
Commit 7d604a7

Update web-application-firewall-logs.md
Updating AppGW Firewall logs with a new section for AGC WAF logs
1 parent 9f34794 commit 7d604a7


1 file changed (+65, -0 lines)


articles/web-application-firewall/ag/web-application-firewall-logs.md

Lines changed: 65 additions & 0 deletions
@@ -214,7 +214,11 @@ The performance log is generated only if you have enabled it on each Application
214214

215215
The firewall log is generated only if you have enabled it for each application gateway, as detailed in the preceding steps. This log also requires that the web application firewall is configured on an application gateway. The data is stored in the destination that you specified when you enabled the logging. The following data is logged:
216216

217+
# [Application Gateway](#tab/AppGW)
217218

219+
## <a name="AppGW"></a> Application Gateway
220+
221+
### <a name="AppGW-Format"></a> Log Format
218222
|Value |Description |
219223
|---------|---------|
220224
|instanceId | Application Gateway instance for which firewall data is being generated. For a multiple-instance application gateway, there is one row per instance. |
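Review bot: the introductory paragraph at line 215, which now sits directly above the new tab group, still reads "enabled it for each application gateway" and "requires that the web application firewall is configured on an application gateway", so it describes only the first tab while the section now also covers Application Gateway for Containers; either generalize that sentence (for example, "on the gateway or Application Gateway for Containers resource") or move the gateway-specific wording under `# [Application Gateway](#tab/AppGW)`. The `## <a name="AppGW"></a> Application Gateway` heading added right after the tab title repeats the tab label and adds an extra heading level before `### <a name="AppGW-Format"></a> Log Format`; consider dropping the duplicate h2 so both tabs start at the same level.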
@@ -237,6 +241,7 @@ The firewall log is generated only if you have enabled it for each application g
237241
|policyScope | The location of the policy - values can be "Global", "Listener", or "Location". |
238242
|policyScopeName | The name of the object where the policy is applied. |
239243

244+
### <a name="AppGW-Example"></a> Example
240245
```json
241246
{
242247
"resourceId": "/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/{applicationGatewayName}",
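Review bot: `### <a name="AppGW-Example"></a> Example` is inserted immediately above the ```json fence with no blank line between the heading and the fence; add one so the fence is surrounded by blank lines, matching the blank line placed before the `### Log Format` heading in the previous hunk.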
@@ -271,6 +276,66 @@ The firewall log is generated only if you have enabled it for each application g
271276

272277
```
273278

279+
# [Application Gateway for Containers](#tab/AGC)
280+
281+
## <a name="AGC"></a> Application Gateway for Containers
282+
| Value | Description |
283+
|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
284+
| TimeGenerated | Time (UTC) when the log was created. |
285+
| OperationName | Name of the operation. |
286+
| InstanceId | Application Gateway instance for which firewall data is being generated. For a multiple-instance application gateway, there is one row per instance. |
287+
| ClientIp | Originating IP for the request. |
288+
| ClientPort | Originating port for the request. |
289+
| Action | Action taken on the request. Available values are Blocked and Allowed (for custom rules), Matched (when a rule matches a part of the request), and Detected and Blocked (these are both for mandatory rules). |
290+
| Message | User-friendly message for the triggering event. More details are provided in the details section. |
291+
| DetailedMessage | Description of the rule for the triggered event. |
292+
| DetailedData | Specific data found in request that matched the rule for the triggered event. |
293+
| FileDetails | Configuration file that contained the rule for the triggered event. |
294+
| LineDetails | Line number in the configuration file that triggered the event. |
295+
| Hostname | Hostname or IP address of the Application Gateway. |
296+
| PolicyId | Resource ID of the web application firewall policy. |
297+
| PolicyScope | A named scope consisting of Kubernetes resource references the scope is applied to. |
298+
| PolicyScopeName | The name to the type of scope assignment the web application firewall policy is assigned to. |
299+
| RequestUri | URL of the received request. |
300+
| RuleSetType | Rule set type. The available value is Microsoft_DefaultRuleSet or Microsoft_BotManagerRuleSet. |
301+
| RuleSetVersion | Rule set version used for Microsoft_DefaultRuleSet or Microsoft_BotManagerRuleSet. |
302+
| RuleId | Rule ID of the triggering event. |
303+
| TrackingId | Generated guid by Application Gateway
304+
305+
### <a name="AGC-Format"></a> Log Format
306+
```json
307+
{
308+
"timeStamp": "2025-06-17T20:06:05+00:00",
309+
"resourceId": "/SUBSCRIPTIONS/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/RESOURCEGROUPS/YYYYYY/PROVIDERS/MICROSOFT.SERVICENETWORKING/TRAFFICCONTROLLERS/ZZZZZZZ",
310+
"operationName": "TrafficControllerFirewall",
311+
"category": "TrafficControllerFirewallLog",
312+
"properties": {
313+
"instanceId": "8a02ae47-8435-4f3d-84a5-6f5ded3763f5",
314+
"clientIp": "xxx.xxx.xxx.xxx",
315+
"requestUri": "\/?1=1=1",
316+
"ruleSetType": "Microsoft_DefaultRuleSet",
317+
"ruleSetVersion": "2.1",
318+
"ruleId": "949110",
319+
"ruleGroup": "BLOCKING-EVALUATION",
320+
"message": "Inbound Anomaly Score Exceeded (Total Score: 5)",
321+
"action": "Blocked",
322+
"details": {
323+
"message": "Greater and Equal to Tx:inbound_anomaly_score_threshold at TX:anomaly_score.",
324+
"data": "",
325+
"file": "BLOCKING-EVALUATION.conf",
326+
"line": "36"
327+
},
328+
"hostName": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.fzXX.alb.azure.com",
329+
"trackingId": "0ef125db-7fb7-48a0-b3fe-03fe0ffed873",
330+
"policyId": "/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/resourceGroups/YYYYYY/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/ZZZZZZZ",
331+
"policyScope": "HTTPRoute-test-infra-contoso-waf-route-rule-0-match-0-waf.fzXX.alb.azure.com",
332+
"policyScopeName": "Route",
333+
"engine": "Azwaf"
334+
},
335+
"location": "northcentralus"
336+
}
337+
```
338+
274339
## View and analyze the activity log
275340

276341
You can view and analyze activity log data by using any of the following methods:
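Review bot: the Application Gateway for Containers field table is copied from the Application Gateway one and still describes the other product: `| InstanceId | Application Gateway instance for which firewall data is being generated. For a multiple-instance application gateway, there is one row per instance. |`, `| Hostname | Hostname or IP address of the Application Gateway. |` and `| TrackingId | Generated guid by Application Gateway` should refer to Application Gateway for Containers, and the TrackingId row is also missing its closing `|` and trailing period. The table's column names (TimeGenerated, OperationName, ClientPort, DetailedMessage, DetailedData, FileDetails, LineDetails) do not match the property names in the JSON sample beneath it (timeStamp, operationName, details.message, details.data, details.file, details.line), the sample carries ruleGroup, engine, category and location that the table does not list, and the table lists ClientPort which the sample does not contain; either document the sample's raw schema or state that the table gives the Log Analytics column names. The sample sits under `### <a name="AGC-Format"></a> Log Format` while the AppGW tab uses `Log Format` for its table and `Example` for its JSON; align the headings so the two tabs read in parallel. Finally the tab group is never closed: the docs tab syntax ends a group with a `---` line, and without one the following `## View and analyze the activity log` heading renders inside the AGC tab.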
