08-05-2019 04:59 AM
I have an Application Gateway, with WAF enabled and set to detection mode:
I want to show and query "ApplicationGatewayAccessLog", "ApplicationGatewayPerformanceLog" and "ApplicationGatewayFirewallLog" using Azure Log Analytics.
Therefore, I enabled logging using the following configuration:
I can see that diagnostics is enabled for the Application Gateway:
But if I search with one of the following queries:
AzureDiagnostics | limit 50 // Should show at least that there is an AzureDiagnostics table
AzureDiagnostics | where Category == "ApplicationGatewayFirewallLog" // Should show the firewall logs I want to see
I always get the same error message:
'take' operator: Failed to resolve table or column expression named 'AzureDiagnostics'
As if there is no data available.
Am I missing a configuration detail?
Do I need to search using another query?
I'm thankful for any pointer in the right direction.
08-05-2019 06:08 AM - edited 08-05-2019 06:10 AM
How long did you wait between enabling and running the query (your queries look good, some other examples here: https://blogs.technet.microsoft.com/robdavies/2017/12/29/monitoring-application-gateway-with-azure-l... )? Is this an active WAF with data that will generate log entries?
This will show what (if any) categories you have
AzureDiagnostics | summarize by Category
You should also see AzureDiagnostics in the schema; if you don't, no data has been sent (or it was blocked).
You can test queries (in the meantime) in the demo portal: Go to Log Analytics and Run Query
08-05-2019 07:00 AM
Thank you for your response.
Yes, the WAF is active and logging has been enabled for 3-4 hours now.
I can see AzureDiagnostics in the schema, but every query to this table throws an error as if it does not exist.
You can see everything here, where I tried the category query you suggested:
08-05-2019 08:09 AM
If you have full access to that schema Table (can someone else try)? Can you see other tables and query them under LogManagement - like Alert or AzureActivity? Is table level RBAC set (however if it was that I would expect a different message)?
You might need to "copy request id to clipboard" and raise a support ticket - unless anyone else has an idea?
08-06-2019 03:58 AM
I opened a support ticket and with their help I was able to solve the problem.
I had to go to the Log Analytics Workspace to which I configured the application gateway to send its logs. There I could query for the logs and all tables were in place.
What I did before was going to: "Application Gateway Resource -> Monitoring -> log"
The log there is empty and missing tables and is not connected to the Log Analytics Workspace I created on the gateway resource.
This is a kind of confusing UI design, but now I know how to access/query the log.
Thanks again for your input.
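For anyone landing on this thread: the two queries below are an added example, not part of the original posts. They are meant to be run with the Log Analytics workspace itself as the query scope, and they assume the gateway's logs arrive in AzureDiagnostics with the usual suffixed columns (ruleId_s, action_s, clientIp_s, requestUri_s).

```kusto
// Added example. Open the Log Analytics workspace (not the gateway's own
// Monitoring -> Logs blade) and run each query separately.

// 1) Which Application Gateway categories have reached this workspace, and when?
//    An empty result means no gateway diagnostics have been ingested here.
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETWORK" and ResourceType == "APPLICATIONGATEWAYS"
| summarize Records = count(), Newest = max(TimeGenerated) by Resource, Category
| order by Resource asc, Category asc

// 2) WAF rule matches from the last day, noisiest rules first.
//    In detection mode these are logged but the requests are not blocked.
AzureDiagnostics
| where TimeGenerated > ago(1d)
| where Category == "ApplicationGatewayFirewallLog"
| summarize Matches = count(),
            Clients = dcount(clientIp_s),
            SampleUri = take_any(requestUri_s)
    by ruleId_s, action_s, Message
| order by Matches desc
```

If query 1 returns rows for the access and performance categories but not for ApplicationGatewayFirewallLog, check that the firewall log category is ticked in the gateway's diagnostic setting.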