Collect Logs for Azure Web Apps

This page has instructions for collecting logs for the Sumo Logic App for Azure Web Apps.

  • Only General-purpose v2 (GPv2) and Blob storage accounts are supported. This integration does not support General-purpose v1 (GPv1) accounts.
  • Configure your storage account in the same location as your Azure WebApp Service.

Step 1. Configure Azure storage account

In this step you configure a storage account (General-purpose v2 or Blob storage) to which you will export monitoring data for your Azure WebApp service.

If you have a storage account you want to use for this purpose, make a note of its connection string and proceed to Step 2. Otherwise, create a new storage account. For instructions, see Create a storage account in Azure help.

To obtain the connection string for a storage account

  1. In the Azure portal, select Storage accounts in the left pane. 
  2. Select the storage account that you have created for exporting logs.
  3. Under Settings, select Access keys and make a note of the Connection String value in the key1 section.

Step 2. Enable diagnostics in the Azure portal

In this step you will enable Blob Log storage for your Azure web app. For related information see Enable diagnostics logging for web apps in Azure App Service in Azure help.

  1. Log in to
  2. Go to your Azure Web App and click Monitoring > Diagnostics logs.
  3. For Application Logging (Blob) click On.
  4. For Level, select Information.
  5. Click Storage Settings and select the storage account you want to use to store logs for your Web App, the one you created or designated for use in Step 1.
  6. Click Add Container.
  7. For Web server logging select Storage.
  8. Click Storage Settings and select the same settings as you did in Step 5.

Step 3. Configure an HTTP source

In this step, you configure an HTTP source to receive logs from the Azure function.

  1. Select a hosted collector where you want to configure the HTTP source. If desired, create a new hosted collector, as described on Configure a Hosted Collector.
  2. Configure an HTTP source, as described on HTTP Logs and Metrics Source. Make a note of the URL for the source, you will need it in the next step.

Step 4. Configure Azure resources using ARM template

In this step, you use a Sumo-provided Azure Resource Manager (ARM) template to create an Event Hub, three Azure functions, Service Bus Queue, and a Storage Account.

  1. Download the blobreaderdeploy.json ARM template.
  2. Go to Template deployment in the Azure Portal.
  3. Click Create.
  4. On the Custom deployment blade, click Build your own template in the editor.
  5. Copy the contents of the template and paste it into the editor window.
  6. Click Save.
  7. Now you are back on the Custom deployment blade.
    1. Create a new Resource Group (recommended) or select an existing one.
    2. Choose Location.
    3. Set the value of the SumoEndpointURL parameter to the URL for the HTTP source you configured in Step 3.
    4. Set the value of the StorageAcccountConnectionString parameter to the value of the connection string you noted in Step 1.
    5. Agree to the terms and conditions.
    6. Click Purchase.
  8. Verify the deployment was successful by looking at Notifications at top right corner of Azure Portal.
  9. (Optional) In the same window, you can click Go to resource group to verify that all resources were successfully created.
  10. Go to Storage accounts and search for “sumobrlogs”. Click “sumobrlogs<random-string>”.
  11. Under Table Service:
    1. Click Tables.
    2. Click + Table.
    3. For Name, enter “FileOffsetMap”.
  12. Click OK.

Step 5. Create an Event Grid Subscription

  1. In the left pane of Azure portal click All Services. Search for “Event Grid Subscriptions” and click it.
  2. On the Event subscriptions page, click +Event Subscription.
  3. The Create Event Subscription pane appears:
    1. Topic Type. Select Storage Accounts.
    2. Subscription. Select the Subscription.
    3. Resource Group. Select the Resource Group for the Storage Account to which your Azure service will export logs, which you created in Step 1.
    4. Resource. Select the Storage Account you configured in Step 1.
    5. In the Event Types section:
      1. Uncheck the Subscribe to all event types box.
      2. Select Blob Created from the Define Event Types dropdown.
    6. Endpoint Type. Select Event Hubs from the dropdown.
    7. Endpoint. Click on Select an endpoint.
    8. The Select Event Hub popup appears:
      1. Resource Group. Select the resource group you created in Step 4.
      2. Event Hub Namespace. Select SUMOBREventHubNamespace<unique string>.
      3. Event Hub. Select blobreadereventhub from the dropdown.
      4. Click Confirm Selection.
    9. In the Event Subscription Details section:
      1. Name. Enter the subscription name.
      2. Event Schema. Select Event Grid Schema from the dropdown.
    10. In the Filters section, to filter events by container name, enter the following in the Subject Begins With field, replacing <container_name> with the name of the container you created in Step 2:
    11. Click Create.
  4. Verify the deployment was successful by looking at Notifications in the top right corner of the Azure Portal.
If logs don't start flowing into Sumo Logic after you perform the configuration above, see Troubleshoot Azure Blob Storage Log Collection.

Sample Log Message

2017-09-25 23:27:36 eShopCart GET / X-ARR-LOG-ID=9b3056e8-21d5-43f7-8fd7-4aec6b29525e 80 - Mozilla/5.0+(Macintosh+NT+6.3;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/ PHPSESSID=tv2iv6tn8c9su542l464ibaro5;+ARRAffinity=d6c6606b1a249bd37139b09d6c2cb4dd61f6b5cd607f934012aca86bd59515444 - 200 0 0 3098 1008 1000

Query Sample

Traffic over time outlier

| parse regex "\d+-\d+-\d+ \d+:\d+:\d+ (?<s_sitename>\S+) (?<cs_method>\S+) (?<cs_uri_stem>\S+) (?<cs_uri_query>\S+) (?<src_port>\S+) (?<src_user>\S+) (?<client_ip>\S+) (?<cs_user_agent>\S+) (?<cs_cookie>\S+) (?<cs_referrer>\S+) (?<cs_host>\S+) (?<sc_status>\S+) (?<sc_substatus>\S+) (?<sc_win32_status>\S+) (?<sc_bytes>\S+) (?<cs_bytes>\S+) (?<time_taken>\S+)"
| timeslice 5m
| count by _timeslice
| outlier _count
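An added example (not part of this Sumo Logic page or its app) that reproduces the query above offline in Python: the same 17-field regex applied to constructed web-server log lines, a 5-minute timeslice count, and a simple z-score check standing in for Sumo's `outlier` operator (an assumption for illustration, not Sumo's algorithm; hostnames and IPs are fictional). One caveat worth checking before relying on the query: the sample message printed above has only 15 space-separated fields after the timestamp, so the 17-field regex does not match it as shown.

```python
import re
import statistics
from collections import Counter
from datetime import datetime, timedelta

# Same field layout as the page's parse regex: 17 space-separated fields after date and time.
LOG_RE = re.compile(
    r"(?P<date>\d+-\d+-\d+) (?P<time>\d+:\d+:\d+) (?P<s_sitename>\S+) (?P<cs_method>\S+) "
    r"(?P<cs_uri_stem>\S+) (?P<cs_uri_query>\S+) (?P<src_port>\S+) (?P<src_user>\S+) "
    r"(?P<client_ip>\S+) (?P<cs_user_agent>\S+) (?P<cs_cookie>\S+) (?P<cs_referrer>\S+) "
    r"(?P<cs_host>\S+) (?P<sc_status>\S+) (?P<sc_substatus>\S+) (?P<sc_win32_status>\S+) "
    r"(?P<sc_bytes>\S+) (?P<cs_bytes>\S+) (?P<time_taken>\S+)$")

def parse_line(line):
    """Return the named fields of one web-server log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["timestamp"] = datetime.strptime(rec.pop("date") + " " + rec.pop("time"), "%Y-%m-%d %H:%M:%S")
    return rec

def timeslice_counts(lines, minutes=5):
    """Count matching lines per fixed-width bucket, like `timeslice 5m | count by _timeslice`."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # lines the regex rejects are silently dropped, as in the Sumo query
        ts = rec["timestamp"]
        counts[ts - timedelta(minutes=ts.minute % minutes, seconds=ts.second)] += 1
    return dict(sorted(counts.items()))

def outlier_buckets(counts, threshold=3.0):
    """Buckets more than `threshold` standard deviations from the mean count (z-score stand-in)."""
    values = list(counts.values())
    if len(values) < 2 or statistics.pstdev(values) == 0:
        return []
    mean, stdev = statistics.mean(values), statistics.pstdev(values)
    return [b for b, c in counts.items() if abs(c - mean) / stdev > threshold]

def make_line(ts, ip="203.0.113.10", status="200"):
    """Constructed sample line (fictional values) in the same 17-field layout the regex expects."""
    return (f"{ts:%Y-%m-%d %H:%M:%S} eShopCart GET /cart - 80 - {ip} Mozilla/5.0+(X11)+Chrome/ "
            f"- - shop.example.com {status} 0 0 3098 1008 12")

# Constructed traffic: 13 five-minute buckets of 2 requests each, except a burst of 40 in bucket 6.
BASE = datetime(2017, 9, 25, 23, 0, 0)
SAMPLE_LINES = [make_line(BASE + timedelta(minutes=5 * i, seconds=3 * j))
                for i in range(13) for j in range(40 if i == 6 else 2)]
```

Running `outlier_buckets(timeslice_counts(SAMPLE_LINES))` returns only the 23:30 bucket; a line with fewer than 17 fields is dropped before counting.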