"name": "clientPort_d",
"type": "real"
},
{
"name": "httpStatus_d",
"type": "real"
},
{
"name": "receivedBytes_d",
"type": "real"
},
{
"name": "sentBytes_d",
"type": "real"
},
{
"name": "timeTaken_d",
"type": "real"
},
{
"name": "resultDescription_ErrorJobs_s",
"type": "string"
},
{
"name": "resultDescription_ChildJobs_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_identity_claims_scope_s",
"type": "string"
},
{
"name": "workflowId_s",
"type": "string"
},
{
"name": "resource_location_s",
"type": "string"
},
{
"name": "resource_workflowId_g",
"type": "string"
},
{
"name": "resource_resourceGroupName_s",
"type": "string"
},
{
"name": "resource_subscriptionId_g",
"type": "string"
},
{
"name": "resource_runId_s",
"type": "string"
},
{
"name": "resource_workflowName_s",
"type": "string"
},
{
"name": "_schema_s",
"type": "string"
},
{
"name": "correlation_clientTrackingId_s",
"type": "string"
},
{
"name": "properties_sku_Family_s",
"type": "string"
},
{
"name": "properties_sku_Name_s",
"type": "string"
},
{
"name": "properties_tenantId_g",
"type": "string"
},
{
"name": "properties_enabledForDeployment_b",
"type": "bool"
},
{
"name": "code_s",
"type": "string"
},
{
"name": "resultDescription_Summary_MachineId_s",
"type": "string"
},
{
"name": "resultDescription_Summary_ScheduleName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_Status_s",
"type": "string"
},
{
"name": "resultDescription_Summary_StatusDescription_s",
"type": "string"
},
{
"name": "resultDescription_Summary_MachineName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_TotalUpdatesInstalled_d",
"type": "real"
},
{
"name": "resultDescription_Summary_RebootRequired_b",
"type": "bool"
},
{
"name": "resultDescription_Summary_TotalUpdatesFailed_d",
"type": "real"
},
{
"name": "resultDescription_Summary_InstallPercentage_d",
"type": "real"
},
{
"name": "resultDescription_Summary_StartDateTimeUtc_t",
"type": "datetime"
},
{
"name": "resource_triggerName_s",
"type": "string"
},
{
"name": "resultDescription_Summary_InitialRequiredUpdatesCount_d",
"type": "real"
},
{
"name": "properties_enabledForTemplateDeployment_b",
"type": "bool"
},
{
"name": "resultDescription_Summary_EndDateTimeUtc_s",
"type": "string"
},
{
"name": "resultDescription_Summary_DurationInMinutes_s",
"type": "string"
},
{
"name": "resource_originRunId_s",
"type": "string"
},
{
"name": "properties_enabledForDiskEncryption_b",
"type": "bool"
},
{
"name": "resource_actionName_s",
"type": "string"
},
{
"name": "correlation_actionTrackingId_g",
"type": "string"
},
{
"name": "resultDescription_Summary_EndDateTimeUtc_t",
"type": "datetime"
},
{
"name": "resultDescription_Summary_DurationInMinutes_d",
"type": "real"
},
{
"name": "conditions_protocols_s",
"type": "string"
},
{
"name": "identity_claim_ipaddr_s",
"type": "string"
},
{
"name": "ElasticPoolName_s",
"type": "string"
},
{
"name": "identity_claim_http_schemas_microsoft_com_claims_authnmethodsreferences_s",
"type": "string"
},
{
"name": "RunOn_s",
"type": "string"
},
{
"name": "query_hash_s",
"type": "string"
},
{
"name": "SourceSystem",
"type": "string"
},
{
"name": "MG",
"type": "string"
},
{
"name": "ManagementGroupName",
"type": "string"
},
{
"name": "Computer",
"type": "string"
},
{
"name": "RawData",
"type": "string"
},
{
"name": "healthyHostCount_d",
"type": "real"
},
{
"name": "unHealthyHostCount_d",
"type": "real"
},
{
"name": "requestCount_d",
"type": "real"
},
{
"name": "latency_d",
"type": "real"
},
{
"name": "failedRequestCount_d",
"type": "real"
},
{
"name": "throughput_d",
"type": "real"
},
{
"name": "timeStamp_t",
"type": "datetime"
},
{
"name": "listenerName_s",
"type": "string"
},
{
"name": "backendPoolName_s",
"type": "string"
},
{
"name": "backendSettingName_s",
"type": "string"
},
{
"name": "originalRequestUriWithArgs_s",
"type": "string"
},
{
"name": "clientResponseTime_d",
"type": "real"
},
{
"name": "transactionId_g",
"type": "string"
},
{
"name": "sslCipher_s",
"type": "string"
},
{
"name": "sslProtocol_s",
"type": "string"
},
{
"name": "sslClientVerify_s",
"type": "string"
},
{
"name": "sslClientCertificateFingerprint_s",
"type": "string"
},
{
"name": "sslClientCertificateIssuerName_s",
"type": "string"
},
{
"name": "serverRouted_s",
"type": "string"
},
{
"name": "serverStatus_s",
"type": "string"
},
{
"name": "serverResponseLatency_s",
"type": "string"
},
{
"name": "upstreamSourcePort_s",
"type": "string"
},
{
"name": "originalHost_s",
"type": "string"
},
{
"name": "AdditionalFields",
"type": "dynamic"
},
{
"name": "Type",
"type": "string"
},
{
"name": "_ItemId",
"type": "string"
},
{
"name": "_ResourceId",
"type": "string"
},
{
"name": "IngestionTime",
"type": "datetime"
},
{
"name": "LogId",
"type": "string"
}
],
"rows": [
[
"64edd2cc-4514-4294-b4b1-9688a4a051b7",
"2023-09-14T08:00:00Z",
"/SUBSCRIPTIONS/52E818A3-1BF2-4A1D-8D2F-8632474E0DE1/RESOURCEGROUPS/TEST/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/APPGW-1",
"ApplicationGatewayPerformanceLog",
"TEST",
"52e818a3-1bf2-4a1d-8d2f-8632474e0de1",
"MICROSOFT.NETWORK",
"APPGW-1",
"APPLICATIONGATEWAYS",
"ApplicationGatewayPerformance",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"ApplicationGatewayRole_IN_1",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
null,
null,
null,
"",
"",
"",
"",
"",
null,
null,
null,
null,
null,
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
null,
null,
null,
null,
null,
"",
null,
null,
"",
"",
"",
null,
"",
"",
null,
null,
"",
"",
"",
"",
"",
"",
"Azure",
"",
"",
"",
"",
15,
33,
10010,
60,
44,
101,
null,
"",
"",
"",
"",
null,
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
"",
null,
"AzureDiagnostics",
"708def1d-655d-42ee-bb93-a82ff1584a98",
"/subscriptions/52e818a3-1bf2-4a1d-8d2f-8632474e0de1/resourcegroups/test/providers/microsoft.network/applicationgateways/appwgw-1",
"2023-09-14T08:01:41.9437839Z",
"708def1d-655d-42ee-bb93-a82ff1584a98"
]
]
}
]
}

 

Table Fields

Field

Description

TABLE

AzureApplicationGatewayPerformanceLog is a value derived from Azure + CATEGORY’s value.

SYSTEM

Will base its value on the configured domain value.

DATE

Based on the extracted date value from CreatedDateTime.

TIME

Based on the extracted time value from CreatedDateTime.

DATETIME

Based on the extracted datetime value from CreatedDateTime and formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.

COLLECTIONDATETIME

Snare Central’s local date and time of the log collection from the API, formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format.

CATEGORY

Based on Category, this field indicates the log category of the event. ApplicationGatewayPerformanceLog is the fixed value for this log type.

FAILEDREQUESTCOUNT

Based on failedRequestCount_d, this field indicates the number of failed requests.

HEALTHYHOSTCOUNT

Based on healthyHostCount_d, this field indicates the number of healthy hosts in the backend pool.

INSTANCEID

Based on instanceId_s, this field indicates the Application Gateway instance for which performance data is being generated.

LATENCY

Based on latency_d, this field indicates the average latency (in milliseconds) of requests from the instance to the back end that serves the requests.

OPERATIONNAME

Based on OperationName, this field indicates the name of the operation that this event represents. ApplicationGatewayPerformance is the fixed value for this log type.

REQUESTCOUNT

Based on requestCount_d, this field indicates the number of requests served.

RESOURCE

Based on Resource, this field indicates the name of the Application Gateway resource.

RESOURCEGROUP

Based on ResourceGroup, this field indicates the resource group name of the impacted resource.

RESOURCEID

Based on ResourceId, this field indicates a unique identifier for the resource that the record or log is associated with.

RESOURCEPROVIDER

Based on ResourceProvider, this field indicates the ID of the resource provider for the impacted resource. MICROSOFT.NETWORK is the fixed value for this log type.

RESOURCETYPE

Based on ResourceType, this field indicates the type of the impacted resource. APPLICATIONGATEWAYS is the fixed value for all Azure Application Gateway logs.

SOURCESYSTEM

Based on SourceSystem, this field contains Azure as the fixed value for all log types under the AzureDiagnostics table.

SUBSCRIPTIONID

Based on SubscriptionId, this field indicates the subscription ID of the impacted resource.

TENANTID

Based on TenantId, this field indicates the Log Analytics workspace ID.

THROUGHPUT

Based on throughput_d, this field indicates the average throughput since the last log, measured in bytes per second.

TIMEGENERATED

Based on TimeGenerated, this field indicates the timestamp when the event was generated by the Azure service processing the request corresponding to the event.

TYPE

Based on Type, this field indicates the name of the table. AzureDiagnostics is the fixed value for this log type.

UNHEALTHYHOSTCOUNT

Based on unHealthyHostCount_d, this field indicates the number of unhealthy hosts in the backend pool.

WORKSPACEID

A value that was derived from TenantId.

SNAREDATAMAP

All unclassified field(s) parsed from this log type will be pushed into the SNAREDATAMAP in key=value format and separated by newline.
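The field mapping above can be reproduced over a columns/rows response like the one in Log Structure. This is an added example, not Snare Central's own code, and it leaves out the date and SYSTEM fields. The helper names `snare_name` and `normalize`, the dropping of empty values, and the trimmed sample response are assumptions made for illustration.

```python
import re

# Columns the "Table Fields" list classifies for the performance log.
CLASSIFIED = [
    "Category", "failedRequestCount_d", "healthyHostCount_d", "instanceId_s",
    "latency_d", "OperationName", "requestCount_d", "Resource", "ResourceGroup",
    "ResourceId", "ResourceProvider", "ResourceType", "SourceSystem",
    "SubscriptionId", "TenantId", "throughput_d", "TimeGenerated", "Type",
    "unHealthyHostCount_d",
]

def snare_name(column):
    """failedRequestCount_d -> FAILEDREQUESTCOUNT (drop the type suffix, upper-case)."""
    return re.sub(r"_[a-z]$", "", column).upper()

def normalize(response):
    """Turn a columns/rows response into one dict per row (hypothetical helper)."""
    events = []
    for table in response["tables"]:
        names = [c["name"] for c in table["columns"]]
        for row in table["rows"]:
            if len(row) != len(names):  # positional data: a short row shifts every field
                raise ValueError(f"row has {len(row)} values, expected {len(names)}")
            # Assumption: empty strings and nulls are dropped, zeros are kept.
            rec = {k: v for k, v in zip(names, row) if v is not None and v != ""}
            event = {snare_name(c): rec.pop(c) for c in CLASSIFIED if c in rec}
            event["TABLE"] = "Azure" + event.get("CATEGORY", "")
            event["WORKSPACEID"] = event.get("TENANTID")
            # Everything not classified goes to SNAREDATAMAP as key=value lines.
            event["SNAREDATAMAP"] = "\n".join(f"{k}={v}" for k, v in rec.items())
            events.append(event)
    return events

# Constructed sample: the page's row cut down to a handful of columns.
SAMPLE = {"tables": [{"name": "PrimaryResult",
    "columns": [{"name": n, "type": t} for n, t in [
        ("TenantId", "string"), ("Category", "string"), ("Resource", "string"),
        ("host_s", "string"), ("instanceId_s", "string"),
        ("healthyHostCount_d", "real"), ("unHealthyHostCount_d", "real"),
        ("requestCount_d", "real"), ("failedRequestCount_d", "real"),
        ("_ItemId", "string")]],
    "rows": [["64edd2cc-4514-4294-b4b1-9688a4a051b7", "ApplicationGatewayPerformanceLog",
              "APPGW-1", "", "ApplicationGatewayRole_IN_1", 15, 33, 10010, 44,
              "708def1d-655d-42ee-bb93-a82ff1584a98"]]}]}

if __name__ == "__main__":
    for key, value in normalize(SAMPLE)[0].items():
        print(f"{key}: {value!r}")
```

The length check matters because rows are positional: with well over a hundred columns, one missing value would silently assign every later value to the wrong field.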

 

Notes

Diagnostic logs - Azure Application Gateway

Azure Monitor Logs reference - AzureDiagnostics - Azure Monitor