Front door log queries fail for firewalllog

Richard Butler 1 Reputation point
2021-02-19T11:51:41.55+00:00

All queries for errors seem to fail.

// Top 20 blocked clients by IP and rule
// Show top 20 blocked clients by IP and rule name.
// Summarize top 20 blocked clients by IP and rule
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "FrontdoorWebApplicationFirewallLog"
| where action_s == "Block"
| summarize RequestCount = count() by ClientIP = clientIP_s, UserAgent = userAgent_s, RuleName = ruleName_s, Resource
| top 20 by RequestCount
| order by RequestCount desc

results in a message:

'where' operator: Failed to resolve column or scalar expression named 'action_s' If issue persists, please open a support ticket. Request id: 11bc8fa2-091b-4ddc-bf54-f14fc1236911

Azure Front Door
An Azure service that provides a cloud content delivery network with threat protection.

1 answer

  1. suvasara-MSFT 10,016 Reputation points
    2021-02-22T10:57:51.52+00:00

    @Richard Butler, looks like the WAF logs are not yet created. The error indicated that the table doesn't contain the given parameters. Please do change the timestamp value to a longer period and try again. Also, to generate WAF logs, pass any traffic that hits the WAF. Please note that WAF logs are generated only when the request hits the ruleset.
    Hope this helps!

    ----------

    Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.
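
The following is an added example, not part of the question or the answer above. It first checks whether any FrontdoorWebApplicationFirewallLog rows have reached the workspace, then runs the same top-20 query with `column_ifexists()` so it returns an empty result instead of a resolve error while the `_s` columns do not exist yet. The 7-day window is an assumption; run the two statements separately.

```kusto
// 1) Which Front Door log categories have arrived, and when was the last row?
//    If FrontdoorWebApplicationFirewallLog is missing here, no request has
//    hit the WAF ruleset yet and the action_s column has not been created.
AzureDiagnostics
| where TimeGenerated > ago(7d)   // assumed look-back window
| where ResourceProvider == "MICROSOFT.NETWORK"
| summarize Rows = count(), LastSeen = max(TimeGenerated) by Category

// 2) Top 20 blocked clients, tolerant of columns that do not exist yet.
//    column_ifexists() falls back to the given default instead of failing.
AzureDiagnostics
| where TimeGenerated > ago(7d)   // assumed look-back window
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "FrontdoorWebApplicationFirewallLog"
| extend Action    = column_ifexists("action_s", ""),
         ClientIP  = column_ifexists("clientIP_s", ""),
         UserAgent = column_ifexists("userAgent_s", ""),
         RuleName  = column_ifexists("ruleName_s", "")
| where Action == "Block"
| summarize RequestCount = count() by ClientIP, UserAgent, RuleName, Resource
| top 20 by RequestCount desc
```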