|
1 | 1 | --- |
2 | | -title: 'Tutorial: View and configure Azure DDoS Protection diagnostic logging' |
3 | | -description: Learn how to configure reports and flow logs. |
| 2 | +title: 'Configure Azure DDoS Protection diagnostic logging through portal' |
| 3 | +description: Learn how to configure Azure DDoS Protection diagnostic logs. |
4 | 4 | services: ddos-protection |
5 | 5 | author: AbdullahBell |
6 | 6 | ms.service: ddos-protection |
7 | | -ms.topic: tutorial |
8 | | -ms.custom: ignite-2022 |
| 7 | +ms.topic: how-to |
9 | 8 | ms.workload: infrastructure-services |
10 | | -ms.date: 10/12/2022 |
| 9 | +ms.date: 03/14/2023 |
11 | 10 | ms.author: abell |
12 | 11 | --- |
13 | 12 |
|
14 | | -# Tutorial: View and configure Azure DDoS Protection diagnostic logging |
| 13 | +# Configure Azure DDoS Protection diagnostic logging through portal |
15 | 14 |
|
16 | | -Azure DDoS Protection provides detailed attack insights and visualization with DDoS Attack Analytics. Customers protecting their virtual networks against DDoS attacks have detailed visibility into attack traffic and actions taken to mitigate the attack via attack mitigation reports & mitigation flow logs. Rich telemetry is exposed via Azure Monitor including detailed metrics during the duration of a DDoS attack. Alerting can be configured for any of the Azure Monitor metrics exposed by DDoS Protection. Logging can be further integrated with [Microsoft Sentinel](../sentinel/data-connectors/azure-ddos-protection.md), Splunk (Azure Event Hubs), OMS Log Analytics, and Azure Storage for advanced analysis via the Azure Monitor Diagnostics interface. |
17 | | - |
18 | | -The following diagnostic logs are available for Azure DDoS Protection: |
19 | | - |
20 | | -- **DDoSProtectionNotifications**: Notifications will notify you anytime a public IP resource is under attack, and when attack mitigation is over. |
21 | | -- **DDoSMitigationFlowLogs**: Attack mitigation flow logs allow you to review the dropped traffic, forwarded traffic and other interesting data-points during an active DDoS attack in near-real time. You can ingest the constant stream of this data into Microsoft Sentinel or to your third-party SIEM systems via event hub for near-real time monitoring, take potential actions and address the need of your defense operations. |
22 | | -- **DDoSMitigationReports**: Attack mitigation reports use the Netflow protocol data, which is aggregated to provide detailed information about the attack on your resource. Anytime a public IP resource is under attack, the report generation will start as soon as the mitigation starts. There will be an incremental report generated every 5 mins and a post-mitigation report for the whole mitigation period. This is to ensure that in an event the DDoS attack continues for a longer duration of time, you'll be able to view the most current snapshot of mitigation report every 5 minutes and a complete summary once the attack mitigation is over. |
23 | | -- **AllMetrics**: Provides all possible metrics available during the duration of a DDoS attack. |
24 | | - |
25 | | -In this tutorial, you'll learn how to: |
26 | | - |
27 | | -> [!div class="checklist"] |
28 | | -> * Configure Azure DDoS Protection diagnostic logs, including notifications, mitigation reports and mitigation flow logs. |
29 | | -> * Enable diagnostic logging on all public IPs in a defined scope. |
30 | | -> * View log data in workbooks. |
| 15 | +In this guide, you'll learn how to configure Azure DDoS Protection diagnostic logs, including notifications, mitigation reports and mitigation flow logs. |
31 | 16 |
|
32 | 17 | ## Prerequisites |
33 | 18 |
|
34 | 19 | - If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. |
35 | | -- Before you can complete the steps in this tutorial, you must first create a [Azure DDoS protection plan](manage-ddos-protection.md). DDoS Network Protection must be enabled on a virtual network or DDoS IP Protection must be enabled on a public IP address. |
36 | | -- DDoS monitors public IP addresses assigned to resources within a virtual network. If you don't have any resources with public IP addresses in the virtual network, you must first create a resource with a public IP address. You can monitor the public IP address of all resources deployed through Resource Manager (not classic) listed in [Virtual network for Azure services](../virtual-network/virtual-network-for-azure-services.md#services-that-can-be-deployed-into-a-virtual-network) (including Azure Load Balancers where the backend virtual machines are in the virtual network), except for Azure App Service Environments. To continue with this tutorial, you can quickly create a [Windows](../virtual-machines/windows/quick-create-portal.md?toc=%2fazure%2fvirtual-network%2ftoc.json) or [Linux](../virtual-machines/linux/quick-create-portal.md?toc=%2fazure%2fvirtual-network%2ftoc.json) virtual machine. |
37 | | - |
38 | | -## Configure Azure DDoS Protection diagnostic logs |
39 | | - |
40 | | -If you want to automatically enable diagnostic logging on all public IPs within an environment, skip to [Enable diagnostic logging on all public IPs](#enable-diagnostic-logging-on-all-public-ips). |
41 | | - |
42 | | -1. Select **All services** on the top, left of the portal. |
43 | | -1. Enter *Monitor* in the **Filter** box. When **Monitor** appears in the results, select it. |
44 | | -1. Under **Settings**, select **Diagnostic Settings**. |
45 | | -1. Select the **Subscription** and **Resource group** that contain the public IP address you want to log. |
46 | | -1. Select **Public IP Address** for **Resource type**, then select the specific public IP address you want to enable logs for. |
47 | | -1. Select **Add diagnostic setting**. Under **Category Details**, select as many of the following options you require, and then select **Save**. |
48 | | - |
49 | | - :::image type="content" source="./media/ddos-attack-telemetry/ddos-diagnostic-settings.png" alt-text="Screenshot of DDoS diagnostic settings." lightbox="./media/ddos-attack-telemetry/ddos-diagnostic-settings.png"::: |
50 | | - |
51 | | - |
52 | | -1. Under **Destination details**, select as many of the following options as you require: |
53 | | - |
54 | | - - **Archive to a storage account**: Data is written to an Azure Storage account. To learn more about this option, see [Archive resource logs](../azure-monitor/essentials/resource-logs.md?toc=%2fazure%2fvirtual-network%2ftoc.json#send-to-azure-storage). |
55 | | - - **Stream to an event hub**: Allows a log receiver to pick up logs using Azure Event Hubs. Event hubs enable integration with Splunk or other SIEM systems. To learn more about this option, see [Stream resource logs to an event hub](../azure-monitor/essentials/resource-logs.md?toc=%2fazure%2fvirtual-network%2ftoc.json#send-to-azure-event-hubs). |
56 | | - - **Send to Log Analytics**: Writes logs to the Azure Monitor service. To learn more about this option, see [Collect logs for use in Azure Monitor logs](../azure-monitor/essentials/resource-logs.md?toc=%2fazure%2fvirtual-network%2ftoc.json#send-to-log-analytics-workspace). |
57 | | - |
58 | | -### Query Azure DDOS Protection logs in log analytics workspace |
59 | | - |
60 | | -For more information on log schemas, see [Monitoring Azure DDoS Protection](monitor-ddos-protection-reference.md#diagnostic-logs). |
61 | | -#### DDoSProtectionNotifications logs |
| 20 | +- Before you can complete the steps in this guide, you must first create a [Azure DDoS protection plan](manage-ddos-protection.md). DDoS Network Protection must be enabled on a virtual network or DDoS IP Protection must be enabled on a public IP address. |
| 21 | +- In order to use diagnostic logging, you must first create a [Log Analytics workspace with diagnostic settings enabled](ddos-configure-log-analytics-workspace.md). |
| 22 | +- DDoS monitors public IP addresses assigned to resources within a virtual network. If you don't have any resources with public IP addresses in the virtual network, you must first create a resource with a public IP address. You can monitor the public IP address of all resources deployed through Resource Manager (not classic) listed in [Virtual network for Azure services](../virtual-network/virtual-network-for-azure-services.md#services-that-can-be-deployed-into-a-virtual-network) (including Azure Load Balancers where the backend virtual machines are in the virtual network), except for Azure App Service Environments. To continue with this guide, you can quickly create a [Windows](../virtual-machines/windows/quick-create-portal.md?toc=%2fazure%2fvirtual-network%2ftoc.json) or [Linux](../virtual-machines/linux/quick-create-portal.md?toc=%2fazure%2fvirtual-network%2ftoc.json) virtual machine. |
62 | 23 |
|
63 | | -1. Under the **Log analytics workspaces** blade, select your log analytics workspace. |
| 24 | +## Configure diagnostic logs |
64 | 25 |
|
65 | | -1. Under **General**, select on **Logs** |
| 26 | +1. Sign in to the [Azure portal](https://portal.azure.com/). |
| 27 | +1. In the search box at the top of the portal, enter **Monitor**. Select **Monitor** in the search results. |
| 28 | +1. Select **Diagnostic Settings** under **Settings** in the left pane, then select the following information in the **Diagnostic settings** page. Next, select **Add diagnostic setting**. |
66 | 29 |
|
67 | | -1. In Query explorer, type in the following Kusto Query and change the time range to Custom and change the time range to last three months. Then hit Run. |
| 30 | + :::image type="content" source="./media/ddos-attack-telemetry/ddos-monitor-diagnostic-settings.png" alt-text="Screenshot of Monitor diagnostic settings."::: |
68 | 31 |
|
69 | | - ```kusto |
70 | | - AzureDiagnostics |
71 | | - | where Category == "DDoSProtectionNotifications" |
72 | | - ``` |
| 32 | + | Setting | Value | |
| 33 | + |--|--| |
| 34 | + |Subscription | Select the **Subscription** that contains the public IP address you want to log. | |
| 35 | + | Resource group | Select the **Resource group** that contains the public IP address you want to log. | |
| 36 | + |Resource type | Select **Public IP Addresses**.| |
| 37 | + |Resource | Select the specific **Public IP address** you want to log metrics for. | |
73 | 38 |
|
74 | | -1. To view **DDoSMitigationFlowLogs** change the query to the following and keep the same time range and hit Run. |
| 39 | +1. On the *Diagnostic setting* page, under *Destination details*, select **Send to Log Analytics workspace**, then enter the following information, then select **Save**. |
75 | 40 |
|
76 | | - ```kusto |
77 | | - AzureDiagnostics |
78 | | - | where Category == "DDoSMitigationFlowLogs" |
79 | | - ``` |
| 41 | + :::image type="content" source="./media/ddos-attack-telemetry/ddos-public-ip-diagnostic-setting.png" alt-text="Screenshot of DDoS diagnostic settings."::: |
80 | 42 |
|
81 | | -1. To view **DDoSMitigationReports** change the query to the following and keep the same time range and hit Run. |
| 43 | + | Setting | Value | |
| 44 | + |--|--| |
| 45 | + | Diagnostic setting name | Enter **myDiagnosticSettings**. | |
| 46 | + |**Logs**| Select **allLogs**.| |
| 47 | + |**Metrics**| Select **AllMetrics**. | |
| 48 | + |**Destination details**| Select **Send to Log Analytics workspace**.| |
| 49 | + | Subscription | Select your Azure subscription. | |
| 50 | + | Log Analytics Workspace | Select **myLogAnalyticsWorkspace**. | |
82 | 51 |
|
83 | | - ```kusto |
84 | | - AzureDiagnostics |
85 | | - | where Category == "DDoSMitigationReports" |
86 | | - ``` |
87 | 52 |
|
88 | | -## Enable diagnostic logging on all public IPs |
| 53 | +## Validate |
89 | 54 |
|
90 | | -This [built-in policy](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F752154a7-1e0f-45c6-a880-ac75a7e4f648) automatically enables diagnostic logging on all public IP logs in a defined scope. See [Azure Policy built-in definitions for Azure DDoS Protection](policy-reference.md) for full list of built-in policies. |
| 55 | +1. In the search box at the top of the portal, enter **Monitor**. Select **Monitor** in the search results. |
| 56 | +1. Select **Diagnostic Settings** under **Settings** in the left pane, then select the following information in the **Diagnostic settings** page: |
| 57 | + :::image type="content" source="./media/ddos-attack-telemetry/ddos-monitor-diagnostic-settings-enabled.png" alt-text="Screenshot of Monitor public ip diagnostic settings enabled."::: |
91 | 58 |
|
92 | | -## View log data in workbooks |
| 59 | + | Setting | Value | |
| 60 | + |--|--| |
| 61 | + |Subscription | Select the **Subscription** that contains the public IP address. | |
| 62 | + | Resource group | Select the **Resource group** that contains the public IP address. | |
| 63 | + |Resource type | Select **Public IP Addresses**.| |
93 | 64 |
|
94 | | -### Microsoft Sentinel data connector |
95 | | -
|
96 | | -You can connect logs to Microsoft Sentinel, view and analyze your data in workbooks, create custom alerts, and incorporate it into investigation processes. To connect to Microsoft Sentinel, see [Connect to Microsoft Sentinel](../sentinel/data-connectors/azure-ddos-protection.md). |
97 | | -
|
98 | | -
|
99 | | -:::image type="content" source="./media/ddos-attack-telemetry/azure-sentinel-ddos.png" alt-text="Screenshot of Microsoft Sentinel DDoS Connector." lightbox="./media/ddos-attack-telemetry/azure-sentinel-ddos.png"::: |
100 | | -
|
101 | | -### Azure DDoS Protection workbook |
102 | | -
|
103 | | -You can use [this Azure Resource Manager (ARM) template](https://aka.ms/ddosworkbook) to deploy an attack analytics workbook. This workbook allows you to visualize attack data across several filterable panels to easily understand what’s at stake. |
104 | | -
|
105 | | -[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Network-Security%2Fmaster%2FAzure%20DDoS%20Protection%2FWorkbook%20-%20Azure%20DDOS%20monitor%20workbook%2FAzureDDoSWorkbook_ARM.json) |
106 | | -
|
107 | | -
|
108 | | -:::image type="content" source="./media/ddos-attack-telemetry/ddos-attack-analytics-workbook.png" alt-text="Screenshot of Azure DDoS Protection Workbook." lightbox="./media/ddos-attack-telemetry/ddos-attack-analytics-workbook.png"::: |
109 | | -
|
110 | | -## Validate and test |
111 | | -
|
112 | | -To simulate a DDoS attack to validate your logs, see [Test with simulation partners](test-through-simulations.md). |
| 65 | +1. Confirm your *Diagnostic status* is **Enabled**. |
113 | 66 |
|
114 | 67 | ## Next steps |
115 | 68 |
|
116 | | -In this tutorial, you learned how to: |
117 | | -
|
118 | | -- Configure Azure DDoS Protection diagnostic logs, including notifications, mitigation reports and mitigation flow logs. |
119 | | -- Enable diagnostic logging on all public IPs in a defined scope. |
120 | | -- View log data in workbooks. |
| 69 | +In this guide, you learned how to configure Azure DDoS Protection diagnostic logs, including notifications, mitigation reports and mitigation flow logs. |
121 | 70 |
|
122 | | -To learn how to configure attack alerts, continue to the next tutorial. |
| 71 | +To learn how to configure attack alerts, continue to the next guide. |
123 | 72 |
|
124 | 73 | > [!div class="nextstepaction"] |
125 | | -> [View and configure DDoS protection alerts](alerts.md) |
| 74 | +> [Configure DDoS protection alerts](alerts.md) |
0 commit comments