Azure Resource logs: Application Gateway logs
Overview
Three types of resource logs from Application Gateway
Access log: You can use this log to view Application Gateway access patterns and analyze important information, such as the caller's IP, requested URL, response latency, return code, and bytes in and out.
Firewall log: You can use this log to view the requests that are logged through either detection or prevention mode of an application gateway that is configured with the web application firewall.
Performance log: You can use this log to view how Application Gateway instances are performing.
Azure Application Gateway Access Log: AzureApplicationGatewayAccessLog
You can use this log to view Application Gateway access patterns and analyze important information. This includes the caller's IP, requested URL, response latency, return code, and bytes in and out.
This log contains one record per instance of Application Gateway. The Application Gateway instance is identified by the instanceId property.
Log Structure
Table Fields
Field | Description |
---|---|
TABLE | AzureApplicationGatewayAccessLog is a value derived from Azure + CATEGORY’s value. |
SYSTEM | Will base its value on CLIENTIP if not empty; otherwise, it will use the domain value defined in the configuration. |
DATE | Based on the extracted date value from CreatedDateTime. |
TIME | Based on the extracted time value from CreatedDateTime. |
DATETIME | Based on the extracted datetime value from CreatedDateTime and formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format. |
COLLECTIONDATETIME | Snare Central’s local date and time of the log collection from the API, formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format. |
BACKENDPOOLNAME | Based on backendPoolName_s, this field indicates the name of the Backend pool associated with the Application Gateway resource. |
BACKENDSETTINGNAME | Based on backendSettingName_s, this field indicates the name of the Backend setting associated with the Application Gateway resource. |
CATEGORY | Based on Category, this field indicates the log category of the event; ApplicationGatewayAccessLog is the fixed value for this log type. |
CLIENTIP | Based on clientIP_s, this field indicates the IP of the immediate client of Application Gateway. |
CLIENTPORT | Based on clientPort_d, this field indicates the originating port for the request. |
HOST | Based on host_s, this field indicates the address listed in the host header of the request. |
HTTPMETHOD | Based on httpMethod_s, this field indicates the HTTP method used by the request. |
HTTPSTATUS | Based on httpStatus_d, this field indicates the HTTP status code returned to the client from Application Gateway. |
HTTPVERSION | Based on httpVersion_s, this field indicates the HTTP version of the request. |
INGESTIONTIME | Based on IngestionTime, this field indicates the datetime value specifying the approximate time of ingestion into an Azure table. |
INSTANCEID | Based on instanceId_s, this field indicates the Application Gateway instance that served the request. |
LISTENERNAME | Based on listenerName_s, this field indicates the name of the Listener associated with the Application Gateway resource. |
LOGID | Based on LogId, this field indicates a unique identifier for the record or log. |
OPERATIONNAME | Based on OperationName, this field indicates the name of the operation that this event represents; ApplicationGatewayAccess is the fixed value for this log type. |
ORIGINALHOST | Based on originalHost_s, this field indicates the hostname with which the request was received by the Application Gateway from the client. |
REQUESTQUERY | Based on requestQuery_s, this field contains the following information: Server-Routed, X-AzureApplicationGateway-LOG-ID and SERVER-STATUS. |
REQUESTURI | Based on requestUri_s, this field indicates the URI of the received request. |
RESOURCE | Based on Resource, this field indicates the name of the Application Gateway resource. |
RESOURCEGROUP | Based on ResourceGroup, this field indicates the resource group name of the impacted resource. |
RESOURCEID | Based on ResourceId, this field indicates a unique identifier for the resource that the record or log is associated with. |
RESOURCEPROVIDER | Based on ResourceProvider, this field indicates the Id of the resource provider for the impacted resource; MICROSOFT.NETWORK is the fixed value for this log type. |
RESOURCETYPE | Based on ResourceType, this field indicates the type of the impacted resource; APPLICATIONGATEWAYS is the fixed value for all Azure Application Gateway logs. |
RULENAME | Based on ruleName_s, this field indicates the rule name set and configured on the Application Gateway resource. |
SERVERROUTED | Based on serverRouted_s, this field indicates the backend server that application gateway routes the request to. |
SERVERSTATUS | Based on serverStatus_s, this field indicates the HTTP status code of the backend server. |
SOURCESYSTEM | Based on SourceSystem, this field contains Azure as the fixed value for all log types under the AzureDiagnostics table. |
SSLENABLED | Based on sslEnabled_s, this field indicates whether communication to the backend pools used TLS/SSL. |
SUBSCRIPTIONID | Based on SubscriptionId, this field indicates the subscription ID of the impacted resource. |
TIMESTAMP | Based on timeStamp_t, this field indicates the date time when the request was processed by the Application Gateway. |
TENANTID | Based on TenantId, this field indicates the Log Analytics workspace ID. |
TIMEGENERATED | Based on TimeGenerated, this field indicates the timestamp when the event was generated by the Azure service processing the request corresponding to the event. |
TRANSACTIONID | Based on transactionId_g, this field indicates a unique identifier to correlate the request received from the client. |
TYPE | Based on Type, this field indicates the name of the table; AzureDiagnostics is the fixed value for this log type. |
UPSTREAMSOURCEPORT | Based on upstreamSourcePort_s, this field indicates the source port used by Application Gateway when initiating a connection to the backend target. |
USERAGENT | Based on userAgent_s, this field indicates the user agent from the HTTP request header. |
WAFMODE | Based on WAFMode_s, this field indicates the mode of the WAF involved, which can be either Detection or Prevention. |
WAFPOLICYID | Based on WAFPolicyID_s, this field indicates the ID of the WAF policy associated with the request. |
WORKSPACEID | A value that was derived from TenantId. |
SNAREDATAMAP | All unclassified field(s) parsed from this log type will be pushed into the SNAREDATAMAP in key=value format and separated by newline. |
Azure Application Gateway Firewall Log: AzureApplicationGatewayFirewallLog
You can use this log to view the requests that are logged through either detection or prevention mode of an application gateway that is configured with the web application firewall.
Log Structure
Table Fields
Field | Description |
---|---|
TABLE | AzureApplicationGatewayFirewallLog is a value derived from Azure + CATEGORY’s value. |
SYSTEM | Will base its value on CLIENTIP if not empty; otherwise, it will use the domain value defined in the configuration. |
DATE | Based on the extracted date value from CreatedDateTime. |
TIME | Based on the extracted time value from CreatedDateTime. |
DATETIME | Based on the extracted datetime value from CreatedDateTime and formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format. |
COLLECTIONDATETIME | Snare Central’s local date and time of the log collection from the API, formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format. |
CATEGORY | Based on Category, this field indicates the log category of the event; ApplicationGatewayFirewallLog is the fixed value for this log type. |
ACTION | Based on action_s, this field indicates the action taken on the request. |
CLIENTIP | Based on clientIp_s, this field indicates the originating IP for the request. |
CLIENTPORT | Based on clientPort_d, this field indicates the originating port for the request. |
DETAILSDATA | Based on details_data_s, this field indicates a specific data found in request that matched the rule. |
DETAILSFILE | Based on details_file_s, this field indicates the configuration file that contained the rule. |
ENGINE | Based on clientIp_s, there’s no available documentation for this field. |
HOSTNAME | Based on hostname_s, this field indicates the hostname or IP address of the Application Gateway. |
MESSAGE | Based on Message, this field indicates the description about the rule. |
OPERATIONNAME | Based on OperationName, this field indicates the name of the operation that this event represents; ApplicationGatewayFirewall is the fixed value for this log type. |
POLICYID | Based on policyId_s, this field indicates the ID of the WAF policy associated with the request. |
POLICYSCOPE | Based on policyScope_s, this field indicates the scope of the WAF policy associated with the request. |
POLICYSCOPENAME | Based on policyScopeName_s, there’s no available documentation for this field. |
REQUESTURI | Based on requestUri_s, this field indicates the URL of the received request. |
RESOURCE | Based on Resource, this field indicates the name of the Application Gateway resource. |
RESOURCEGROUP | Based on ResourceGroup, this field indicates the resource group name of the impacted resource. |
RESOURCEID | Based on ResourceId, this field indicates a unique identifier for the resource that the record or log is associated with. |
RESOURCEPROVIDER | Based on ResourceProvider, this field indicates the Id of the resource provider for the impacted resource; MICROSOFT.NETWORK is the fixed value for this log type. |
RESOURCETYPE | Based on ResourceType, this field indicates the type of the impacted resource; APPLICATIONGATEWAYS is the fixed value for all Azure Application Gateway logs. |
RULEID | Based on ruleId_s, this field indicates the ID of the rule associated with the WAF policy for the said request. |
RULEGROUP | Based on ruleGroup_s, this field indicates the ID of the rule group associated with the WAF policy for the said request. |
RULESETTYPE | Based on ruleSetType_s, this field indicates the rule set type. |
RULESETVERSION | Based on ruleSetVersion_s, this field indicates the rule set version used. |
SOURCESYSTEM | Based on SourceSystem, this field contains Azure as the fixed value for all log types under the AzureDiagnostics table. |
SUBSCRIPTIONID | Based on SubscriptionId, this field indicates the subscription ID of the impacted resource. |
TENANTID | Based on TenantId, this field indicates the Log Analytics workspace ID. |
TIMEGENERATED | Based on TimeGenerated, this field indicates the timestamp when the event was generated by the Azure service processing the request corresponding to the event. |
TIMESTAMP | Based on timeStamp_t, this field indicates the date time when the request was processed by the Application Gateway. |
TRANSACTIONID | Based on transactionId_g, this field indicates a unique identifier to correlate the request received from the client. |
TYPE | Based on Type, this field indicates the name of the table; AzureDiagnostics is the fixed value for this log type. |
WORKSPACEID | A value that was derived from TenantId. |
SNAREDATAMAP | All unclassified field(s) parsed from this log type will be pushed into the SNAREDATAMAP in key=value format and separated by newline. |
Azure Application Gateway Performance Log: AzureApplicationGatewayPerformanceLog
You can use this log to view how Application Gateway instances are performing.
This log captures performance information for each instance, including total requests served, throughput in bytes, failed request count, and healthy and unhealthy backend instance count.
Log Structure
Table Fields
Field | Description |
---|---|
TABLE | AzureApplicationGatewayPerformanceLog is a value derived from Azure + CATEGORY’s value. |
SYSTEM | Will base its value on the configured domain value. |
DATE | Based on the extracted date value from CreatedDateTime. |
TIME | Based on the extracted time value from CreatedDateTime. |
DATETIME | Based on the extracted datetime value from CreatedDateTime and formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format. |
COLLECTIONDATETIME | Snare Central’s local date and time of the log collection from the API, formatted using RFC3339Nano (2023-03-03T01:59:16.756103200Z00:00) format. |
CATEGORY | Based on Category, this field indicates the log category of the event; ApplicationGatewayPerformanceLog is the fixed value for this log type. |
FAILEDREQUESTCOUNT | Based on failedRequestCount_d, this field indicates the number of failed requests. |
HEALTHYHOSTCOUNT | Based on healthyHostCount_d, this field indicates the number of healthy hosts in the backend pool. |
INSTANCEID | Based on instanceId_s, this field indicates the Application Gateway instance for which performance data is being generated. |
LATENCY | Based on latency_d, this field indicates the average latency (in milliseconds) of requests from the instance to the back end that serves the requests. |
OPERATIONNAME | Based on OperationName, this field indicates the name of the operation that this event represents; ApplicationGatewayPerformance is the fixed value for this log type. |
REQUESTCOUNT | Based on requestCount_d, this field indicates the number of requests served. |
RESOURCE | Based on Resource, this field indicates the name of the Application Gateway resource. |
RESOURCEGROUP | Based on ResourceGroup, this field indicates the resource group name of the impacted resource. |
RESOURCEID | Based on ResourceId, this field indicates a unique identifier for the resource that the record or log is associated with. |
RESOURCEPROVIDER | Based on ResourceProvider, this field indicates the Id of the resource provider for the impacted resource; MICROSOFT.NETWORK is the fixed value for this log type. |
RESOURCETYPE | Based on ResourceType, this field indicates the type of the impacted resource; APPLICATIONGATEWAYS is the fixed value for all Azure Application Gateway logs. |
SOURCESYSTEM | Based on SourceSystem, this field contains Azure as the fixed value for all log types under the AzureDiagnostics table. |
SUBSCRIPTIONID | Based on SubscriptionId, this field indicates the subscription ID of the impacted resource. |
TENANTID | Based on TenantId, this field indicates the Log Analytics workspace ID. |
THROUGHPUT | Based on throughput_d, this field indicates the average throughput since the last log, measured in bytes per second. |
TIMEGENERATED | Based on TimeGenerated, this field indicates the timestamp when the event was generated by the Azure service processing the request corresponding to the event. |
TYPE | Based on Type, this field indicates the name of the table; AzureDiagnostics is the fixed value for this log type. |
UNHEALTHYHOSTCOUNT | Based on unHealthyHostCount_d, this field indicates the number of unhealthy hosts in the backend pool. |
WORKSPACEID | A value that was derived from TenantId. |
SNAREDATAMAP | All unclassified field(s) parsed from this log type will be pushed into the SNAREDATAMAP in key=value format and separated by newline. |
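The derivation rules shared by the three tables above (TABLE = Azure + CATEGORY, the SYSTEM fallback from CLIENTIP to the configured domain, DATE/TIME/DATETIME from CreatedDateTime in RFC3339Nano form, WORKSPACEID from TenantId, and unclassified columns collected into SNAREDATAMAP) are shown here applied to a constructed access-log record. This is an added example, not Snare Central's own parser; the configured domain, the collection time and the record values are assumed, and CreatedDateTime is assumed to arrive on the record as an ISO-8601 timestamp since the page does not say where it comes from.

```python
# Added example (not Snare Central's code): map a constructed AzureDiagnostics
# Application Gateway access-log record into the Snare field layout tabulated above.
from datetime import datetime, timezone

CONFIGURED_DOMAIN = "appgw.example.internal"   # assumed stand-in for the configured domain value
COLLECTED_AT = datetime(2023, 3, 3, 2, 0, tzinfo=timezone.utc)   # constructed collection time

# Subset of the classified columns from the access-log table; every other column in a
# record is unclassified and lands in SNAREDATAMAP.
ACCESS_LOG_FIELDS = {
    "Category": "CATEGORY", "OperationName": "OPERATIONNAME", "Resource": "RESOURCE",
    "ResourceId": "RESOURCEID", "TenantId": "TENANTID", "TimeGenerated": "TIMEGENERATED",
    "Type": "TYPE", "clientIP_s": "CLIENTIP", "clientPort_d": "CLIENTPORT",
    "httpMethod_s": "HTTPMETHOD", "httpStatus_d": "HTTPSTATUS", "requestUri_s": "REQUESTURI",
    "instanceId_s": "INSTANCEID", "userAgent_s": "USERAGENT", "transactionId_g": "TRANSACTIONID",
}

def rfc3339nano(ts):
    # RFC3339 in UTC with trailing fractional zeros trimmed, as Go's RFC3339Nano layout does
    frac = f"{ts.microsecond:06d}".rstrip("0")
    return ts.strftime("%Y-%m-%dT%H:%M:%S") + (f".{frac}" if frac else "") + "Z"

def normalise(record, collected_at, configured_domain=CONFIGURED_DOMAIN):
    out = {"TABLE": "Azure" + record["Category"]}          # TABLE = Azure + CATEGORY's value
    client_ip = record.get("clientIP_s", "")
    out["SYSTEM"] = client_ip if client_ip else configured_domain   # CLIENTIP wins when non-empty
    # CreatedDateTime is assumed to arrive as an ISO-8601 timestamp on the record
    created = datetime.fromisoformat(record["CreatedDateTime"].replace("Z", "+00:00")).astimezone(timezone.utc)
    out["DATE"], out["TIME"] = created.strftime("%Y-%m-%d"), created.strftime("%H:%M:%S")
    out["DATETIME"] = rfc3339nano(created)
    out["COLLECTIONDATETIME"] = rfc3339nano(collected_at.astimezone(timezone.utc))
    out["WORKSPACEID"] = record.get("TenantId", "")          # WORKSPACEID is derived from TenantId
    unclassified = []
    for column, value in record.items():
        if column in ACCESS_LOG_FIELDS:
            out[ACCESS_LOG_FIELDS[column]] = value
        elif column != "CreatedDateTime":
            unclassified.append(f"{column}={value}")
    out["SNAREDATAMAP"] = "\n".join(unclassified)             # key=value pairs, newline separated
    return out

# Constructed sample: empty clientIP_s exercises the SYSTEM fallback; WAFMode_s and
# sslEnabled_s are left unclassified here so they show up in SNAREDATAMAP.
SAMPLE = {
    "Category": "ApplicationGatewayAccessLog", "OperationName": "ApplicationGatewayAccess",
    "Type": "AzureDiagnostics", "TenantId": "00000000-0000-0000-0000-000000000000",
    "CreatedDateTime": "2023-03-03T01:59:16.756103Z", "TimeGenerated": "2023-03-03T01:59:20Z",
    "clientIP_s": "", "clientPort_d": 51234, "httpMethod_s": "GET", "httpStatus_d": 403,
    "requestUri_s": "/login", "userAgent_s": "curl/8.0", "sslEnabled_s": "on", "WAFMode_s": "Prevention",
}
```

Calling normalise(SAMPLE, COLLECTED_AT) yields SYSTEM set to the configured domain because clientIP_s is empty, and a SNAREDATAMAP of two key=value lines for the columns the mapping does not classify.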
Notes
https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-diagnostics
https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azurediagnostics