firewall logs are not working. I can't make any query

Pawel Wilusz 1 Reputation point
2022-11-11T21:34:24.193+00:00

[attached screenshot: 259656-image.png]

does anyone know what could be the reason why I cannot execute any query?

Thank you

Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.

2 answers

  1. Pawel Wilusz 1 Reputation point
    2022-11-17T13:30:04.83+00:00

    Hi,
    Sorry for the late response, it was a couple of crazy days at work for me.
    The query below is one of the examples. It's working in another firewall without any issues.
    Thank you

    // Application rule log data
    // Parses the application rule log data.
    AzureDiagnostics
    | where Category == "AzureFirewallApplicationRule"
    //this first parse statement is valid for all entries as they all start with this format
    | parse msg_s with Protocol " request from " SourceIP ":" SourcePort:int *
    //Parse action as this is the same for all log lines
    | parse kind=regex flags=U msg_s with * ". Action\: " Action "\."
    // case1: Action: A. Reason: R.
    | parse kind=regex flags=U msg_s with "\. Reason\: " Reason "\."
    //case 2a: to FQDN:PORT Url: U. Action: A. Policy: P. Rule Collection Group: RCG. Rule Collection: RC. Rule: R.
    | parse msg_s with * "to " FQDN ":" TargetPort:int * "." *
    //Parse policy if present
    | parse msg_s with * ". Policy: " Policy ". Rule Collection Group: " RuleCollectionGroup "." *
    | parse msg_s with * " Rule Collection: " RuleCollection ". Rule: " Rule
    //case 2.b: Web Category: WC.
    | parse Rule with * ". Web Category: " WebCategory
    //case 3: No rule matched. Proceeding with default action"
    | extend DefaultRule = iff(msg_s contains "No rule matched. Proceeding with default action", true, false)
    | extend
    SourcePort = tostring(SourcePort),
    TargetPort = tostring(TargetPort)
    | extend
    Action = case(Action == "","N/A", case(DefaultRule, "Deny" ,Action)),
    FQDN = case(FQDN == "", "N/A", FQDN),
    TargetPort = case(TargetPort == "", "N/A", tostring(TargetPort)),
    Policy = case(RuleCollection contains ":", split(RuleCollection, ":")[0] ,case(Policy == "", "N/A", Policy)),
    RuleCollectionGroup = case(RuleCollection contains ":", split(RuleCollection, ":")[1], case(RuleCollectionGroup == "", "N/A", RuleCollectionGroup)),
    RuleCollection = case(RuleCollection contains ":", split(RuleCollection, ":")[2], case(RuleCollection == "", "N/A", RuleCollection)),
    WebCategory = case(WebCategory == "", "N/A", WebCategory),
    Rule = case(Rule == "" , "N/A", case(WebCategory == "N/A", Rule, split(Rule, '.')[0])),
    Reason = case(Reason == "", case(DefaultRule, "No rule matched - default action", "N/A"), Reason )
    | project TimeGenerated, msg_s, Protocol, SourceIP, SourcePort, FQDN, TargetPort, Action, Policy, RuleCollectionGroup, RuleCollection, Rule, Reason ,WebCategory

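The three message shapes that the query's comments describe, parsed outside Log Analytics, as an added example that is not part of this thread: a Python port of the posted `parse` steps run over constructed msg_s lines, which also flags rows in a shape none of the patterns recognise (the KQL leaves such rows with empty columns). The sample messages, the ParseStatus column and the field names are constructed assumptions, not Azure Firewall's own output.

```python
import re

# Constructed sample msg_s values in the three shapes the posted query's comments describe
# (case 1, case 2a/2b, case 3), plus one line in a shape the query does not expect.
SAMPLE_MSGS = [
    "HTTPS request from 10.0.0.4:51234 to www.example.com:443. Action: Allow. Policy: fw-policy. "
    "Rule Collection Group: rcg-web. Rule Collection: rc-allow. Rule: allow-web",
    "HTTP request from 10.0.0.5:40001 to ads.example.net:80. Action: Deny. Policy: fw-policy. "
    "Rule Collection Group: rcg-web. Rule Collection: rc-cat. Rule: block-ads. Web Category: Advertising",
    "HTTPS request from 10.0.0.6:33333 to updates.example.org:443. Action: Deny. Reason: SNI TLS extension was missing.",
    "HTTP request from 10.0.0.7:22222 to unknown.example.com:80. Action: Deny. No rule matched. Proceeding with default action",
    "SomeOtherService request in an unexpected shape",
]

FIELDS = ("Protocol", "SourceIP", "SourcePort", "FQDN", "TargetPort", "Action", "Policy",
          "RuleCollectionGroup", "RuleCollection", "Rule", "Reason", "WebCategory")
# One pattern per `parse` step of the KQL; the ungreedy [^.]+ plays the role of flags=U.
HEADER = re.compile(r"^(?P<Protocol>\S+) request from (?P<SourceIP>[^:]+):(?P<SourcePort>\d+)")
OPTIONAL = [
    re.compile(r" to (?P<FQDN>[^:\s]+):(?P<TargetPort>\d+)\."),
    re.compile(r"\. Action: (?P<Action>[^.]+)\."),
    re.compile(r"\. Reason: (?P<Reason>[^.]+)\."),
    re.compile(r"\. Policy: (?P<Policy>[^.]+)\. Rule Collection Group: (?P<RuleCollectionGroup>[^.]+)\."),
    re.compile(r" Rule Collection: (?P<RuleCollection>[^.]+)\. Rule: (?P<Rule>[^.]+)"),
    re.compile(r"\. Web Category: (?P<WebCategory>.+)$"),
]
DEFAULT_ACTION_TEXT = "No rule matched. Proceeding with default action"

def parse_app_rule_msg(msg: str) -> dict[str, str]:
    """Parse one application-rule msg_s into the columns the KQL projects, "N/A" when absent."""
    row = {name: "N/A" for name in FIELDS}
    head = HEADER.match(msg)
    if head is None:
        # The KQL leaves such rows with empty columns; a status column makes the gap visible.
        row["ParseStatus"] = "unparsed"
        return row
    row.update(head.groupdict())
    for pattern in OPTIONAL:
        found = pattern.search(msg)
        if found:
            row.update(found.groupdict())
    if DEFAULT_ACTION_TEXT in msg:  # case 3, with the same precedence as the KQL's case() chain
        row["Action"] = "Deny" if row["Action"] != "N/A" else "N/A"
        row["Reason"] = row["Reason"] if row["Reason"] != "N/A" else "No rule matched - default action"
    row["ParseStatus"] = "ok"
    return row

def unparsed_messages(msgs: list[str]) -> list[str]:
    """Lines no pattern recognised: the rows to inspect when a query suddenly returns nothing."""
    return [m for m in msgs if parse_app_rule_msg(m)["ParseStatus"] == "unparsed"]
```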

  2. KapilAnanth-MSFT 35,251 Reputation points Microsoft Employee
    2022-11-18T12:48:14.42+00:00

    Hi @Pawel Wilusz ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
    I understand that you are facing issues in Azure Firewall Logs.

    From the error message, it appears that Azure is unable to parse "msg_s" in the Azure Firewall Logs query.

    Can you please enable the features AFWEnableNetworkRuleNameLogging and AFWEnableStructuredLogs, following this document?

    Post this, kindly do a Put operation on your firewall, like adding a dummy rule and deleting it.

    Give it a few hours and try to run the query once again.
    Let me know if this helps.

    Thanks,
    Kapil

    ----------------------------------------------------------------------------------------------------------------

    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.