
Collect Logs for Azure Web Apps

Enable diagnostics in the Azure portal

In this step you will enable Blob Log storage for your Azure web app. 

  1. Login to
  2. Go to your Azure Web App and click Settings > Diagnostics logs.
  3. For Application Logging (Blob) click On.
  4. For Level, select Information.
  5. Click Storage Settings and select Storage Account and Container (Existing or Add New One). This Storage Account and Container will be used to store Logs for your Web App. For details see:
  6. For Web server logging select Storage.
  7. Click Storage Settings and select the same settings as you did in Step 5.

Copy the name of the Storage Account and Container to a Notepad. You will need these values in the section Run the Solutions Template from the Azure Marketplace.

Create a Sumo Logic Access Key and ID

In Sumo Logic, create an Access Key and ID. You will need them to configure the Azure Marketplace template in the next section.

Run the Solutions Template from the Azure Marketplace

From the Azure Marketplace, you will search for and run the solutions template Sumo Logic for Azure Web Apps.

This template will create an Azure Virtual Machine and configure a Sumo Logic Installed Collector. Depending on the information you provide, it will also create:

  1. One Local Windows Event Log Source
  2. One Script Source to collect Azure Web App Logs

To run the template:

  1. Login to
  2. Click + New.
  3. In the Search field, search for Sumo Logic.
  4. Select Sumo Logic for Azure Web Apps, then click Create.
  5. On the Basics tab, enter the following:
    1. Collector Name. Enter the Sumo Logic Collector name. It is used as the prefix for resource names created by this template. It cannot be longer than 12 characters.
    2. Sumo Logic Access ID. From your Sumo Logic account, create an Access ID and Key and enter the Access ID here. This key pair is used to register the embedded Collector with Sumo Logic.
    3. Sumo Logic Access Key. Enter the Access Key here.
    4. Encryption Phrase. Enter a phrase to be used to encrypt the Azure Web Apps credentials. 
    5. Username. Enter the Admin username for the Sumo Logic Collector VMs.
    6. Password. Enter the password for the user account.
    7. Subscription. Select your subscription from the menu.
    8. Resource Group. A Resource Group is a collection of resources that share the same lifecycle, permission and policies.
    9. Location. Select the same Location where your Azure Web Apps have been deployed.
  6. Click OK.
  7. On the Common Settings tab, enter the following:
    1. Storage Account. Enter your storage account.
    2. Virtual Network. Enter the Virtual Network to be used by this application.
    3. Subnets. Enter the Subnets in the selected virtual network.
    4. Diagnostics Storage Account. Enter your diagnostics storage account.
  8. Click OK.
  9. On the Sumo Logic Collector Configuration tab, enter the following:
    1. Azure Web Apps Storage Account Name. Select the name of the Azure Blob Storage Account where Web App Logs are being stored. (You saved this value to a Notepad in the previous sections.)
    2. Azure Web Apps Blob Container Name. Enter the Blob container name where logs are being collected. (You saved this value to a Notepad in the previous sections.)
    3. Public IP Address. Enter the name of the public IP address to be assigned to the Sumo Logic Collector.
      The IP address does not have to be public, although it must be able to access the internet.
    4. Domain Name Label. Enter the domain name label for the Sumo Logic Collector VM that has a public IP address. (For example: collector01. If the Location you selected earlier is West US, then the full DNS name for this example would be:
    5. Sumo Logic Collector VM Size. Enter the size of the Sumo Logic Collector VM.
  10. Click OK.
  11. On the Summary tab, review your configuration.
  12. Click OK.
  13. On the Buy tab, click Purchase.

Change the Network Security Group

Now change the Network Security Group of the Virtual Machine created by the solution template to restrict public access. By default, the template allows inbound public access on three ports: TCP 3389 (RDP), TCP 514 (syslog), and UDP 514 (syslog).

To change the Network Security Group:

  1. Login to
  2. Select Network Interfaces and click the interface. 
  3. Select Network Security Group.
  4. Change the three Inbound security rules to fit your access policy.
    It is not necessary to allow inbound traffic on the Syslog ports (udp-514, tcp-514), as the Azure Audit app does not collect data using Syslog.
  5. Save your changes. 

Sample Log Message

2017-09-25 23:27:36 eShopCart GET / X-ARR-LOG-ID=9b3056e8-21d5-43f7-8fd7-4aec6b29525e 80 - Mozilla/5.0+(Macintosh+NT+6.3;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/ PHPSESSID=tv2iv6tn8c9su542l464ibaro5;+ARRAffinity=d6c6606b1a249bd37139b09d6c2cb4dd61f6b5cd607f934012aca86bd59515444 - 200 0 0 3098 1008 1000

Query Sample

Traffic over time outlier

| parse regex "\d+-\d+-\d+ \d+:\d+:\d+ (?<s_sitename>\S+) (?<cs_method>\S+) (?<cs_uri_stem>\S+) (?<cs_uri_query>\S+) (?<src_port>\S+) (?<src_user>\S+) (?<client_ip>\S+) (?<cs_user_agent>\S+) (?<cs_cookie>\S+) (?<cs_referrer>\S+) (?<cs_host>\S+) (?<sc_status>\S+) (?<sc_substatus>\S+) (?<sc_win32_status>\S+) (?<sc_bytes>\S+) (?<cs_bytes>\S+) (?<time_taken>\S+)"
| timeslice 5m
| count by _timeslice
| outlier _count
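As an added example that is not part of the original page, the following Python reproduces the query above offline: it parses lines laid out like the Sample Log Message with the same field order, buckets them into 5-minute timeslices, counts per bucket and flags buckets with an unusual request count. The constructed log lines, the 203.0.113.0/24 client addresses and the global z-score used in place of Sumo Logic's sliding-window outlier operator are assumptions of this example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean, pstdev
# Same field order as the parse regex in the query above, with date and time captured
# as well so lines can be bucketed. Python spells named groups (?P<name>...), Sumo (?<name>...).
LOG_RE = re.compile(
    r"(?P<date>\d+-\d+-\d+) (?P<time>\d+:\d+:\d+) (?P<s_sitename>\S+) (?P<cs_method>\S+) (?P<cs_uri_stem>\S+) "
    r"(?P<cs_uri_query>\S+) (?P<src_port>\S+) (?P<src_user>\S+) (?P<client_ip>\S+) (?P<cs_user_agent>\S+) "
    r"(?P<cs_cookie>\S+) (?P<cs_referrer>\S+) (?P<cs_host>\S+) (?P<sc_status>\S+) (?P<sc_substatus>\S+) "
    r"(?P<sc_win32_status>\S+) (?P<sc_bytes>\S+) (?P<cs_bytes>\S+) (?P<time_taken>\S+)$")

def parse_line(line):
    # Named fields of one web server log line, or None when the 17-field layout does not fit
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def timeslice(ts, minutes=5):
    # Floor a timestamp to the start of its bucket, like `timeslice 5m`
    return ts - timedelta(minutes=ts.minute % minutes, seconds=ts.second)

def count_by_timeslice(lines, minutes=5):
    # Equivalent of `timeslice 5m | count by _timeslice`; lines that do not parse are skipped
    counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        counts[timeslice(ts, minutes)] += 1
    return dict(sorted(counts.items()))

def outliers(counts, threshold=3.0):
    # Buckets more than `threshold` standard deviations from the mean. Simplification:
    # Sumo's outlier operator works on a sliding window; this looks at all buckets at once.
    vals = list(counts.values())
    mu, sigma = mean(vals), pstdev(vals)
    return [ts for ts, c in counts.items() if sigma and abs(c - mu) > threshold * sigma]

def make_line(ts, client_ip, status="200"):
    # Constructed sample line with all 17 fields, in the layout of the Sample Log Message above
    return (f"{ts:%Y-%m-%d %H:%M:%S} eShopCart GET / X-ARR-LOG-ID=00000000-0000-0000-0000-000000000000 "
            f"80 - {client_ip} Mozilla/5.0+(Macintosh)+Chrome/60 PHPSESSID=abc;+ARRAffinity=def "
            f"- www.example.com {status} 0 0 3098 1008 1000")

def build_sample_lines():
    # 16 constructed five-minute buckets: 3 requests each, except a burst of 60 in bucket 12 (23:00)
    base = datetime(2017, 9, 25, 22, 0, 0)
    lines = []
    for bucket in range(16):
        for i in range(60 if bucket == 12 else 3):
            ts = base + timedelta(minutes=5 * bucket, seconds=4 * i)
            lines.append(make_line(ts, f"203.0.113.{i % 20 + 1}"))
    return lines
```

Running `outliers(count_by_timeslice(build_sample_lines()))` returns only the 23:00 bucket; a redacted line such as the page's sample, which lacks the client IP and host fields, is skipped rather than miscounted.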