Skip to main content
Sumo Logic

Collect Logs for Azure Web Apps

This page has instructions for configuring a pipeline for shipping Azure Web Apps logs from Azure Monitor to an Event Hub, on to an Azure Function, and finally to an HTTP source on a hosted collector in Sumo Logic.. Click a link to jump to a topic:

Solution Overview

The following is how the solution fits together:

  • Azure Monitor collects logs for most Microsoft Azure services, including Azure Web Apps, and streams the data to an Azure Event Hub. 
  • Azure Event Hub is a data streaming platform and event ingestion service. In this pipeline, an Event Hub streams the logs collected by Azure Monitor to an Azure function. 
  • The Azure function is a small piece of code that is triggered by Event Hub to send logs to the Sumo HTTP Source, function logs to one Storage Account, and failover data to another.

Step 1: Configure an HTTP source 

In this task, you configure an HTTP source to receive logs from the Azure function.

To configure an HTTP source for Azure, do the following:

  1. Do one of the following:
  • Select a hosted collector on which to configure the HTTP source.
  • Create a new hosted collector, as described on Configure a Hosted Collector.
  1. Configure an HTTP source, as described on HTTP Logs and Metrics Source. Make a note of the URL for the source, you will need it in the next step. 

Step 2: Configure Azure Resources using ARM template 

To deploy a Sumo provided ARM template, follow the instructions in Step 2 for Collecting logs from Azure monitor.

Step 3: Export logs for a particular Web App to Event Hub

In this task, you enable logs for your Azure Web app. For related information see Enable diagnostics logging for web apps in Azure App Service in the Azure help documentation.

To enable logs for an Azure web app, do the following:

  1. Login to https://portal.azure.com/.
  2. Go to your Azure Web App and in the left pane, go to Monitoring > Diagnostics Settings.

Diagonostic_Settings.png

  1. Diagnostic Settings blade will show all your existing settings if any already exist. Click Edit Setting if you want to change your existing settings, or click Add diagnostic setting to add a new one. 
  2. Select the Stream to an event hub box checkbox.
  3. Select an Azure subscription.
  4. Select the Event Hubs namespace you created in Step 2. It should start with “SumoAzureLogsNamespace<UniqueSuffix>”. 
  5. Select insights-operational-logs from the Select Event hub name dropdown.
  6. Select RootManageSharedAccessKey from Select Event hub policy name dropdown.
  7. Select the checkbox for log types under Category Details which you want to ingest.
  8. Click Save.

Diagonostic_Settings_1.png

Step 4: Export metrics for a particular web app to Event Hub (Optional)

The current Sumo Logic App for Web Apps does not support metric content so this step is optional. For exporting metrics you need to create another diagnostic setting and select All Metrics only with the following Event Hub configurations.

Event Hub Namespace. Namespace created in Step 2 by Metrics ARM template starting with SumoMetricsNamespace<unique suffix>

Event Hub Name. insights-metrics-pt1m

Event Hub Policy. RootManageSharedAccessKey

Exportmetrics.png

Troubleshooting 

If logs are not flowing into Sumo Logic, see Troubleshooting

Sample Log Message

2017-09-25 23:27:36 eShopCart GET / X-ARR-LOG-ID=9b3056e8-21d5-43f7-8fd7-4aec6b29525e 
80 - 60.4.192.44 Mozilla/5.0+(Macintosh+NT+6.3;+WOW64)+AppleWebKit/537.36+(KHTML,
+like+Gecko)+Chrome/60.4.192.44+Safari/537.36 PHPSESSID=tv2iv6tn8c9su542l464ibaro5;
+ARRAffinity=d6c6606b1a249bd37139b09d6c2cb4dd61f6b5cd607f934012aca86bd59515444 - 
eShopCart.azurewebsites.net 200 0 0 3098 1008 1000

Query Sample

Traffic over time outlier

_sourceCategory=Azure/Web-app
| parse regex "\d+-\d+-\d+ \d+:\d+:\d+ (?<s_sitename>\S+) (?<cs_method>\S+) (?<cs_uri_stem>\S+) (?<cs_uri_query>\S+) (?<src_port>\S+) (?<src_user>\S+) (?<client_ip>\S+) (?<cs_user_agent>\S+) (?<cs_cookie>\S+) (?<cs_referrer>\S+) (?<cs_host>\S+) (?<sc_status>\S+) (?<sc_substatus>\S+) (?<sc_win32_status>\S+) (?<sc_bytes>\S+) (?<cs_bytes>\S+) (?<time_taken>\S+)"
| timeslice 5m
| count by _timeslice
| outlier _count