Intro

This is a quick post on how to query Azure Application Gateway logs using Kusto Query Language (KQL). It's not a deep dive into KQL, but rather a quick reference of useful queries for future Brad.

Application Gateway

Search for logs for a specific host.

Kusto Query Language (KQL)
AzureDiagnostics
  | where Category == "ApplicationGatewayAccessLog"
  | where host_s == "blah.example.com"

Web Application Firewall (WAF)

Query the WAF logs for all hits. Groups the results by hostname, resource, action, rule ID, URI, and message, counts the hits in each group, then sorts from most to least hits.

Kusto Query Language (KQL)
AzureDiagnostics
  | where Category == "ApplicationGatewayFirewallLog"
  // Uncomment to search for a specific hostname
  // | where AdditionalFields.hostname == "blah.example.com"
  | project Hostname=AdditionalFields.hostname, Resource, Action=action_s, URI=requestUri_s, ruleId=AdditionalFields.ruleId, Message
  // Hostname and ruleId are dynamic values, so convert them to strings before grouping
  | summarize AggregatedValue = count() by tostring(Hostname), Resource, Action, tostring(ruleId), URI, Message
  | sort by AggregatedValue desc
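An added example (not from the original post) that correlates the two log categories above through the shared transaction id, to list the WAF rules that fired on requests a Detection-mode gateway still served successfully; that list is what to review before switching the policy to Prevention. The column names not used in the post (transactionId_g, clientIp_s, httpStatus_d, WAFMode_s) are assumed from the AzureDiagnostics schema and may differ in your workspace.

```kql
// Added example: WAF matches that still reached the backend (Detection-mode tuning).
// Assumed AzureDiagnostics columns not shown in the post: transactionId_g (request id shared
// by the access and firewall logs), clientIp_s, httpStatus_d, WAFMode_s.
let lookback = 24h;
let waf = AzureDiagnostics
  | where TimeGenerated > ago(lookback)
  | where Category == "ApplicationGatewayFirewallLog"
  | project TransactionId = transactionId_g, Hostname = tostring(AdditionalFields.hostname),
            RuleId = tostring(AdditionalFields.ruleId), Action = action_s,
            URI = requestUri_s, ClientIp = clientIp_s, Message;
let access = AzureDiagnostics
  | where TimeGenerated > ago(lookback)
  | where Category == "ApplicationGatewayAccessLog"
  | project TransactionId = transactionId_g, Host = host_s,
            Status = toint(httpStatus_d), WafMode = WAFMode_s;
// One row per request: which rules fired and what the backend finally answered.
waf
  | join kind=inner access on TransactionId
  | summarize RulesFired = make_set(RuleId), Actions = make_set(Action), Hits = count()
      by TransactionId, Hostname, URI, ClientIp, Status, WafMode
  // Keep requests the WAF only logged and the backend served with a 2xx status.
  | where WafMode == "Detection" and Status between (200 .. 299)
  // Rank rule combinations by how many requests and distinct sources they touched;
  // a high count from many sources usually means a false positive worth excluding.
  | summarize Requests = count(), Sources = dcount(ClientIp), SampleURI = take_any(URI)
      by Hostname, tostring(RulesFired)
  | sort by Requests desc
```

Narrow the `lookback` or add a `where Hostname == "..."` filter after the join when the workspace carries several gateways.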

Outro

As time goes on, I'll add more queries to this post.