This page has instructions for configuring a pipeline for shipping Azure Web Apps logs from Azure Monitor to an Event Hub, on to an Azure Function, and finally to an HTTP source on a hosted collector in Sumo Logic. Click a link to jump to a topic:
- Solution Overview
- Configure an HTTP source
- Configure Azure resources using ARM template
- Export logs for a particular Web App to Event Hub
- Export metrics for a particular web app to Event Hub (Optional)
- Sample Log Message
- Query Sample
The following is how the solution fits together:
- Azure Monitor collects logs for most Microsoft Azure services, including Azure Web Apps, and streams the data to an Azure Event Hub.
- Azure Event Hub is a data streaming platform and event ingestion service. In this pipeline, an Event Hub streams the logs collected by Azure Monitor to an Azure function.
- The Azure function is a small piece of code that is triggered by Event Hub to send logs to the Sumo HTTP Source, function logs to one Storage Account, and failover data to another.
Configure an HTTP source
In this task, you configure an HTTP source to receive logs from the Azure function.
To configure an HTTP source for Azure, do the following:
- Do one of the following:
- Select a hosted collector on which to configure the HTTP source.
- Create a new hosted collector, as described on Configure a Hosted Collector.
- Configure an HTTP source, as described on HTTP Logs and Metrics Source. Make a note of the URL for the source, you will need it in the next step.
Configure Azure Resources using ARM template
In this step, you use a Sumo-provided Azure Resource Manager (ARM) template to create an Event Hub, an Azure function and two Storage Accounts. The Azure function is triggered by Event Hub. Two storage accounts are used to store log messages from the Azure function and failover data from Event Hub.
- Download the azuredeploy_logs.json ARM template.
- Go to Template deployment in the Azure Portal.
- Click Create.
- On the Custom deployment blade, click Build your own template in the editor.
- Copy the contents of
azuredeploy_logs.json, and paste it into the editor window.
- Click Save.
- Now you are back on the Custom deployment blade.
- Create a new Resource Group (recommended) or select an existing one.
- Choose Location.
- In the Sumo Endpoint URL field, enter the URL of the HTTP Source you configured in Step 1.
- Agree to the terms and conditions.
- Click Purchase.
- Verify the deployment was successful by looking at Notifications at the top right corner of Azure Portal.
- (Optional) In the same window, you can click Go to resource group to verify all resources have been created successfully. You will see something like this:
- Go to Storage accounts and search for “sumofailmsg”. Click on “sumofailmsg<random-string>”.
- Under Blob Service, click Containers, then click + Container, enter the Name azureaudit-failover, and select Private for the Public Access Level. Click OK.
Export logs for a particular Web App to Event Hub
In this task, you enable logs for your Azure Web app. For related information see Enable diagnostics logging for web apps in Azure App Service in the Azure help documentation.
To enable logs for an Azure web app, do the following:
- Login to https://portal.azure.com/.
- Go to your Azure Web App and in the left pane, go to Monitoring > Diagnostics Settings.
- Diagnostic Settings blade will show all your existing settings if any already exist. Click Edit Setting if you want to change your existing settings, or click Add diagnostic setting to add a new one.
- Select the Stream to an event hub box checkbox.
- Select an Azure subscription.
- Select the Event Hubs namespace you created in Step 2. It should start with
- Select insights-operational-logs from the Select Event hub name dropdown.
- Select RootManageSharedAccessKey from Select Event hub policy name dropdown.
- Select the checkbox for log types under Category Details which you want to ingest.
- Click Save.
Export metrics for a particular web app to Event Hub (Optional)
The current Sumo Logic App for Web Apps does not support metric content so this step is optional. For exporting metrics you need to create another diagnostic setting and select All Metrics only with the following Event Hub configurations.
Event Hub Namespace. Namespace created in Step 2 by Metrics ARM template starting with
Event Hub Name.
Event Hub Policy. RootManageSharedAccessKey
If logs are not flowing into Sumo Logic, see Troubleshooting.
Sample Log Message
2017-09-25 23:27:36 eShopCart GET / X-ARR-LOG-ID=9b3056e8-21d5-43f7-8fd7-4aec6b29525e 80 - 184.108.40.206 Mozilla/5.0+(Macintosh+NT+6.3;+WOW64)+AppleWebKit/537.36+(KHTML, +like+Gecko)+Chrome/220.127.116.11+Safari/537.36 PHPSESSID=tv2iv6tn8c9su542l464ibaro5; +ARRAffinity=d6c6606b1a249bd37139b09d6c2cb4dd61f6b5cd607f934012aca86bd59515444 - eShopCart.azurewebsites.net 200 0 0 3098 1008 1000
Traffic over time outlier
| parse regex "\d+-\d+-\d+ \d+:\d+:\d+ (?<s_sitename>\S+) (?<cs_method>\S+) (?<cs_uri_stem>\S+) (?<cs_uri_query>\S+) (?<src_port>\S+) (?<src_user>\S+) (?<client_ip>\S+) (?<cs_user_agent>\S+) (?<cs_cookie>\S+) (?<cs_referrer>\S+) (?<cs_host>\S+) (?<sc_status>\S+) (?<sc_substatus>\S+) (?<sc_win32_status>\S+) (?<sc_bytes>\S+) (?<cs_bytes>\S+) (?<time_taken>\S+)"
| timeslice 5m
| count by _timeslice
| outlier _count