Azure Web Application Firewall (WAF) monitoring and logging are provided through integration with Azure Monitor and Azure Monitor logs.
Azure Monitor
WAF logging with Application Gateway is integrated with Azure Monitor. Azure Monitor allows you to track diagnostic information, including WAF alerts and logs. You can configure WAF monitoring within the Application Gateway resource in the portal under the Diagnostics tab or through the Azure Monitor service directly.
Logs and diagnostics
WAF with Application Gateway provides detailed reporting on each threat it detects. Logging is integrated with Azure Diagnostics logs, and alerts are recorded in JSON format. These logs can be integrated with Azure Monitor logs.
For more information about diagnostics logs, see Application Gateway WAF resource logs. If logging is enabled and a WAF rule is triggered, any matching patterns are logged in plain text to help you analyze and debug the WAF policy behavior. You can use exclusions to fine-tune rules and to keep any data you choose out of the logs. For more information, see Web application firewall exclusion lists in Azure Application Gateway.
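The two paragraphs above, as an added example that is not part of the original page or of Microsoft's documentation: a short Python triage script that reads exported JSON firewall records, counts rule hits per rule and action, and masks the plain-text matched data before the records are shared. The category string, field names and action values are assumptions about the exported log layout, and the sample records are constructed.

```python
import copy
import json
from collections import Counter

# Constructed sample export, one JSON record per line (not real traffic).
# Assumed field names: category, properties.ruleId, properties.action,
# properties.clientIp, properties.requestUri, properties.details.data.
SAMPLE_EXPORT = "\n".join([
    json.dumps({"category": "ApplicationGatewayFirewallLog", "properties": {
        "clientIp": "203.0.113.7", "requestUri": "/login", "ruleId": "942100",
        "action": "Matched", "details": {
            "data": "Matched Data: s3cret-Passw0rd found within ARGS:password"}}}),
    json.dumps({"category": "ApplicationGatewayFirewallLog", "properties": {
        "clientIp": "203.0.113.7", "requestUri": "/login", "ruleId": "949110",
        "action": "Blocked", "details": {"data": ""}}}),
    json.dumps({"category": "ApplicationGatewayAccessLog", "properties": {
        "clientIp": "198.51.100.4", "requestUri": "/"}}),
    "{truncated line",  # malformed record, must be skipped rather than crash
])

def parse_firewall_records(text):
    """Return the properties of every well-formed firewall log record."""
    records = []
    for line in text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(entry, dict) and entry.get("category") == "ApplicationGatewayFirewallLog":
            records.append(entry.get("properties", {}))
    return records

def summarize(records):
    """Count rule hits per (ruleId, action) to show which rules fire most."""
    return Counter((r.get("ruleId"), r.get("action")) for r in records)

def redact(record):
    """Copy a record with the plain-text matched data replaced by its length."""
    clean = copy.deepcopy(record)
    data = clean.get("details", {}).get("data")
    if data:
        clean["details"]["data"] = f"<redacted {len(data)} chars>"
    return clean

if __name__ == "__main__":
    recs = parse_firewall_records(SAMPLE_EXPORT)
    for key, count in summarize(recs).most_common():
        print(key, count)
    print(json.dumps([redact(r) for r in recs], indent=2))
```

Redaction here only protects copies that leave the log store; a WAF exclusion is what keeps the value from being logged in the first place.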
Application Gateway WAF v2 Metrics
New WAF metrics are only available for Core Rule Set 3.2 or greater, or with bot protection and geo-filtering. The metrics can be further filtered on the supported dimensions.
| Metrics | Description | Dimension |
|---|---|---|
| WAF Total Requests | Count of successful requests that WAF engine has served | Action, Country/Region, Mode, Policy Name, Policy Scope, Rule Group, Rule ID, Rule Set Name |
| WAF Custom Rule Matches | Count of custom rule matches | Action, Country/Region, Mode, Policy Name, Policy Scope, Rule Name |
| WAF Bot Protection Matches (1) | Count of total bot protection rule matches that have been blocked or logged from malicious IP addresses. The IP addresses are sourced from the Microsoft Threat Intelligence feed. Count the number of requests that match JS Challenge WAF rules. | Action, Policy Name, Policy Scope, Rule (2) |

(1) Only Bot Manager Rule Set 0.1 will be displayed under “WAF Bot Protection Matches”. Requests matching Bot Manager Rule Set 1.0 will increase “WAF Total Requests” metrics, not “WAF Bot Protection Matches”.
(2) Rule name for custom rules and Rule ID for the Bot Manager Rule Set.
Azure Monitor is a comprehensive monitoring solution for collecting, analyzing, and responding to monitoring data from your cloud and on-premises environments. You can use Azure Monitor to maximize the availability and performance of your applications and services.
Azure Monitor Metrics is a feature of Azure Monitor that collects numeric data from monitored resources into a time-series database. Metrics are numerical values that are collected at regular intervals and describe some aspect of a system at a particular time.
Azure Monitor receives data from target resources like applications, operating systems, Azure resources, Azure subscriptions, and Azure tenants. The nature of the resource defines which data types are available. A data type will be a metric, a log, or both a metric and a log.
The WAF provides protection at the web application layer. Azure Firewall acts as a central logging and control point, and it inspects traffic between the Application Gateway and the backend servers. The Application Gateway and Azure Firewall aren't sitting in parallel, but one after the other.
Azure Monitor is a native monitoring tool within the Microsoft Azure cloud platform, similar to CloudWatch in AWS. And, like CloudWatch, Azure Monitor provides monitoring for AWS and other custom data sources, on-premises data centers, and across many Azure services by default.
To enable application logging for Windows apps in the Azure portal, navigate to your app and select App Service logs. Select On for either Application Logging (Filesystem) or Application Logging (Blob), or both. The Filesystem option is for temporary debugging purposes, and turns itself off in 12 hours.
A good monitoring system involves data collection, storage, aggregation, visualization, and alerting to identify issues and trends in your systems. Metrics are raw data collected from various sources like hardware, applications, or websites, providing information about resource usage, performance, or user behavior.
In conclusion, Azure Monitor and Log Analytics collectively offer a robust solution for monitoring Azure resources. While Azure Monitor provides a lot of features including aggregation of logs, real-time insights and performance metrics, Log Analytics allows advanced query capabilities and extensive log data analysis.
A KPI (Key Performance Indicator), in a tabular model, is used to gauge performance of a value, defined by a Base measure, against a Target value, also defined by a measure or by an absolute value.
Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. Traditional load balancers operate at the transport layer (OSI Layer 4 - TCP and UDP) and route traffic based on source IP address and port, to a destination IP address and port.
Azure Application Performance Monitoring (APM) refers to a set of tools and services provided by Microsoft Azure that allow developers and IT professionals to monitor and gain insights into the performance of their applications.
WAF integration with Azure Monitor allows you to track diagnostic information, including WAF alerts and logs. You can access this capability on the Diagnostics tab in the Application Gateway resource in the portal or directly through Azure Monitor. To learn more about enabling logs, see Application Gateway diagnostics.
Introduction: My name is Arielle Torp, I am a comfortable, kind, zealous, lovely, jolly, colorful, adventurous person who loves writing and wants to share my knowledge and understanding with you.