Application Gateway (WAF) - document how to get firewall logs
Please create documentation about how to retrieve Azure App GW firewall log.
Microsoft does not mention a word about this - correct me if I'm wrong. Finally I found a solution on a third-party (!!!) site: http://francescomolfese.it/en/2018/07/azure-application-gateway-come-monitorarlo-con-log-analytics/.
Application GW produces these types of logs:
3. ApplicationGatewayFirewallLog – the most important one as it contains logs about security operations (reasons for blocking connections, etc.)
To retrieve these logs (or at least the first 2 of the 3 mentioned above), you have to do this:
Go to Log Analytics workspaces in Azure portal --> create or choose an existing workspace --> go to Workspace summary --> Add --> search for “application gateway analytics” --> choose Application Gateway Analytics and add it to the workspace.
BUT Application Gateway Analytics ONLY PROVIDES ApplicationGatewayAccessLog (1) and ApplicationGatewayPerformanceLog (2), but NOT ApplicationGatewayFirewallLog (3) - this is the log that holds all the important information about blocked connections...
This is how you can retrieve ApplicationGatewayFirewallLog (3):
--> Go to Log Analytics in Azure Portal (can be found in All services) --> choose Logs and type this query there:
AzureDiagnostics | where ResourceType == "APPLICATIONGATEWAYS" and Category == "ApplicationGatewayFirewallLog"
With this knowledge I retrospectively Googled to find out if Microsoft provides some info about Category "ApplicationGatewayFirewallLog" on Azure manual pages and/or if it provides some info about how to get to these FW logs. But I found only very, very limited and partial information about this!!! Again – correct me if I'm wrong. I'm disappointed with the Azure documentation as it cyclically mentions all the same information on different pages, but really important and crucial information is missing!
Please put this knowledge into your online tutorials to help other customers obtain relevant information. Thank you.
Furthermore, adding a "Solution" to the workspace for such queries would be helpful!
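
The query from the post, extended into a triage view of blocked requests, as an added example that is not part of the original post. It assumes the gateway's diagnostic settings send the ApplicationGatewayFirewallLog category to this workspace's AzureDiagnostics table, where the firewall fields appear as the columns `action_s`, `ruleId_s`, `clientIp_s`, `requestUri_s`, `hostname_s` and `Message`; the 24-hour window is an arbitrary choice.

```kusto
// Added example: which WAF rules are blocking traffic, on which site,
// and how widely. Useful for separating a noisy false-positive rule
// (many distinct clients, ordinary URIs) from a single abusive source.
AzureDiagnostics
| where TimeGenerated > ago(24h)                       // assumed window
| where ResourceType == "APPLICATIONGATEWAYS"
    and Category == "ApplicationGatewayFirewallLog"    // filter from the post
| where action_s == "Blocked"                          // drop Matched/Detected entries
| summarize
    Hits            = count(),
    DistinctClients = dcount(clientIp_s),
    DistinctUris    = dcount(requestUri_s),
    SampleUri       = take_any(requestUri_s),
    SampleMessage   = take_any(Message),
    FirstSeen       = min(TimeGenerated),
    LastSeen        = max(TimeGenerated)
    by ruleId_s, hostname_s
| order by Hits desc
```

A rule with many hits spread over many distinct clients and URIs is a candidate for a false-positive review, while many hits from one client points at that client rather than at the rule.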