Collect Logs for Azure Web Apps
This page has instructions for configuring a pipeline for shipping Azure Web Apps logs from Azure Monitor to an Event Hub, on to an Azure Function, and finally to an HTTP source on a hosted collector in Sumo Logic. Click a link to jump to a topic:
- Solution Overview
- Configure an HTTP source
- Configure Azure resources using ARM template
- Export logs for a particular Web App to Event Hub
- Export metrics for a particular web app to Event Hub (Optional)
- Troubleshooting
- Sample Log Message
- Query Sample
Solution Overview
The following is how the solution fits together:
- Azure Monitor collects logs for most Microsoft Azure services, including Azure Web Apps, and streams the data to an Azure Event Hub.
- Azure Event Hub is a data streaming platform and event ingestion service. In this pipeline, an Event Hub streams the logs collected by Azure Monitor to an Azure function.
- The Azure function is a small piece of code that is triggered by Event Hub to send logs to the Sumo HTTP Source, function logs to one Storage Account, and failover data to another.
Configure an HTTP source
In this task, you configure an HTTP source to receive logs from the Azure function.
To configure an HTTP source for Azure, do the following:
- Do one of the following:
- Select a hosted collector on which to configure the HTTP source.
- Create a new hosted collector, as described on Configure a Hosted Collector.
- Configure an HTTP source, as described on HTTP Logs and Metrics Source. Make a note of the URL for the source, you will need it in the next step.
Configure Azure Resources using ARM template
Export logs for a particular Web App to Event Hub
In this task, you enable logs for your Azure Web app. For related information see Enable diagnostics logging for web apps in Azure App Service in the Azure help documentation.
To enable logs for an Azure web app, do the following:
- Login to https://portal.azure.com/.
- Go to your Azure Web App and in the left pane, go to Monitoring > Diagnostics Settings.
- Diagnostic Settings blade will show all your existing settings if any already exist. Click Edit Setting if you want to change your existing settings, or click Add diagnostic setting to add a new one.
- Select the Stream to an event hub box checkbox.
- Select an Azure subscription.
- Select the Event Hubs namespace you created in Step 2. It should start with
“SumoAzureLogsNamespace<UniqueSuffix>”.
- Select insights-operational-logs from the Select Event hub name dropdown.
- Select RootManageSharedAccessKey from Select Event hub policy name dropdown.
- Select the checkbox for log types under Category Details which you want to ingest.
- Click Save.
Export metrics for a particular web app to Event Hub (Optional)
The current Sumo Logic App for Web Apps does not support metric content so this step is optional. For exporting metrics you need to create another diagnostic setting and select All Metrics only with the following Event Hub configurations.
Event Hub Namespace. Namespace created in Step 2 by Metrics ARM template starting with SumoMetricsNamespace<unique suffix>
Event Hub Name. insights-metrics-pt1m
Event Hub Policy. RootManageSharedAccessKey
Troubleshooting
If logs are not flowing into Sumo Logic, see Troubleshooting.
Sample Log Message
2017-09-25 23:27:36 eShopCart GET / X-ARR-LOG-ID=9b3056e8-21d5-43f7-8fd7-4aec6b29525e 80 - 60.4.192.44 Mozilla/5.0+(Macintosh+NT+6.3;+WOW64)+AppleWebKit/537.36+(KHTML, +like+Gecko)+Chrome/60.4.192.44+Safari/537.36 PHPSESSID=tv2iv6tn8c9su542l464ibaro5; +ARRAffinity=d6c6606b1a249bd37139b09d6c2cb4dd61f6b5cd607f934012aca86bd59515444 - eShopCart.azurewebsites.net 200 0 0 3098 1008 1000
Query Sample
Traffic over time outlier
_sourceCategory=Azure/Web-app
| parse regex "\d+-\d+-\d+ \d+:\d+:\d+ (?<s_sitename>\S+) (?<cs_method>\S+) (?<cs_uri_stem>\S+) (?<cs_uri_query>\S+) (?<src_port>\S+) (?<src_user>\S+) (?<client_ip>\S+) (?<cs_user_agent>\S+) (?<cs_cookie>\S+) (?<cs_referrer>\S+) (?<cs_host>\S+) (?<sc_status>\S+) (?<sc_substatus>\S+) (?<sc_win32_status>\S+) (?<sc_bytes>\S+) (?<cs_bytes>\S+) (?<time_taken>\S+)"
| timeslice 5m
| count by _timeslice
| outlier _count