
Azure Firewall provides structured logs that can be used for monitoring and analysis. These logs are a valuable resource for understanding network traffic and identifying potential security threats.
Azure Firewall logs are stored in Azure Monitor, which allows for easy access and analysis. The logs can be queried using Azure Monitor's query language, Kusto Query Language (KQL).
Structured logs from Azure Firewall contain detailed information about network traffic, including source and destination IP addresses, ports, and protocols. This information can be used to identify potential security risks and troubleshoot network issues.
Azure Firewall Logs
Azure Firewall logs are a crucial aspect of monitoring and analyzing traffic in your Azure environment. Structured logs are log data organized in a fixed schema, which makes them easy to search, filter, and analyze.
There are three diagnostic log categories available for Azure Firewall: Application rule log, Network rule log, and DNS proxy log. By default these categories use Azure diagnostics mode, in which the data from every diagnostic setting is collected into the single AzureDiagnostics table.
To enable structured logs, you must configure a Log Analytics workspace in your Azure subscription. This workspace stores the structured logs generated by Azure Firewall.
Structured logs provide a more detailed view of firewall events, including source and destination IP addresses, protocols, port numbers, and the action taken by the firewall. They also include metadata such as the time of the event and the name of the Azure Firewall instance.
You can choose to use resource-specific tables instead of the existing AzureDiagnostics table. If you need both sets of logs, however, you'll need to create at least two diagnostic settings per firewall.
Here are the three diagnostic log categories for Azure Firewall:
- Application rule log
- Network rule log
- DNS proxy log
These logs can be saved to a storage account, streamed to Event Hubs, or sent to Azure Monitor Logs.
Structured Log Queries
Structured log queries are a powerful tool in Azure Firewall. They allow you to extract specific information from your logs, making it easier to analyze and troubleshoot issues.
Predefined queries are available in the Azure portal, including a predefined KQL (Kusto Query Language) log query for each category. This makes it easy to get started with querying your logs.
These queries can be used to retrieve logs related to specific events, such as application rule logs or network rule logs. For example, you can use the predefined query to retrieve logs related to Azure Firewall application rules, including essential fields like TimeGenerated, FQDN, and Action.
Here are some examples of predefined queries available in the Azure portal:
With these queries, you can quickly and easily retrieve the information you need to troubleshoot issues and monitor your Azure Firewall.
Create Firewall Metrics Alert
To create a firewall metrics alert, browse to the Log Analytics workspace configured in the firewall's metrics diagnostic settings.
Check that metrics are arriving in the workspace by running a query.
To be notified if the firewall stops delivering metrics, create an alert that fires when no metrics have been received over a 60-minute period.
To set up a new alert on missing metrics, browse to the Alerts page in the Log Analytics workspace.
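The following KQL query is an added example (not from the page or from Microsoft's documentation) of the "missing metrics" check described above. It assumes the firewall's "AllMetrics" diagnostic setting sends platform metrics to this workspace, where they land in the AzureMetrics table, and the resource ID is a placeholder you replace with your firewall's.

```kql
// Added example (not from the page). Assumes the firewall's "AllMetrics"
// diagnostic setting sends platform metrics to this workspace, where Azure
// writes them to the AzureMetrics table. The resource ID is a placeholder.
let firewallResourceId = "/SUBSCRIPTIONS/<subscription-id>/RESOURCEGROUPS/<resource-group>/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/<firewall-name>";
let window = 60m;
AzureMetrics
| where TimeGenerated > ago(window)
| where ResourceId =~ firewallResourceId          // case-insensitive match
| where MetricName == "FirewallHealth"            // emitted continuously by a healthy firewall
// summarize without a grouping key always returns exactly one row, so the
// alert can compare MetricSamples against a threshold even when no data arrived
| summarize MetricSamples = count(), LastMetricAt = max(TimeGenerated)
```

Save the query as a log search alert rule with the condition "MetricSamples less than 1", evaluated every 60 minutes; it then fires whenever a full window passes without a FirewallHealth sample, which is the "missing metrics" condition the alert is meant to catch.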
Structured Log Queries
Structured log queries are a powerful tool for analyzing Azure Firewall logs. You can access a list of predefined queries in the Azure portal that includes a KQL (Kusto Query Language) log query for each category.
These queries show all Azure Firewall logging events in a single view. You can also use the Azure portal to write custom queries tailored to your needs.
Predefined queries are available for application rule logs, network rule logs, and DNS proxy logs. Each query is designed to extract the relevant fields from its log category.
To use a predefined query, navigate to the Azure portal, select the relevant log category, and click the "Query" button. The query runs and its results are displayed as a table.
If you prefer to create your own custom queries, you can use the KQL language to specify the fields and conditions you want to extract from the logs. The Azure portal provides a query builder tool that can help you construct your query.
Here is a list of the predefined queries available for each log category:
These predefined queries can be used as a starting point for your own custom queries. You can modify them to suit your specific needs and extract the information that is most relevant to your analysis.
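As an added example (not one of the portal's predefined queries, and not from the original page), the following KQL query builds the "single view" that the two Structured Log Queries sections describe, by normalizing the three structured-log categories to one set of columns. It assumes the diagnostic setting uses resource-specific tables, whose table and column names follow Microsoft's published Azure Firewall schema (AZFWApplicationRule, AZFWNetworkRule, AZFWDnsQuery).

```kql
// Added example (not from the page or Microsoft's predefined queries).
// Assumes the diagnostic setting uses resource-specific tables, so the three
// categories land in AZFWApplicationRule, AZFWNetworkRule and AZFWDnsQuery
// rather than in AzureDiagnostics.
let lookback = 1h;
let appRules = AZFWApplicationRule
    | where TimeGenerated > ago(lookback)
    | project TimeGenerated, LogCategory = "ApplicationRule", Protocol, SourceIp, SourcePort,
              Destination = Fqdn, DestinationPort, Action,
              MatchedRule = strcat(RuleCollectionGroup, "/", RuleCollection, "/", Rule), ActionReason;
let netRules = AZFWNetworkRule
    | where TimeGenerated > ago(lookback)
    | project TimeGenerated, LogCategory = "NetworkRule", Protocol, SourceIp, SourcePort,
              Destination = DestinationIp, DestinationPort, Action,
              MatchedRule = strcat(RuleCollectionGroup, "/", RuleCollection, "/", Rule), ActionReason;
let dnsProxy = AZFWDnsQuery
    | where TimeGenerated > ago(lookback)
    // DNS proxy rows have no rule or action; map the response code into the
    // Action column and keep DestinationPort typed as int to match the other tables
    | project TimeGenerated, LogCategory = "DnsProxy", Protocol, SourceIp, SourcePort,
              Destination = QueryName, DestinationPort = int(53), Action = ResponseCode,
              MatchedRule = "", ActionReason = ErrorMessage;
union appRules, netRules, dnsProxy
// Keep only events that signal something blocked or failed; remove this line
// for the full single view of every event in the lookback window.
| where Action == "Deny" or (LogCategory == "DnsProxy" and Action != "NOERROR")
| order by TimeGenerated desc
```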
Azure Firewall Announcements
Azure Firewall has been a game-changer for network security, and recently, Microsoft announced some exciting updates.
Azure Firewall's structured logs are now available in Azure Monitor, allowing for easier analysis and troubleshooting.
The new Azure Firewall logs are designed to be more efficient, with a smaller file size and faster query times.
With Azure Firewall's structured logs, you can now see detailed information about each packet, including source and destination IP addresses, ports, and protocols.
The logs are also now available in a more standardized format, making it easier to integrate with other tools and services.
Azure Firewall's new features include support for multiple log formats and improved filtering capabilities.
This makes it easier to manage and analyze large volumes of log data.