[Azure App Service] Diagnostics App Settings & Key Vault References

Cosmin Stirbu 171 Reputation points
2021-08-30T08:54:41.053+00:00

Hello,

When you enable Application Logging and Web server logging using a Storage account via the UI, the following App Settings are added automatically in the Configuration section:

DIAGNOSTICS_AZUREBLOBCONTAINERSASURL
DIAGNOSTICS_AZUREBLOBRETENTIONINDAYS
WEBSITE_HTTPLOGGING_CONTAINER_URL
WEBSITE_HTTPLOGGING_RETENTION_DAYS

The issue is that DIAGNOSTICS_AZUREBLOBCONTAINERSASURL and WEBSITE_HTTPLOGGING_CONTAINER_URL contain a SAS token, which is sensitive information and shouldn't be stored in plain text.

Therefore, I have moved them to Key Vault and changed them to use Key Vault references (@Microsoft.KeyVault); however, now the App Service logs section doesn't indicate that Application Logging and Web server logging using a Storage account are enabled.

Also, if I go to https://resources.azure.com/ on the App Service -> config -> logs, it also seems that they are not enabled.

  "properties": {  
    "applicationLogs": {  
      "fileSystem": {  
        "level": "Off"  
      },  
      "azureTableStorage": {  
        "level": "Off",  
        "sasUrl": null  
      },  
      "azureBlobStorage": {  
        "level": "Information",  
        "sasUrl": null,  
        "retentionInDays": 90  
      }  
    },  
    "httpLogs": {  
      "fileSystem": {  
        "retentionInMb": 100,  
        "retentionInDays": 90,  
        "enabled": true  
      },  
      "azureBlobStorage": {  
        "sasUrl": null,  
        "retentionInDays": 90,  
        "enabled": false  
      }  
    },  
    "failedRequestsTracing": {  
      "enabled": true  
    },  
    "detailedErrorMessages": {  
      "enabled": true  
    }  
  }  

Interestingly enough, even if the UI and https://resources.azure.com/ indicate the logging is disabled, I can actually see in the storage account container that the Application Logs are coming through. I can't see Web server logs though; I'm not sure if this is because of the Key Vault reference configuration or because of some other reason.


Thank you,
Cosmin


1 answer

  1. Ryan Hill 30,281 Reputation points Microsoft Employee Moderator
    2021-08-31T20:56:15.023+00:00

    Hi @Cosmin Stirbu ,

    While I did experience the same portal experience as you stated above, I am able to see both my application and web server logs in my storage account (see attached image). When using Key Vault, two different folders, with the same name matching the app service, just one capitalized, were created for me. My environment is a Windows host, .NET Core application, as web server logging isn't supported on a Linux host.

    128017-image.png

    The one with the shorter file name was my web server logs, while the one with the longer file name was the application log. The portal doesn't handle this workflow because when I did it, the web server log shows up as File System, regardless of whether you move the toggle to Blob and leave it unconfigured. This is feedback I'll pass along to the team. If you're still not seeing both folders, I would suggest using two separate blob containers; the folder names generated come from your app service and can't be changed.
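
An added example, not code from either poster or from Microsoft: a small audit over exported app settings that reports, for the two SAS-bearing settings named in the question, whether each is still a plaintext SAS URL or a Key Vault reference, and for a plaintext SAS its expiry and permissions without echoing the signature. The input shape is assumed to match `az webapp config appsettings list` output; the storage account, vault name and signature in the sample are constructed placeholders.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# The two settings the question identifies as holding a SAS URL.
SAS_SETTINGS = ("DIAGNOSTICS_AZUREBLOBCONTAINERSASURL",
                "WEBSITE_HTTPLOGGING_CONTAINER_URL")
# Documented reference forms: SecretUri=..., or VaultName=...;SecretName=...
KV_REF = re.compile(r"^@Microsoft\.KeyVault\((.+)\)$")

def classify(value, now):
    """Classify one setting value; never returns the signature itself."""
    if not value:
        return ("missing", {})
    m = KV_REF.match(value.strip())
    if m:
        keys = [p.split("=", 1)[0] for p in m.group(1).split(";") if "=" in p]
        return ("keyvault_reference", {"fields": sorted(keys)})
    q = parse_qs(urlsplit(value).query)
    if "sig" not in q:
        return ("other", {})
    se = q.get("se", [None])[0]
    expired = None
    if se:
        exp = datetime.fromisoformat(se.replace("Z", "+00:00"))
        if exp.tzinfo is None:  # date-only expiry: treat as UTC
            exp = exp.replace(tzinfo=timezone.utc)
        expired = exp < now
    return ("plaintext_sas", {"expiry": se, "expired": expired,
                              "permissions": q.get("sp", [None])[0]})

def audit(app_settings, now=None):
    """app_settings: list of {"name", "value"} dicts (assumed CLI export shape)."""
    now = now or datetime.now(timezone.utc)
    by_name = {s["name"]: s.get("value") for s in app_settings}
    return {n: classify(by_name.get(n), now) for n in SAS_SETTINGS}

# Constructed sample input: account, vault and signature are placeholders.
SAMPLE = [
    {"name": "DIAGNOSTICS_AZUREBLOBCONTAINERSASURL",
     "value": "https://examplestorage.blob.core.windows.net/applogs"
              "?sv=2020-08-04&sr=c&sp=rwdl&se=2022-01-01T00%3A00%3A00Z&sig=PLACEHOLDER"},
    {"name": "DIAGNOSTICS_AZUREBLOBRETENTIONINDAYS", "value": "90"},
    {"name": "WEBSITE_HTTPLOGGING_CONTAINER_URL",
     "value": "@Microsoft.KeyVault(SecretUri=https://example-vault.vault.azure.net/secrets/httplog-sas/)"},
]

if __name__ == "__main__":
    for name, (kind, detail) in audit(SAMPLE).items():
        print(f"{name}: {kind} {detail}")
```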

