Need logs query for application gateway

Mayank Jain 260 Reputation points
2023-05-29T11:58:55.83+00:00

I need an application gateway logs query for blocked path, unblocked path, and malicious activity with IP address.


Accepted answer
  1. GitaraniSharma-MSFT 49,256 Reputation points Microsoft Employee
    2023-05-29T12:33:29.5833333+00:00

    Hello @Mayank Jain ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you need a log query for application gateway to find the blocked requests and any malicious activity with IP address.

    Azure Web Application Firewall (WAF) on Azure Application Gateway provides centralized protection of your web applications from common exploits and vulnerabilities.

    Application Gateway has two versions of the WAF SKU:

    • Application Gateway WAF_v1
    • Application Gateway WAF_v2

    If you have configured WAF (Web Application Firewall) on your Application gateway, and have enabled Firewall log on it, you should be able to see the generated logs and examine them using Azure Monitor and Azure Monitor log analytics.

    Make sure your Application gateway SKU is of a WAF (Web Application Firewall) SKU.

    Refer: https://video2.skills-academy.com/en-us/azure/web-application-firewall/ag/ag-overview

    https://video2.skills-academy.com/en-us/azure/web-application-firewall/ag/application-gateway-web-application-firewall-portal

    And then check that Diagnostic settings are enabled for the Application gateway and that Firewall log is selected.

    Refer: https://video2.skills-academy.com/en-us/azure/web-application-firewall/ag/web-application-firewall-logs#enable-logging-through-the-azure-portal

    You can then monitor the WAF logs via metrics and log analytics following the below docs:

    https://video2.skills-academy.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-metrics

    https://video2.skills-academy.com/en-us/azure/application-gateway/log-analytics

    Matched/Blocked requests by IP:

    AzureDiagnostics
    | where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayFirewallLog"
    | summarize count() by clientIp_s, bin(TimeGenerated, 1m)
    | render timechart
    

    Matched/Blocked requests by URI:

    AzureDiagnostics
    | where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayFirewallLog"
    | summarize count() by requestUri_s, bin(TimeGenerated, 1m)
    | render timechart
    

    For your WAF to block or log requests from known malicious IP addresses, you need to enable a managed bot protection rule set. You can use the Bot Protection ruleset alongside any of the OWASP rulesets with the Application Gateway WAF v2 SKU only.


    Refer: https://video2.skills-academy.com/en-us/azure/web-application-firewall/ag/bot-protection-overview

    https://video2.skills-academy.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-metrics#application-gateway-waf-v2-metrics

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
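
Added example, not part of the original answer: the two queries above count every firewall log entry together, so this variant separates blocked hits from matched and detected ones per client IP and request path. The columns action_s, ruleId_s and hostname_s come from the AzureDiagnostics schema for this log category; the 24-hour window, the top-50 limit and the output column names are assumptions chosen here.

```kusto
// Added example: WAF hits per client IP and path, split by the action the WAF took.
// Assumptions: 24h look-back, top 50 rows, output column names (Path, Blocked, ...).
AzureDiagnostics
| where TimeGenerated > ago(24h)
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayFirewallLog"
// Drop the query string so that requests to the same path group together.
| extend Path = tostring(split(requestUri_s, "?")[0])
| summarize
    Blocked   = countif(action_s == "Blocked"),    // request was stopped
    Matched   = countif(action_s == "Matched"),    // a rule matched part of the request
    Detected  = countif(action_s == "Detected"),   // logged only (detection mode)
    Rules     = make_set(ruleId_s, 20),            // which rule IDs fired, capped at 20
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated)
    by clientIp_s, hostname_s, Path
| top 50 by Blocked desc
```

Rows with a non-zero Blocked count are paths where the WAF stopped requests from that IP; rows with only Matched or Detected counts were logged but not blocked. If the diagnostic setting sends logs to the resource-specific destination, the records are in the AGWFirewallLogs table with different column names.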
