Azure Application Proxy logging

Hi,

So, aiming to replace ISA/TMG with Application Proxy for a variety of use case scenarios, the main question that is arising relates to logging.

Are Application Proxy logs automatically available via OMS as they are part of Azure Active Directory authentication?

What about apps with no authentication?

The key information is the source IP, username, application (destination), which is available with the CSV log file download from Application Proxy, but the UI doesn't provide any information or automation around generating the log file, or connecting to the live data stream.

The big goal being intrusion detection, identification, and tracking.

Is OMS the product to use for this?

What if the customer wished to use Splunk or some other third-party option, how do we connect to/parse the logs in that instance?

Cheers

Pete

3 Replies

If you have the connectors installed, there are a few logs to check under AadApplicationProxy. However, more information, as you've mentioned previously, like source IP, username, application (destination) would be extremely helpful.

https://blogs.technet.microsoft.com/applicationproxyblog/2015/06/01/all-you-want-to-know-about-azure...

@Earl Zirkle 

Here we are in 2024 and there really still isn't a great answer to this question. I can weed through the AadApplicationProxy logs in Event Viewer, but in reality, I need something a little more robust in order to ascertain security information. After all, Application Proxies/Private Network Connectors are a security feature of sorts.

@Peter Holland

I don't fully understand your question exactly; btw, Event Hub or API would do for feeding logs to Splunk:

https://www.splunk.com/en_us/blog/tips-and-tricks/getting-microsoft-azure-data-into-splunk.html