Intro

This is a quick post on how to query Azure Application Gateway logs using Kusto Query Language (KQL). It's not a deep dive into KQL, but rather a quick reference of useful queries for future Brad.

Application Gateway

Search for logs for a specific host.

```kusto
AzureDiagnostics
  | where Category == "ApplicationGatewayAccessLog"
  | where host_s == "blah.example.com"
```

Web Application Firewall

Query the WAF logs for all hits. Groups the results by hostname, resource, action, ruleId, URI, and message, counts the hits in each group, then sorts from most to least hits.

```kusto
AzureDiagnostics
  | where Category == "ApplicationGatewayFirewallLog"
  // Uncomment to search for a specific hostname
  // | where tostring(AdditionalFields.hostname) == "blah.example.com"
  // AdditionalFields is dynamic, so cast the fields to string before grouping on them
  | project Hostname=tostring(AdditionalFields.hostname), Resource, Action=action_s, URI=requestUri_s, ruleId=tostring(AdditionalFields.ruleId), Message
  | summarize AggregatedValue = count() by Hostname, Resource, Action, ruleId, URI, Message
  | sort by AggregatedValue desc
```
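An added query that is not from the original post: it extends the WAF query above to show, per hostname and rule, how many blocked hits landed in each hour and how many distinct clients caused them, so a single noisy client can be told apart from a rule that fires across many clients (a likely false positive worth tuning). It assumes a `clientIp_s` column and an `action_s` value of `Blocked`, neither of which the post shows.

```kusto
AzureDiagnostics
  | where TimeGenerated > ago(24h)
  | where Category == "ApplicationGatewayFirewallLog"
  // Only requests the WAF actually blocked (assumed value; in Detection mode the action differs)
  | where action_s == "Blocked"
  // AdditionalFields is dynamic, so cast before grouping on it
  | extend Hostname = tostring(AdditionalFields.hostname), RuleId = tostring(AdditionalFields.ruleId)
  | summarize Hits = count(),
              Clients = dcount(clientIp_s),      // clientIp_s is assumed, not shown in the post
              SampleURI = take_any(requestUri_s),
              SampleMessage = take_any(Message)
      by Hostname, RuleId, Hour = bin(TimeGenerated, 1h)
  // One client tripping a rule many times looks different from many clients tripping it once
  | extend HitsPerClient = todouble(Hits) / Clients
  // Drop the long tail so only rules with meaningful volume in that hour remain
  | where Hits >= 20
  | sort by Hour asc, Hits desc
```

A high HitsPerClient points at one source hammering a rule; Hits spread over many clients with a benign SampleURI usually means the rule itself needs an exclusion.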

Outro

As time goes on, I'll add more queries to this post.