
Commit cb0f35f

Merge pull request #302728 from Miskatonic-Electronic/patch-61
Update web-application-firewall-logs.md
2 parents d1bfde3 + b569be3 commit cb0f35f

1 file changed

+67
-0
lines changed


articles/web-application-firewall/ag/web-application-firewall-logs.md

Lines changed: 67 additions & 0 deletions
@@ -214,7 +214,11 @@ The performance log is generated only if you have enabled it on each Application
214214

215215
The firewall log is generated only if you have enabled it for each application gateway, as detailed in the preceding steps. This log also requires that the web application firewall is configured on an application gateway. The data is stored in the destination that you specified when you enabled the logging. The following data is logged:
216216

217+
# [Application Gateway](#tab/AppGW)
217218

219+
## <a name="AppGW"></a> Application Gateway
220+
221+
### <a name="AppGW-Format"></a> Log Format
218222
|Value |Description |
219223
|---------|---------|
220224
|instanceId | Application Gateway instance for which firewall data is being generated. For a multiple-instance application gateway, there is one row per instance. |
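Review bot: the `## <a name="AppGW"></a> Application Gateway` heading added directly under the `# [Application Gateway](#tab/AppGW)` tab header repeats the tab label as a second visible heading inside the tab; consider dropping it and hanging the anchor on `### <a name="AppGW-Format"></a> Log Format` so the tab opens with the field table. Also, this hunk opens a tab group but the terminator only appears at the end of the AGC section as `----`; confirm the build accepts four hyphens there, since the tab-group closer is normally written as `---`.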
@@ -237,6 +241,7 @@ The firewall log is generated only if you have enabled it for each application g
237241
|policyScope | The location of the policy - values can be "Global", "Listener", or "Location". |
238242
|policyScopeName | The name of the object where the policy is applied. |
239243

244+
### <a name="AppGW-Example"></a> Example
240245
```json
241246
{
242247
"resourceId": "/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/{applicationGatewayName}",
@@ -271,6 +276,68 @@ The firewall log is generated only if you have enabled it for each application g
271276

272277
```
273278

279+
# [Application Gateway for Containers](#tab/AGC)
280+
281+
## <a name="AGC"></a> Application Gateway for Containers
282+
| Value | Description |
283+
|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
284+
| TimeGenerated | Time (UTC) when the log was created. |
285+
| OperationName | Name of the operation. |
286+
| InstanceId | Application Gateway instance for which firewall data is being generated. For a multiple-instance application gateway, there is one row per instance. |
287+
| ClientIp | Originating IP for the request. |
288+
| ClientPort | Originating port for the request. |
289+
| Action | Action taken on the request. Available values are Blocked and Allowed (for custom rules), Matched (when a rule matches a part of the request), and Detected and Blocked (these are both for mandatory rules). |
290+
| Message | User-friendly message for the triggering event. More details are provided in the details section. |
291+
| DetailedMessage | Description of the rule for the triggered event. |
292+
| DetailedData | Specific data found in request that matched the rule for the triggered event. |
293+
| FileDetails | Configuration file that contained the rule for the triggered event. |
294+
| LineDetails | Line number in the configuration file that triggered the event. |
295+
| Hostname | Hostname or IP address of the Application Gateway. |
296+
| PolicyId | Resource ID of the web application firewall policy. |
297+
| PolicyScope | A named scope consisting of Kubernetes resource references the scope is applied to. |
298+
| PolicyScopeName | The name to the type of scope assignment the web application firewall policy is assigned to. |
299+
| RequestUri | URL of the received request. |
300+
| RuleSetType | Rule set type. The available value is Microsoft_DefaultRuleSet or Microsoft_BotManagerRuleSet. |
301+
| RuleSetVersion | Rule set version used for Microsoft_DefaultRuleSet or Microsoft_BotManagerRuleSet. |
302+
| RuleId | Rule ID of the triggering event. |
303+
| TrackingId | Generated guid by Application Gateway
304+
305+
### <a name="AGC-Format"></a> Log Format
306+
```json
307+
{
308+
"timeStamp": "2025-06-17T20:06:05+00:00",
309+
"resourceId": "/SUBSCRIPTIONS/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/RESOURCEGROUPS/YYYYYY/PROVIDERS/MICROSOFT.SERVICENETWORKING/TRAFFICCONTROLLERS/ZZZZZZZ",
310+
"operationName": "TrafficControllerFirewall",
311+
"category": "TrafficControllerFirewallLog",
312+
"properties": {
313+
"instanceId": "8a02ae47-8435-4f3d-84a5-6f5ded3763f5",
314+
"clientIp": "xxx.xxx.xxx.xxx",
315+
"requestUri": "\/?1=1=1",
316+
"ruleSetType": "Microsoft_DefaultRuleSet",
317+
"ruleSetVersion": "2.1",
318+
"ruleId": "949110",
319+
"ruleGroup": "BLOCKING-EVALUATION",
320+
"message": "Inbound Anomaly Score Exceeded (Total Score: 5)",
321+
"action": "Blocked",
322+
"details": {
323+
"message": "Greater and Equal to Tx:inbound_anomaly_score_threshold at TX:anomaly_score.",
324+
"data": "",
325+
"file": "BLOCKING-EVALUATION.conf",
326+
"line": "36"
327+
},
328+
"hostName": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.fzXX.alb.azure.com",
329+
"trackingId": "0ef125db-7fb7-48a0-b3fe-03fe0ffed873",
330+
"policyId": "/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/resourceGroups/YYYYYY/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/ZZZZZZZ",
331+
"policyScope": "HTTPRoute-test-infra-contoso-waf-route-rule-0-match-0-waf.fzXX.alb.azure.com",
332+
"policyScopeName": "Route",
333+
"engine": "Azwaf"
334+
},
335+
"location": "northcentralus"
336+
}
337+
```
338+
339+
----
340+
274341
## View and analyze the activity log
275342

276343
You can view and analyze activity log data by using any of the following methods:
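Review bot: the `| TrackingId | Generated guid by Application Gateway` row is missing its closing `|` and will not render as a table cell; it should read `| TrackingId | GUID generated by Application Gateway for Containers. |`. The `### <a name="AGC-Format"></a> Log Format` heading here labels the JSON sample, while in the AppGW tab "Log Format" is the field table and the sample is under "Example"; rename this one to `### <a name="AGC-Example"></a> Example` so the two tabs match. The table and the sample also disagree: the table lists `TimeGenerated`, `ClientPort`, `FileDetails` and `LineDetails`, but the sample carries `timeStamp`, `details.file`, `details.line` and no client port, and the sample's `category`, `ruleGroup`, `engine` and `location` keys are not described at all; either align the table with the JSON keys or state that the table gives the Log Analytics column names. Finally, `InstanceId` and `Hostname` still say "Application Gateway" rather than "Application Gateway for Containers", and "The name to the type of scope assignment" in `PolicyScopeName` needs rewording (for example, "The name of the scope the policy is assigned to.").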
