MicrosoftDocs
diff --git a/‎articles/azure-monitor/essentials/resource-logs-schema.md
Lines changed: 1 addition & 1 deletion b/‎articles/azure-monitor/essentials/resource-logs-schema.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/firewall/diagnostic-logs.md
Lines changed: 138 additions & 0 deletions b/‎articles/firewall/diagnostic-logs.md
Lines changed: 138 additions & 0 deletions
diff --git a/‎articles/firewall/firewall-best-practices.md
Lines changed: 2 additions & 2 deletions b/‎articles/firewall/firewall-best-practices.md
Lines changed: 2 additions & 2 deletions
@@ -72,7 +72,7 @@ The schema for resource logs varies depending on the resource and log category.
 | Azure Digital Twins | [Set up Azure Digital Twins diagnostics](../../digital-twins/troubleshoot-diagnostics.md#log-schemas)
 | Azure Event Hubs |[Azure Event Hubs logs](../../event-hubs/event-hubs-diagnostic-logs.md) |
 | Azure ExpressRoute | [Monitoring Azure ExpressRoute](../../expressroute/monitor-expressroute.md#collection-and-routing) |
-| Azure Firewall | [Logging for Azure Firewall](../../firewall/logs-and-metrics.md#diagnostic-logs) |
+| Azure Firewall | [Logging for Azure Firewall](../../firewall/diagnostic-logs.md) |
 | Azure Front Door | [Logging for Azure Front Door](../../frontdoor/front-door-diagnostics.md) |
 | Azure Functions | [Monitoring Azure Functions Data Reference Resource Logs](../../azure-functions/monitor-functions-reference.md#resource-logs) |
 | Azure IoT Hub | [IoT Hub operations](../../iot-hub/monitor-iot-hub-reference.md#resource-logs) |
 
@@ -0,0 +1,138 @@
+---
+title: Azure Firewall Diagnostic logs (legacy)
+description: Diagnostic logs are the original Azure Firewall log queries that output log data in an unstructured or free-form text format.
+services: firewall
+author: vhorne
+ms.service: firewall
+ms.topic: article
+ms.date: 12/04/2023
+ms.author: victorh
+---
+
+# Azure Firewall diagnostic logs (legacy)
+
+Diagnostic logs are the original Azure Firewall log queries that output log data in an unstructured or free-form text format.  
+
+The following log categories are supported in Diagnostic logs: 
+
+- Azure Firewall application rule 
+- Azure Firewall network rule 
+- Azure Firewall DNS proxy
+
+## Application rule log
+
+The Application rule log is saved to a storage account, streamed to Event hubs and/or sent to Azure Monitor logs only if you've enabled it for each Azure Firewall. Each new connection that matches one of your configured application rules results in a log for the accepted/denied connection. The data is logged in JSON format, as shown in the following examples:
+
+   ```
+   Category: application rule logs.
+   Time: log timestamp.
+   Properties: currently contains the full message.
+   note: this field will be parsed to specific fields in the future, while maintaining backward compatibility with the existing properties field.
+   ```
+
+   ```json
+   {
+    "category": "AzureFirewallApplicationRule",
+    "time": "2018-04-16T23:45:04.8295030Z",
+    "resourceId": "/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/{resourceName}",
+    "operationName": "AzureFirewallApplicationRuleLog",
+    "properties": {
+        "msg": "HTTPS request from 10.1.0.5:55640 to mydestination.com:443. Action: Allow. Rule Collection: collection1000. Rule: rule1002"
+    }
+   }
+   ```
+
+   ```json
+   {
+     "category": "AzureFirewallApplicationRule",
+     "time": "2018-04-16T23:45:04.8295030Z",
+     "resourceId": "/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/{resourceName}",
+     "operationName": "AzureFirewallApplicationRuleLog",
+     "properties": {
+         "msg": "HTTPS request from 10.11.2.4:53344 to www.bing.com:443. Action: Allow. Rule Collection: ExampleRuleCollection. Rule: ExampleRule. Web Category: SearchEnginesAndPortals"
+     }
+   }
+   ```
+
+## Network rule log
+
+The Network rule log is saved to a storage account, streamed to Event hubs and/or sent to Azure Monitor logs only if you've enabled it for each Azure Firewall. Each new connection that matches one of your configured network rules results in a log for the accepted/denied connection. The data is logged in JSON format, as shown in the following example:
+
+   ```
+   Category: network rule logs.
+   Time: log timestamp.
+   Properties: currently contains the full message.
+   note: this field will be parsed to specific fields in the future, while maintaining backward compatibility with the existing properties field.
+   ```
+
+   ```json
+  {
+    "category": "AzureFirewallNetworkRule",
+    "time": "2018-06-14T23:44:11.0590400Z",
+    "resourceId": "/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/{resourceName}",
+    "operationName": "AzureFirewallNetworkRuleLog",
+    "properties": {
+        "msg": "TCP request from 111.35.136.173:12518 to 13.78.143.217:2323. Action: Deny"
+    }
+   }
+
+   ```
+
+## DNS proxy log
+
+The DNS proxy log is saved to a storage account, streamed to Event hubs, and/or sent to Azure Monitor logs only if you’ve enabled it for each Azure Firewall. This log tracks DNS messages to a DNS server configured using DNS proxy. The data is logged in JSON format, as shown in the following examples:
+
+
+   ```
+   Category: DNS proxy logs.
+   Time: log timestamp.
+   Properties: currently contains the full message.
+   note: this field will be parsed to specific fields in the future, while maintaining backward compatibility with the existing properties field.
+   ```
+
+   Success:
+   ```json
+   {
+     "category": "AzureFirewallDnsProxy",
+     "time": "2020-09-02T19:12:33.751Z",
+     "resourceId": "/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/{resourceName}",
+     "operationName": "AzureFirewallDnsProxyLog",
+     "properties": {
+         "msg": "DNS Request: 11.5.0.7:48197 – 15676 AAA IN md-l1l1pg5lcmkq.blob.core.windows.net. udp 55 false 512 NOERROR - 0 2.000301956s"
+     }
+   }
+   ```
+
+   Failed:
+
+   ```json
+   {
+     "category": "AzureFirewallDnsProxy",
+     "time": "2020-09-02T19:12:33.751Z",
+     "resourceId": "/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/{resourceName}",
+     "operationName": "AzureFirewallDnsProxyLog",
+     "properties": {
+         "msg": " Error: 2 time.windows.com.reddog.microsoft.com. A: read udp 10.0.1.5:49126->168.63.129.160:53: i/o timeout”
+     }
+   }
+   ```
+
+   msg format:
+
+   `[client’s IP address]:[client’s port] – [query ID] [type of the request] [class of the request] [name of the request] [protocol used] [request size in bytes] [EDNS0 DO (DNSSEC OK) bit set in the query] [EDNS0 buffer size advertised in the query] [response CODE] [response flags] [response size] [response duration]`
+
+## Storage
+
+You have three options for storing your logs:
+
+* **Storage account**: Storage accounts are best used for logs when logs are stored for a longer duration and reviewed when needed.
+* **Event hubs**: Event hubs are a great option for integrating with other security information and event management (SEIM) tools to get alerts on your resources.
+* **Azure Monitor logs**: Azure Monitor logs is best used for general real-time monitoring of your application or looking at trends.
+
+## Enable diagnostic logs
+
+To learn how to enable the diagnostic logging using the Azure portal, see [Monitor Azure Firewall logs (legacy) and metrics](firewall-diagnostics.md).
+
+## Next steps
+
+- [Azure Firewall metrics and alerts](metrics.md)
@@ -21,7 +21,7 @@ To maximize the [performance](firewall-performance.md) of your Azure Firewall an
 
 - **High traffic throughput**
 
-    Azure Firewall Standard supports up to 30 Gbps, while Premium supports up to 100 Gbps. For more information, see the [throughput limitations](firewall-performance.md#performance-data). You can monitor your throughput or data processing in Azure Firewall metrics. For more information, see [Azure Firewall metrics](logs-and-metrics.md#metrics).
+    Azure Firewall Standard supports up to 30 Gbps, while Premium supports up to 100 Gbps. For more information, see the [throughput limitations](firewall-performance.md#performance-data). You can monitor your throughput or data processing in Azure Firewall metrics. For more information, see [Azure Firewall metrics and alerts](metrics.md).
 
 - **High Number of Connections**
 
@@ -67,7 +67,7 @@ Use the following best practices for testing and monitoring:
 - **Identify rule hits and performance spikes**
    - Look for spikes in network performance or latency. Correlate rule hit timestamps, such as application rules hit count and network rules hit count, to determine if rule processing is a significant factor contributing to performance or latency issues. By analyzing these patterns, you can identify specific rules or configurations that you might need to optimize.
 - **Add alerts to key metrics**
-   - In addition to regular monitoring, it's crucial to set up alerts for key firewall metrics. This ensures that you're promptly notified when specific metrics surpass predefined thresholds. To configure alerts, see [Azure Firewall logs and metrics](logs-and-metrics.md#alert-on-azure-firewall-metrics) for detailed instructions about setting up effective alerting mechanisms. Proactive alerting enhances your ability to respond swiftly to potential issues and maintain optimal firewall performance.
+   - In addition to regular monitoring, it's crucial to set up alerts for key firewall metrics. This ensures that you're promptly notified when specific metrics surpass predefined thresholds. To configure alerts, see [Azure Firewall logs and metrics](metrics.md#alert-on-azure-firewall-metrics) for detailed instructions about setting up effective alerting mechanisms. Proactive alerting enhances your ability to respond swiftly to potential issues and maintain optimal firewall performance.
 
 ## Next steps