Azure Application Proxy logging


Hi,

So, aiming to replace ISA/TMG with Application Proxy for a variety of use case scenarios, the main question that is arising relates to logging.

Are Application Proxy logs automatically available via OMS as they are part of Azure Active Directory authentication?

What about apps with no authentication?

The key information is the source IP, username, application (destination), which is available with the CSV log file download from Application Proxy, but the UI doesn't provide any information or automation around generating the log file, or connecting to the live data stream.

The big goal being intrusion detection, identification, and tracking.

Is OMS the product to use for this?

What if the customer wished to use Splunk or some other third party option, how do we connect to/parse the logs in that instance?

Cheers

Pete

2 Replies

Hi Peter, nice to see you again :)
I can't answer your question regarding Application Proxy as I don't have access to this feature and I can't actually find any information regarding the Proxy logs, but with regards to Splunk and OMS, they should both be able to access the logs from resources.


If you have the connectors installed, there are a few logs to check under AadApplicationProxy.  However, more information as you've mentioned previously like source IP, username, application (destination) would be extremely helpful.

 

https://blogs.technet.microsoft.com/applicationproxyblog/2015/06/01/all-you-want-to-know-about-azure-ad-application-proxy-connectors/