Forum Discussion
Application Gateway Logs not shown in Azure Log Analytics
Hello,
I have an Application Gateway, with WAF enabled and set to detection mode:
I want to show and query "ApplicationGatewayAccessLog", "ApplicationGatewayPerformanceLog" and "ApplicationGatewayFirewallLog" using the Azure Log Analytics.
Therefore I enabled logging using the following configuration:
I can see that diagnostics is enabled for the Application Gateway:
But if I search with one of the following queries:
AzureDiagnostics | limit 50 // Should show at least that there is an AzureDiagnostics table
AzureDiagnostics | where Category == "ApplicationGatewayFirewallLog" // Should show the firewall logs I want to see
I always get the same error message:
'take' operator: Failed to resolve table or column expression named 'AzureDiagnostics'
As if there is no data available.
Am I missing a configuration detail?
Do I need to search using another query?
I'm thankful for any pointer in the right direction.
15 Replies
- CliveWatson (Former Employee)
How long did you wait between enabling and running the query (your queries look good, some other examples here: https://blogs.technet.microsoft.com/robdavies/2017/12/29/monitoring-application-gateway-with-azure-log-analytics/)? Is this an active WAF with data that will generate log entries?
This will show what (if any) categories you have
AzureDiagnostics | summarize by Category
You should also see AzureDiagnostics in the schema; if you don't, no data has been sent (or was blocked)
You can test queries (in the meantime) in the demo portal: Go to Log Analytics and Run Query
- TardigradeX (Copper Contributor)
Thank you for your response.
Yes, the WAF is active and Logging is enabled since 3-4 hours now.
I can see AzureDiagnostics in the schema, but every query to this table throws an error as if it does not exist.
You can see everything here, where I tried the category query you suggested:
- CliveWatson (Former Employee)
If you have full access to that schema Table (can someone else try)? Can you see other tables and query them under LogManagement - like Alert or AzureActivity? Is table level RBAC set (however if it was that I would expect a different message)?
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/manage-access
You might need to "copy request id to clipboard" and raise a support ticket - unless anyone else has an idea?