Azure Web Application Firewall CDN Logs?

Jayson Truong 21 Reputation points
2020-12-22T20:04:59.29+00:00

I have implemented WAF with CDN. The WAF is blocking more than it should.

I was wondering where I can find/enable the logs for it to see what rule is blocking my requests?

I know there is a logs section in AFD where I view this information but I cannot find it in the CDN section.

Any help is appreciated.

Thanks in advance.

Azure Content Delivery Network
Azure Web Application Firewall

Accepted answer
  1. SUNOJ KUMAR YELURU 14,016 Reputation points MVP
    2020-12-23T05:52:37.83+00:00

    @Jayson Truong

    You can view raw data in the firewall log by running the following query:
    AzureDiagnostics
    | where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayFirewallLog"

    Matched/Blocked requests by IP
    AzureDiagnostics
    | where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayFirewallLog"
    | summarize count() by clientIp_s, bin(TimeGenerated, 1m)
    | render timechart

    refer - https://video2.skills-academy.com/en-us/azure/web-application-firewall/ag/log-analytics

    ----------

    Please don’t forget to "Accept the answer" and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

3 additional answers

  1. Jayson Truong 21 Reputation points
    2020-12-24T04:09:48.643+00:00

    When I put in that query, the query you suggested, I get the following error message.

    'summarize' operator: Failed to resolve scalar expression named 'clientIp_s'

    The query language appears to be a form of SQL, but when I put in things like WHERE column = 'value', it always comes back with errors.

    Is there anything else I can look at for the CDN-WAF logs?

    Thanks.

  2. SUNOJ KUMAR YELURU 14,016 Reputation points MVP
    2021-01-01T09:00:45.85+00:00

    @Jayson Truong

    I guess you still require help. I tested in my lab; check the screenshots below to enable diagnostic logs in WAF and CDN. You can choose where you want to store the logs (Log Analytics, storage account, event hub).

    This will resolve your issue.

    WAF Diagnostic Log Screenshots

    52726-waf01.jpg

    52727-waf02.jpg

    CDN Diagnostic Log Screenshots

    52590-cdn01.jpg

    52751-cdn02.jpg

    ----------

    If this answers your query, do click “Accept Answer” and Up-Vote for the same. And, if you have any further query do let us know.

  3. Jayson Truong 21 Reputation points
    2021-01-05T17:55:15.05+00:00

    Thanks for the response.

    I am not able to see your attached screenshots.

    The good news is that I can now view the logs. Maybe it just took a while to populate but we are good now.

    Thanks for your help.
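
An added example, not part of the original thread: the `Failed to resolve scalar expression named 'clientIp_s'` error above is what Log Analytics returns when no record carrying that property has reached the `AzureDiagnostics` table yet, because its columns are created as data arrives. The two queries below first list what has been delivered to the workspace, then rerun the accepted answer's timechart using `column_ifexists` so it parses even before the column exists. The output column names (`Records`, `LastSeen`, `ClientIp`, `Requests`) are chosen here for illustration.

```kusto
// 1) Inventory: which resource providers and log categories have actually
//    delivered records to this workspace in the last 24 hours?
//    An empty result means the diagnostic setting is not sending data yet.
AzureDiagnostics
| where TimeGenerated > ago(24h)
| summarize Records = count(), LastSeen = max(TimeGenerated)
    by ResourceProvider, ResourceType, Category
| order by LastSeen desc

// 2) The per-IP timechart from the accepted answer, written so that it still
//    parses before the first firewall record has created the clientIp_s column.
//    column_ifexists returns the fallback value ("") when the column is missing.
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayFirewallLog"
| extend ClientIp = column_ifexists("clientIp_s", "")
| summarize Requests = count() by ClientIp, bin(TimeGenerated, 1m)
| render timechart
```

Run each query separately. If the inventory shows the WAF records under a different provider or category than the filter in query 2, substitute the values it reports.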