
Collect Logs for Azure Web Apps

This page has instructions for configuring a pipeline for shipping Azure Web Apps logs from Azure Monitor to an Event Hub, on to an Azure Function, and finally to an HTTP source on a hosted collector in Sumo Logic.

Solution Overview

The solution fits together as follows:

  • Azure Monitor collects logs for most Microsoft Azure services, including Azure Web Apps, and streams the data to an Azure Event Hub. 
  • Azure Event Hub is a data streaming platform and event ingestion service. In this pipeline, an Event Hub streams the logs collected by Azure Monitor to an Azure function. 
  • The Azure function is a small piece of code that is triggered by Event Hub to send logs to the Sumo HTTP Source, function logs to one Storage Account, and failover data to another.

Configure an HTTP source 

In this task, you configure an HTTP source to receive logs from the Azure function.

To configure an HTTP source for Azure, do the following:

  1. Do one of the following:
    • Select a hosted collector on which to configure the HTTP source.
    • Create a new hosted collector, as described on Configure a Hosted Collector.
  2. Configure an HTTP source, as described on HTTP Logs and Metrics Source. Make a note of the URL for the source; you will need it in the next step.

Configure Azure Resources using ARM template 

In this step, you use a Sumo-provided Azure Resource Manager (ARM) template to create an Event Hub, an Azure function and two Storage Accounts. The Azure function is triggered by Event Hub. Two storage accounts are used to store log messages from the Azure function and failover data from Event Hub.

  1. Download the azuredeploy_logs.json ARM template.
  2. Go to Template deployment in the Azure Portal.
  3. Click Create.
  4. On the Custom deployment blade, click Build your own template in the editor.
  5. Copy the contents of azuredeploy_logs.json, and paste it into the editor window.
  6. Click Save.
  7. Now you are back on the Custom deployment blade.
    1. Create a new Resource Group (recommended) or select an existing one.
    2. Choose Location.
    3. In the Sumo Endpoint URL field, enter the URL of the HTTP Source you configured in Step 1.
    4. Agree to the terms and conditions.
    5. Click Purchase.
  8. Verify the deployment was successful by looking at Notifications at the top right corner of Azure Portal.
  9. (Optional) In the same window, you can click Go to resource group to verify all resources have been created successfully. You will see something like this:
  10. Go to Storage accounts and search for “sumofailmsg”. Click on “sumofailmsg<random-string>”.
  11. Under Blob Service, click Containers, then click + Container, enter the Name azureaudit-failover, and select Private for the Public Access Level. Click OK.

Export logs for a particular Web App to Event Hub

In this task, you enable logs for your Azure Web App. For related information, see Enable diagnostics logging for web apps in Azure App Service in the Azure help documentation.

To enable logs for an Azure web app, do the following:

  1. Login to
  2. Go to your Azure Web App and in the left pane, go to Monitoring > Diagnostics Settings.


  3. The Diagnostic Settings blade shows your existing settings, if any. Click Edit Setting to change an existing setting, or click Add diagnostic setting to add a new one.
  4. Select the Stream to an event hub checkbox.
  5. Select an Azure subscription.
  6. Select the Event Hubs namespace you created in Step 2. It should start with “SumoAzureLogsNamespace<UniqueSuffix>”.
  7. Select insights-operational-logs from the Select Event hub name dropdown.
  8. Select RootManageSharedAccessKey from the Select Event hub policy name dropdown.
  9. Under Category Details, select the checkboxes for the log types you want to ingest.
  10. Click Save.


Export metrics for a particular web app to Event Hub (Optional)

The current Sumo Logic App for Web Apps does not support metric content, so this step is optional. To export metrics, create another diagnostic setting, select All Metrics only, and use the following Event Hub configuration.

Event Hub Namespace. The namespace created in Step 2 by the Metrics ARM template, starting with SumoMetricsNamespace<unique suffix>

Event Hub Name. insights-metrics-pt1m

Event Hub Policy. RootManageSharedAccessKey



If logs are not flowing into Sumo Logic, see Troubleshooting.

Sample Log Message

2017-09-25 23:27:36 eShopCart GET / X-ARR-LOG-ID=9b3056e8-21d5-43f7-8fd7-4aec6b29525e 80 - Mozilla/5.0+(Macintosh+NT+6.3;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/ PHPSESSID=tv2iv6tn8c9su542l464ibaro5;+ARRAffinity=d6c6606b1a249bd37139b09d6c2cb4dd61f6b5cd607f934012aca86bd59515444 - 200 0 0 3098 1008 1000

Query Sample

Traffic over time outlier

| parse regex "\d+-\d+-\d+ \d+:\d+:\d+ (?<s_sitename>\S+) (?<cs_method>\S+) (?<cs_uri_stem>\S+) (?<cs_uri_query>\S+) (?<src_port>\S+) (?<src_user>\S+) (?<client_ip>\S+) (?<cs_user_agent>\S+) (?<cs_cookie>\S+) (?<cs_referrer>\S+) (?<cs_host>\S+) (?<sc_status>\S+) (?<sc_substatus>\S+) (?<sc_win32_status>\S+) (?<sc_bytes>\S+) (?<cs_bytes>\S+) (?<time_taken>\S+)"
| timeslice 5m
| count by _timeslice
| outlier _count
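
The query above, worked offline in Python as an added example (not Sumo Logic's code or part of the original page): it applies the same field layout as the parse regex, counts requests per 5-minute slice, and flags slices that deviate from a rolling baseline. The log lines are constructed and fill all 17 fields the regex expects (203.0.113.10 and shop.example.com are placeholders); the outlier check is a simplified rolling mean and standard deviation test, and its window and threshold values are assumptions.

```python
import re
import statistics
from collections import Counter
from datetime import datetime, timedelta

# Field layout of the page's parse regex, with the timestamp captured as well.
FIELDS = ("s_sitename cs_method cs_uri_stem cs_uri_query src_port src_user client_ip "
          "cs_user_agent cs_cookie cs_referrer cs_host sc_status sc_substatus "
          "sc_win32_status sc_bytes cs_bytes time_taken").split()
LINE_RE = re.compile(r"(?P<ts>\d+-\d+-\d+ \d+:\d+:\d+) "
                     + " ".join(rf"(?P<{f}>\S+)" for f in FIELDS))

def timeslice_counts(lines, minutes=5):
    """Requests per `minutes`-wide slice; lines that do not parse are skipped."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            counts[ts - timedelta(minutes=ts.minute % minutes, seconds=ts.second)] += 1
    return dict(sorted(counts.items()))

def outliers(counts, window=10, threshold=3.0):
    """Slices whose count is more than `threshold` standard deviations away from
    the mean of the preceding `window` slices (a simplified rolling check)."""
    slices, flagged = list(counts), []
    for i, s in enumerate(slices):
        prev = [counts[p] for p in slices[max(0, i - window):i]]
        if len(prev) < 2:
            continue  # not enough history to form a baseline
        mean, sd = statistics.mean(prev), statistics.pstdev(prev)
        if abs(counts[s] - mean) > threshold * max(sd, 1.0):  # floor sd on flat traffic
            flagged.append(s)
    return flagged

def sample_lines():
    """Constructed traffic: 2 requests per 5-minute slice, then a burst of 40."""
    start = datetime(2017, 9, 25, 23, 0, 0)
    tmpl = ("{ts} eShopCart GET / - 80 - 203.0.113.10 Mozilla/5.0 - - "
            "shop.example.com 200 0 0 3098 1008 1000")
    lines = ["not an access log line"]  # ignored by the parser
    for slot in range(8):
        for k in range(40 if slot == 7 else 2):
            ts = start + timedelta(minutes=5 * slot, seconds=k)
            lines.append(tmpl.format(ts=ts.strftime("%Y-%m-%d %H:%M:%S")))
    return lines

if __name__ == "__main__":
    counts = timeslice_counts(sample_lines())
    print(outliers(counts))
```

Slices with no requests at all do not appear in the counts, so this sketch flags bursts but not a complete stop in traffic.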