Not receiving Firewall Diagnostic Data

Anonymous
2023-04-24T10:51:14.6366667+00:00

We have configured a Diagnostics setting pointing to a Log Analytics workspace, but unfortunately we are not receiving any data.


1 answer

  1. GitaraniSharma-MSFT 48,096 Reputation points Microsoft Employee
    2023-04-24T13:06:53.6733333+00:00

    Hello @Anonymous ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you've configured a diagnostics setting on your Azure Firewall pointing to a Log Analytics workspace, but you are not receiving any data in your logs.

    It can take a few minutes for the data to appear in your logs after you complete the procedure to turn on diagnostic logging. If you've just configured the diagnostic setting and don't see anything in the logs, check again in a few more minutes.

    Below are a few things that I would request you to try:

    Run a simple query to check if the Log Analytics workspace is getting the data:

    AzureDiagnostics | take 10

    If you see records from the above query, then run the following to see if there are any Firewall logs.

    AzureDiagnostics | where Category == "AzureFirewallNetworkRule" or Category == "AzureFirewallApplicationRule"

    If you see records using the above query, start adding the other conditions as per your requirement.

    If you are trying to check Azure Structured Firewall Logs, then make sure you've enabled the structured logs by registering for the "AFWEnableStructuredLogs" feature as this feature is still in Preview.

    With this new feature, you'll be able to choose to use Resource Specific Tables instead of the existing AzureDiagnostics table. In case both sets of logs are required, at least two diagnostic settings need to be created per firewall.

    Refer: https://learn.microsoft.com/en-us/azure/firewall/firewall-structured-logs#enabledisable-structured-logs

    https://learn.microsoft.com/en-gb/azure/azure-monitor/essentials/resource-logs?WT.mc_id=Portal-Microsoft_Azure_Monitoring#send-to-log-analytics-workspace

    If you have not enabled Azure Structured Firewall Logs, you will only get data for the Legacy Azure Diagnostics (if enabled) which are as below:

    • Azure Firewall Application Rule
    • Azure Firewall Network Rule
    • Azure Firewall DNS Proxy

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

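
Added example (not part of the answer above and not Microsoft's own sample): one Log Analytics query that shows, for the last 24 hours, which Azure Firewall log destinations are receiving records and when the last record arrived, covering both the legacy AzureDiagnostics categories and the resource-specific tables. The resource-specific table names (AZFWNetworkRule, AZFWApplicationRule, AZFWDnsQuery) and the 24-hour window are assumptions; they are not listed on this page.

```kusto
// Added example: which firewall log destinations are actually receiving data?
// isfuzzy=true lets the union run even when some of the listed tables
// do not exist in the workspace (for example, structured logs never enabled).
union isfuzzy=true
    (AzureDiagnostics
        | where TimeGenerated > ago(24h)
        // Legacy categories, e.g. AzureFirewallNetworkRule, AzureFirewallApplicationRule
        | where Category startswith "AzureFirewall"
        | extend Source = strcat(Type, " / ", Category)
        | project TimeGenerated, Source),
    // Resource-specific tables (assumed names, populated only by a
    // diagnostic setting that targets resource-specific tables)
    (AZFWNetworkRule
        | where TimeGenerated > ago(24h)
        | extend Source = Type
        | project TimeGenerated, Source),
    (AZFWApplicationRule
        | where TimeGenerated > ago(24h)
        | extend Source = Type
        | project TimeGenerated, Source),
    (AZFWDnsQuery
        | where TimeGenerated > ago(24h)
        | extend Source = Type
        | project TimeGenerated, Source)
// One row per destination that has data; a missing row means nothing arrived there.
| summarize Records = count(), LastRecord = max(TimeGenerated) by Source
| order by LastRecord desc
```

A destination with no row received nothing in the window. If the query returns no rows at all while traffic is passing through the firewall, the records are not reaching this workspace, which points back at the diagnostic setting rather than at the query filters.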