Application Gateway Logs not shown in Azure Log Analytics


Hello,

 

I have an Application Gateway, with WAF enabled and set to detection mode:

WAF_Settings.PNG

I want to show and query "ApplicationGatewayAccessLog", "ApplicationGatewayPerformanceLog" and "ApplicationGatewayFirewallLog" using the Azure Log Analytics.

Therefore I enabled logging using the following configuration:

 

Diagnostics_Settings.PNG

I can see that diagnostics is enabled for the Application Gateway:

 

diagnostics_enabled.PNG

 

But if I search with one of the following queries:

AzureDiagnostics | limit 50   // Should show at least that there is an AzureDiagnostics table

AzureDiagnostics | where Category == "ApplicationGatewayFirewallLog" // Should show the firewall logs I want to see

 

 

I always get the same error message:

 

'take' operator: Failed to resolve table or column expression named 'AzureDiagnostics'

 

As if there is no data available.

 

Am I missing a configuration detail?

Do I need to search using another query?

 

I'm thankful for any pointer in the right direction.

15 Replies

@TardigradeX 

 

How long did you wait between enabling and running the query (your queries look good, some other examples here: https://blogs.technet.microsoft.com/robdavies/2017/12/29/monitoring-application-gateway-with-azure-l... )? Is this an active WAF with data that will generate log entries?

 

This will show what (if any) categories you have

 

AzureDiagnostics
| summarize by Category

 

You should also see AzureDiagnostics in the schema; if you don't, no data has been sent (or was blocked)

Annotation 2019-08-05 140654.jpg

 

You can test queries (in the meantime) in the demo portal: Go to Log Analytics and Run Query 

@CliveWatson 

 

Thank you for your response.

 

Yes, the WAF is active and Logging is enabled since 3-4 hours now.

I can see AzureDiagnostics in the schema, but every query to this table throws an error as if it does not exist.

You can see everything here, where I tried the category query you suggested:

Unbenannt.PNG

@TardigradeX 

 

If you have full access to that schema Table (can someone else try)?  Can you see other tables and query them under LogManagement  - like Alert or AzureActivity?  Is table level RBAC set (however if it was that I would expect a different message)?

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/manage-access

 

You might need to "copy request id to clipboard" and raise a support ticket - unless anyone else has an idea?

@CliveWatson

 

I opened a support ticket and with their help I was able to solve the problem.

 

I had to go to the Log Analytics Workspace, to which I configured the application gateway to send its log to. There I could query for the logs and all tables were in place.

 

What I did before was going to:  "Application Gateway Resource -> Monitoring -> log" 

The log there is empty and missing tables and is not connected to the Log Analytics Workspace I created on the gateway resource.

This is a kind of confusing UI design, but now I know how to access/query the log.

 

Thanks again for your input.

Hi,
It seems like you did the right things and it should work without going to the workspace. I will investigate what happened in your case.

Sorry for that,
Meir from the Azure Monitor Logs team

@Meir Mendelovich For the record, I have the exact same issue

John, can you please explain what is your experience?

@Meir Mendelovich I have various VMs which are reporting logs to a Log Analytics Workspace, but when I go to the 'logs' link under the VM, it does not send me to that LAW. When I attempt to query against the logs from that location, I get the same error described above. I can go directly to the assigned LAW, and query against the logs normally.

@John_McCash ,

 

From your description it seems that workspace-context access works and resource-context access doesn't. You can see all details on both here: https://aka.ms/logsaccess

The first thing that comes into my mind is the resource access mode. See here and make sure that it is "both". 

If still not working, please approach me directly: meirm@microsoft.com and I would love to get you up and running.

 

Meir :>

@Meir Mendelovich Thanks very much! This does indeed appear to be the problem I'm seeing. It was complicated by the fact that some of my workspaces have this set one way, and others have it set differently. Can you answer a couple of quick followup questions for me?

  1. Is there a way, from a virtual machine configuration page, to tell which (if any) Log Analytics Workspace that VM is sending its logs to? I thought earlier that I'd seen this as an item in either the Overview or Security tabs, but I can no longer find it.
  2. Does setting the Access control mode to "Use resource or workspace permissions" mean that a VM owner, who doesn't otherwise have access to the Log Analytics Workspace that VM is reporting to, would then be able to read the logs from other hosts reporting to the same LAW?

Thanks again!

John

Hi John,
Happy to help. Here are answers to your follow up questions:
1. There is a property called "Tenant" in many tables (e.g. Heartbeat) that includes the workspace GUID. We are thinking about providing better tools to map stuff.
2. In the case you are describing, the user will be able to access only logs of resources where he has Read access to. If he has access to a VM, he can read the logs. If he doesn't have access, he won't be able to read the logs even if they are on the same workspace.

@Meir Mendelovich Sorry; I hate looking like a complete noob, but I don't see anyplace in the page for the virtual machine where either Heartbeat or Tenant shows up... Is it supposed to be in the Security tab? I can't load that right now because of some problem with the tenant (I think). The message I'm getting currently reads:

columnNumber: 55 fileName: https://portal.azure.com/Content/Dynamic/lN9nxus-UgR8.js line 54 > Function lineNumber: 3 message: Unable to process binding "if: function(){return showAgentCampaignBar() }" Message: showAgentCampaignBar is not defined

Thanks

John

 

You need to open the "Logs" page for this VM and run a query like "Heartbeat | take 10" or "Heartbeat | distinct TenantId".

@Meir Mendelovich Ah! OK. Thanks very much again.

... OK... I just looked at the TenantId in my Heartbeat logs. It appears to just be the GUID assigned to the Tenant. It doesn't match any of my Log Analytics Workspace GUIDs. Am I just terminally confused?
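
Added example, not part of the thread and not Microsoft's code: the two checks this discussion turns on (which workspace a resource's diagnostic setting targets and with which log categories enabled, and which access control mode that workspace uses), done over saved CLI output. The JSON samples are constructed; their field names follow the output of `az monitor diagnostic-settings list --resource <id>` and `az monitor log-analytics workspace show`, and the resource names are hypothetical.

```python
import json

# Constructed sample shaped like `az monitor diagnostic-settings list --resource <gateway-id>`.
SETTINGS_JSON = """
[{"name": "appgw-to-law",
  "workspaceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.OperationalInsights/workspaces/law-demo",
  "logs": [{"category": "ApplicationGatewayAccessLog", "enabled": true},
           {"category": "ApplicationGatewayPerformanceLog", "enabled": true},
           {"category": "ApplicationGatewayFirewallLog", "enabled": false}]}]
"""
# Constructed sample shaped like `az monitor log-analytics workspace show`.
WORKSPACE_JSON = """
{"name": "law-demo",
 "features": {"enableLogAccessUsingOnlyResourcePermissions": false}}
"""

# The three categories the original question wants to query.
EXPECTED = {"ApplicationGatewayAccessLog", "ApplicationGatewayPerformanceLog",
            "ApplicationGatewayFirewallLog"}

def log_destinations(settings_json):
    """Map each target workspace name to the set of enabled log categories."""
    data = json.loads(settings_json)
    # Some CLI versions wrap the list in {"value": [...]}; accept both shapes.
    settings = data.get("value", []) if isinstance(data, dict) else data
    dest = {}
    for s in settings:
        ws = s.get("workspaceId")
        if not ws:  # setting sends to storage or Event Hub only
            continue
        name = ws.rstrip("/").split("/")[-1]
        enabled = {entry["category"] for entry in s.get("logs", [])
                   if entry.get("enabled") and entry.get("category")}
        dest.setdefault(name, set()).update(enabled)
    return dest

def access_mode(workspace_json):
    """Return the portal label for the workspace access control mode."""
    features = json.loads(workspace_json).get("features") or {}
    if features.get("enableLogAccessUsingOnlyResourcePermissions"):
        return "Use resource or workspace permissions"
    return "Require workspace permissions"

def report(settings_json, workspace_json):
    """Summarise destinations, categories not enabled, and the access mode."""
    dest = log_destinations(settings_json)
    missing = {ws: sorted(EXPECTED - cats) for ws, cats in dest.items()}
    return {"workspaces": sorted(dest), "missing": missing,
            "access_mode": access_mode(workspace_json)}

if __name__ == "__main__":
    print(json.dumps(report(SETTINGS_JSON, WORKSPACE_JSON), indent=2))
```
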