API Management Services no longer logs query parameters set via inbound policies

Question

API Management Services no longer logs query parameters set via inbound policies

Christopher Watford 1

Previously we used an stv1/standard APIM instance which had the following policy set on all APIs:

<policies>
  <inbound>
    <base />
    <set-query-parameter name="x-query-param" exists-action="override">
      <value>@(context.Request.Headers.GetValueOrDefault("x-header-name"))</value>
    </set-query-parameter>
...

When viewing logs within our Log Analytics workspace the BackendUrl property would contain this parameter tacked onto the end.

We recently created a brand new stv2/standard APIM instance with the SAME policy set. We now no longer receive x-query-param as a query parameter on the BackendUrl property as we would expect.

Why does this no longer work? Has there been a change to how policies function with an stv2/Standard instance?

JananiRamesh-MSFT 29,261 Reputation points

2024-10-09T16:37:50.04+00:00

@Christopher Watford Thanks for reaching out. I am looking into this will get back to you shortly.

1 answer

Your answer

JananiRamesh-MSFT 29,261 Reputation points

2024-10-09T16:37:50.04+00:00

@Christopher Watford Thanks for reaching out. I am looking into this will get back to you shortly.

Answer 1

JananiRamesh-MSFT 29,261

@Christopher Watford Thanks for your patience. The diagnostic settings in APIM do have special parameters like Data Masking that control how query parameters are logged.

You can mask or hide sensitive query parameters and headers in diagnostic logs. The hide setting will remove an entity, while mask setting will replace it with the word "hidden". Refer to the API endpoint documentation for more details.

do verify and let me know incase of further queries, I would be happy to assist you.

Christopher Watford 1 Reputation point

2024-10-11T12:21:49.59+00:00
We are not using this to capture requests in Log Analytics. We are using the following:

API Management Services -> Diagnostic Settings -> Add diagnostic setting

I've attached an image showing our current setup. This mirrors the older stv1 instance.
Christopher Watford 1 Reputation point

2024-10-11T12:23:49.2833333+00:00

This is not relevant unfortunately as we are not using those diagnostic settings to log requests from APIM.

We are using Diagnostic Settings to do this:

This is the same setup as our stv1 instance.
JananiRamesh-MSFT 29,261 Reputation points

2024-10-17T07:47:53.3566667+00:00
Christopher Watford Thanks for getting back, I am also referring to the same diagnostic settings however the configuration that i was referring above "Data masking" is not yet implemented in UI.

We have 2 options in data masking as shown below and by default it is hide enabled. You have to manage the above setting with Rest api call https://learn.microsoft.com/en-us/rest/api/apimanagement/diagnostic/create-or-update?view=rest-apimanagement-2024-05-01&tabs=HTTP#datamaskingmode

sample request body should be as below

{ "properties":{ "loggerId":"<your-logger-id>", "backend": { "request":{ "dataMasking":{ "queryParams":[{ "mode": "Mask", "value": "*" }] } } } } }

to get the logger id please use this rest api: https://learn.microsoft.com/en-us/rest/api/apimanagement/diagnostic/list-by-service?view=rest-apimanagement-2024-05-01&tabs=HTTP#datamaskingmode please update the api version as 2022-08-01 please refer sample logger id below

"loggerId": "/subscriptions/xxxx/resourceGroups/xxx/providers/Microsoft.ApiManagement/service/xxxxx/loggers/azuremonitor",

do let me know incase of further queries, I would be happy to assist you.
Christopher Watford 1 Reputation point

2024-10-17T15:06:41.7333333+00:00

I don't want to mask or hide these query parameters. I want the query parameters unmasked as they were in stv1.
Christopher Watford 1 Reputation point

2024-10-17T18:03:24.86+00:00

Also, running your suggested change:
{ "error": { "code": "ValidationError", "message": "One or more fields contain incorrect values:", "details": [ { "code": "ValidationError", "target": "loggerId", "message": "Diagnostic does not accept AzureMonitor logger" } ] } }
JananiRamesh-MSFT 29,261 Reputation points

2024-10-21T13:49:28.4133333+00:00

Christopher Watford Thanks for getting back, I had a discussion internally and confirmed that there is no change in the functionality both in stv1 and stv2. I am unable to repro this as I don't have stv1 instance in my subscription Hence, I request you to raise support ticket with Azure Technical Team so that team can connect 1:1 and assist you to resolve the issue you are facing. If you don't have a support plan, please let me know i can enable one-time free support for your subscription.
JananiRamesh-MSFT 29,261 Reputation points

2024-10-25T08:22:59.93+00:00

Christopher Watford Just a follow up to see if you were able to create a ticket with our support team. If any help is needed, let me know.

Share via

API Management Services no longer logs query parameters set via inbound policies

1 answer

Your answer