Azure Application Gateway Log Analytics
Published: 2023-11-29
Intro
This is a quick post on how to query Azure Application Gateway logs using Kusto Query Language (KQL). It's not a deep dive into KQL, but rather a quick reference of useful queries for future Brad.
Application Gateway
Search for logs for a specific host.
Kusto Query Language (KQL)
AzureDiagnostics
| where Category == "ApplicationGatewayAccessLog"
| where host_s == "blah.example.com"
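Building on the host filter above, here is an added query (not from the original post) that turns the access log into a quick health check: it buckets requests per host into HTTP status classes in one-hour bins and keeps only the 4xx and 5xx rows, so a burst of errors or probing against a single host stands out. The column names httpStatus_d and clientIP_s are assumed to follow the AzureDiagnostics flattening convention (string columns end in _s, numeric ones in _d); confirm them in your workspace with `AzureDiagnostics | getschema` before relying on the query.

```kusto
// Added example: 4xx/5xx request counts per host and hour from the Application Gateway access log.
// Assumed column names (AzureDiagnostics flattening): httpStatus_d, clientIP_s.
AzureDiagnostics
| where TimeGenerated > ago(24h)
| where Category == "ApplicationGatewayAccessLog"
// Uncomment to restrict to one host
// | where host_s == "blah.example.com"
// Map the numeric status code to a class; case() avoids relying on integer division semantics
| extend StatusClass = case(httpStatus_d >= 500, "5xx",
                            httpStatus_d >= 400, "4xx",
                            httpStatus_d >= 300, "3xx",
                            "2xx")
| summarize Requests = count(), UniqueClients = dcount(clientIP_s)
    by bin(TimeGenerated, 1h), host_s, StatusClass
| where StatusClass in ("4xx", "5xx")
| sort by TimeGenerated desc, Requests desc
```

Drop the final `where` to see the full status distribution; a high Requests count with a low UniqueClients value in the 4xx bucket usually means one client is scanning rather than many users hitting a broken page.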
Web Application Firewall
Query the WAF logs for all hits. The results are grouped by hostname, resource, action, ruleId, URI and message, counted per group, and then sorted from most to least hits.
Kusto Query Language (KQL)
AzureDiagnostics
| where Category == "ApplicationGatewayFirewallLog"
// Uncomment to search for a specific hostname
// | where AdditionalFields.hostname == "blah.example.com"
| project Hostname=AdditionalFields.hostname, Resource, Action=action_s, URI=requestUri_s, ruleId=AdditionalFields.ruleId, Message
// Hostname and ruleId come from a dynamic column, so cast them to string before grouping
| summarize AggregatedValue = count() by tostring(Hostname), Resource, Action, tostring(ruleId), URI, Message
| sort by AggregatedValue desc
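The query above counts every WAF hit. As an added example (again, not from the original post), the following query narrows that to requests the WAF actually blocked, or would have blocked if the policy were in prevention mode, and groups them by client IP so repeat offenders float to the top. It reuses action_s, requestUri_s, AdditionalFields.hostname and AdditionalFields.ruleId from the query above; clientIp_s is an assumed column name, so check it with `AdditionalFields | getschema` as well. The Hits threshold is an arbitrary starting point to tune for your traffic.

```kusto
// Added example: blocked (or detected) WAF events per client IP and host over the last 24 hours.
// clientIp_s is an assumed AzureDiagnostics column name; the other fields match the query above.
AzureDiagnostics
| where TimeGenerated > ago(24h)
| where Category == "ApplicationGatewayFirewallLog"
// "Blocked" is emitted in prevention mode; "Detected" is what the same rules log in detection mode
| where action_s in ("Blocked", "Detected")
| extend Hostname = tostring(AdditionalFields.hostname), RuleId = tostring(AdditionalFields.ruleId)
| summarize Hits = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Rules = make_set(RuleId, 10),        // up to 10 distinct rule IDs per client
            SampleURIs = make_set(requestUri_s, 5)  // a few example paths for triage
    by clientIp_s, Hostname
| where Hits >= 10   // tunable: hide one-off false positives
| sort by Hits desc
```

Rules and SampleURIs are what make a row actionable: many distinct rule IDs against many paths from one IP looks like scanning, while a single rule firing on one path from many IPs is more often a false positive worth an exclusion than an attack.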
Outro
As time goes on, I'll add more queries to this post.
Links
https://learn.microsoft.com/en-us/azure/application-gateway/monitor-application-gateway
https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-diagnostics
https://learn.microsoft.com/en-us/azure/application-gateway/log-analytics