Aug 05 2019 04:59 AM - last edited on Apr 07 2022 06:01 PM by TechCommunityAP
Hello,
I have an Application Gateway, with WAF enabled and set to detection mode:
I want to show and query "ApplicationGatewayAccessLog", "ApplicationGatewayPerformanceLog" and "ApplicationGatewayFirewallLog" using the Azure Log Analytics.
Therefore I enabled logging using the following configuration:
I can see that diagnostics is enabled for the Application Gateway:
But if I search with one of the following queries:
AzureDiagnostics | limit 50 // Should show at least that there is an AzureDiagnostics table
AzureDiagnostics | where Category == "ApplicationGatewayFirewallLog" // Should show the firewall logs I want to see
I always get the same error message:
'take' operator: Failed to resolve table or column expression named 'AzureDiagnostics'
As if there is no data available.
Am I missing a configuration detail?
Do I need to search using another query?
I'm thankful for any pointer in the right direction.
Aug 05 2019 06:08 AM - edited Aug 05 2019 06:10 AM
How long did you wait between enabling and running the query (your queries look good, some other examples here: https://blogs.technet.microsoft.com/robdavies/2017/12/29/monitoring-application-gateway-with-azure-l... )? Is this an active WAF with data that will generate log entries?
This will show what (if any) categories you have
AzureDiagnostics
| summarize by Category
You should also see AzureDiagnostics in the schema; if you don't, no data has been sent (or was blocked).
You can test queries (in the meantime) in the demo portal: Go to Log Analytics and Run Query
Aug 05 2019 07:00 AM
Thank you for your response.
Yes, the WAF is active and Logging is enabled since 3-4 hours now.
I can see AzureDiagnostics in the schema, but every query to this table throws an error as if it does not exist.
You can see everything here, where I tried the category query you suggested:
Aug 05 2019 08:09 AM
If you have full access to that schema Table (can someone else try)? Can you see other tables and query them under LogManagement - like Alert or AzureActivity? Is table level RBAC set (however if it was that I would expect a different message)?
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/manage-access
You might need to "copy request id to clipboard" and raise a support ticket - unless anyone else has an idea?
Aug 06 2019 03:58 AM
I opened a support ticket and with their help I was able to solve the problem.
I had to go to the Log Analytics Workspace, to which I configured the application gateway to send its log to. There I could query for the logs and all tables were in place.
What I did before was going to: "Application Gateway Resource -> Monitoring -> log"
The log there is empty and missing tables and is not connected to the Log Analytics Workspace I created on the gateway resource.
This is a kind of confusing UI design, but now I know how to access/query the log.
Thanks again for your input.
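An added example, not part of the original thread and not Microsoft tooling: a small Python check that reads a gateway's diagnostic settings and reports which Log Analytics workspace receives each enabled log category, which is the workspace where the queries above have to be run. It assumes JSON in the shape returned by `az monitor diagnostic-settings list`; the sample below is constructed and all names in it are placeholders.

```python
import json

# The three log categories the original poster wants to query.
REQUIRED = {
    "ApplicationGatewayAccessLog",
    "ApplicationGatewayPerformanceLog",
    "ApplicationGatewayFirewallLog",
}

# Constructed sample (placeholder subscription, resource group and names).
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"
SAMPLE = json.dumps([
    {
        "name": "appgw-to-law",
        "workspaceId": _SUB + "/providers/Microsoft.OperationalInsights/workspaces/law-example",
        "logs": [
            {"category": "ApplicationGatewayAccessLog", "enabled": True},
            {"category": "ApplicationGatewayPerformanceLog", "enabled": False},
            {"category": "ApplicationGatewayFirewallLog", "enabled": True},
        ],
    },
    {
        "name": "archive-only",
        "workspaceId": None,
        "storageAccountId": _SUB + "/providers/Microsoft.Storage/storageAccounts/stexample",
        "logs": [{"category": "ApplicationGatewayPerformanceLog", "enabled": True}],
    },
])


def audit(settings_json):
    """Return ({workspace name: enabled categories}, required categories no workspace receives)."""
    data = json.loads(settings_json)
    # Some CLI versions wrap the list in {"value": [...]}; accept both shapes.
    settings = data.get("value", []) if isinstance(data, dict) else data
    workspaces = {}
    for setting in settings:
        ws = setting.get("workspaceId")
        if not ws:
            continue  # storage- or event-hub-only settings are not queryable with KQL
        enabled = {entry["category"] for entry in setting.get("logs") or []
                   if entry.get("enabled") and entry.get("category")}
        workspaces.setdefault(ws.rsplit("/", 1)[-1], set()).update(enabled)
    covered = set().union(*workspaces.values())
    return workspaces, sorted(REQUIRED - covered)


if __name__ == "__main__":
    found, missing = audit(SAMPLE)
    for name, cats in found.items():
        print(f"query in workspace {name}: {sorted(cats)}")
    print("not reaching any workspace:", missing)
```

In the sample, the performance log is enabled only on the storage-account setting, so it is reported as missing from every workspace even though diagnostics look enabled on the gateway.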
Aug 11 2019 05:45 AM
Dec 12 2019 09:10 AM
@Meir Mendelovich For the record, I have the exact same issue.
Dec 15 2019 07:49 AM
Dec 16 2019 06:42 AM
@Meir Mendelovich I have various VMs which are reporting logs to a Log Analytics Workspace, but when I go to the 'logs' link under the VM, it does not send me to that LAW. When I attempt to query against the logs from that location, I get the same error described above. I can go directly to the assigned LAW, and query against the logs normally.
Dec 23 2019 03:58 AM
From your description it seems that workspace-context access works and resource-context access doesn't. You can see all details on both here: https://aka.ms/logsaccess
The first thing that comes into my mind is the resource access mode. See here and make sure that it is "both".
If still not working, please approach me directly: meirm@microsoft.com and I would love to get you up and running.
Meir :>
Jan 06 2020 12:16 PM
@Meir Mendelovich Thanks very much! This does indeed appear to be the problem I'm seeing. It was complicated by the fact that some of my workspaces have this set one way, and others have it set differently. Can you answer a couple of quick followup questions for me?
Thanks again!
John
Jan 06 2020 01:58 PM
Jan 07 2020 05:18 AM
@Meir Mendelovich Sorry; I hate looking like a complete noob, but I don't see anyplace in the page for the virtual machine where either Heartbeat or Tenant shows up... Is it supposed to be in the Security tab? I can't load that right now because of some problem with the tenant (I think). The message I'm getting currently reads:
columnNumber: 55 fileName: https://portal.azure.com/Content/Dynamic/lN9nxus-UgR8.js line 54 > Function lineNumber: 3 message: Unable to process binding "if: function(){return showAgentCampaignBar() }" Message: showAgentCampaignBar is not defined
Thanks
John
Jan 07 2020 06:31 AM
Jan 07 2020 09:06 AM
@Meir Mendelovich Ah! OK. Thanks very much again.
Jan 07 2020 10:13 AM