0

We have provisioned an instance of the Azure app gateway (Standard v2, East AU region) and have enabled its diagnostic settings to dump all metrics and logs to the Log Analytics workspace, and this seems to be working fine. However, we wanted additional insights into the requests and hence have scaled up the tier and enabled WAF v2 (as shown in the image below).


Now, based on this documentation here https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-diagnostics#diagnostic-logging and after waiting for some time, we expected that the firewall logs would be automatically populated in the same Log Analytics workspace; however, this does not seem to work and they are simply not populated there.

Note that we can see the "ApplicationGatewayAccessLog" logs, and the query below is evidence of the same: AzureDiagnostics | distinct Category returns only one category, i.e. "ApplicationGatewayAccessLog".

Does anyone know if we are missing something or have any input?

Bhushan

1 Answer

0

Sometimes, the output is not the same when you explore data from Application Gateway logs and from your specific Log Analytics workspace logs. You can compare these results on your side. See this issue.

In this case, you should have finished some access actions to your Application Gateway and triggered the firewall access log collection before the data can be collected by Azure monitoring. Though the document states that firewall logs are collected every 60 seconds, sometimes the data is delayed (even by more than 2 days) in being logged, and the region you are located in also impacts the data display time. From this blog, you can see an hourly log of firewall actions on the WAF.

For more information, you can use Log Analytics to examine Application Gateway Web Application Firewall Logs.

Nancy
  • Apparently there seem to be a lot of 'sometimes' cases for this. Why can't it generate WAF logs consistently, and why aren't they accessible in the LA workspace logs section? Note that we have already performed a lot of access actions for the provisioned application gateway; however, the WAF logs were still not seen even after waiting for several days. Are there any specific set of access actions that are required to be performed to get those generated? – Bhushan Jun 20 '20 at 14:21
  • As far as I know, you just need to enable the firewall logs in the diagnostic settings, see https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-diagnostics#enable-logging-through-the-azure-portal – Nancy Jun 22 '20 at 01:21
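
An added example, not part of the original question, answer or comments: a check of which Application Gateway log categories a diagnostic setting actually routes to a Log Analytics workspace, the condition the last comment points at. It assumes the settings were exported as JSON with `az monitor diagnostic-settings list --resource <gateway-id>`; the sample data, resource IDs and function names are constructed for illustration.

```python
import json

# Log categories Application Gateway emits; the firewall category only applies to WAF SKUs.
APPGW_LOG_CATEGORIES = (
    "ApplicationGatewayAccessLog",
    "ApplicationGatewayPerformanceLog",
    "ApplicationGatewayFirewallLog",
)

# Constructed sample shaped like the diagnostic-settings list output (placeholder IDs).
SAMPLE_SETTINGS = json.loads("""
[
  {
    "name": "appgw-to-la",
    "workspaceId": "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<workspace>",
    "logs": [
      {"category": "ApplicationGatewayAccessLog", "enabled": true},
      {"category": "ApplicationGatewayPerformanceLog", "enabled": false},
      {"category": "ApplicationGatewayFirewallLog", "enabled": false}
    ]
  }
]
""")


def categories_sent_to_workspace(settings):
    """Return gateway log categories enabled in any setting that targets a workspace."""
    if isinstance(settings, dict):          # some responses wrap the list in {"value": [...]}
        settings = settings.get("value", [])
    enabled = set()
    for setting in settings:
        if not setting.get("workspaceId"):  # storage/event hub only: nothing reaches Log Analytics
            continue
        for log in setting.get("logs") or []:
            if not log.get("enabled"):
                continue
            if log.get("categoryGroup") == "allLogs":
                enabled.update(APPGW_LOG_CATEGORIES)
            elif log.get("category") in APPGW_LOG_CATEGORIES:
                enabled.add(log["category"])
    return enabled


def missing_categories(settings):
    """Categories that no diagnostic setting routes to a workspace."""
    have = categories_sent_to_workspace(settings)
    return [c for c in APPGW_LOG_CATEGORIES if c not in have]


if __name__ == "__main__":
    for category in missing_categories(SAMPLE_SETTINGS):
        print(f"not enabled for the workspace: {category}")
```

If `ApplicationGatewayFirewallLog` is reported as missing, `AzureDiagnostics | distinct Category` can only ever return the categories that are enabled, regardless of how much traffic the WAF inspects.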