Configure Azure DDoS Protection diagnostic logging through portal
Configure diagnostic logging for Azure DDoS Protection to gain visibility into DDoS attacks.
In this tutorial, you learn how to:
- Configure diagnostic logs.
- Query logs in log analytics workspace.
Prerequisites
- If you don't have an Azure subscription, create a free account before you begin.
- Before you can complete the steps in this guide, you must first create a Azure DDoS protection plan. DDoS Network Protection must be enabled on a virtual network or DDoS IP Protection must be enabled on a public IP address.
- In order to use diagnostic logging, you must first create a Log Analytics workspace with diagnostic settings enabled.
- DDoS monitors public IP addresses assigned to resources within a virtual network. If you don't have any resources with public IP addresses in the virtual network, you must first create a resource with a public IP address. You can monitor the public IP address of all resources deployed through Resource Manager (not classic) listed in Virtual network for Azure services (including Azure Load Balancers where the backend virtual machines are in the virtual network), except for Azure App Service Environments. To continue with this guide, you can quickly create a Windows or Linux virtual machine.
Configure diagnostic logs
Sign in to the Azure portal.
In the search box at the top of the portal, enter Monitor. Select Monitor in the search results.
Select Diagnostic Settings under Settings in the left pane, then select the following information in the Diagnostic settings page. Next, select Add diagnostic setting.
Setting Value Subscription Select the Subscription that contains the public IP address you want to log. Resource group Select the Resource group that contains the public IP address you want to log. Resource type Select Public IP Addresses. Resource Select the specific Public IP address you want to log metrics for. On the Diagnostic setting page, under Destination details, select Send to Log Analytics workspace, then enter the following information, then select Save.
Setting Value Diagnostic setting name Enter myDiagnosticSettings. Logs Select allLogs. Metrics Select AllMetrics. Destination details Select Send to Log Analytics workspace. Subscription Select your Azure subscription. Log Analytics Workspace Select myLogAnalyticsWorkspace.
Query Azure DDOS Protection logs in log analytics workspace
For more information on log schemas, see View diagnostic logs.
DDoSProtectionNotifications logs
Under the Log analytics workspaces blade, select your log analytics workspace.
Under General, select on Logs
In Query explorer, type in the following Kusto Query and change the time range to Custom and change the time range to last three months. Then hit Run.
AzureDiagnostics | where Category == "DDoSProtectionNotifications"To view DDoSMitigationFlowLogs change the query to the following and keep the same time range and hit Run.
AzureDiagnostics | where Category == "DDoSMitigationFlowLogs"To view DDoSMitigationReports change the query to the following and keep the same time range and hit Run.
AzureDiagnostics | where Category == "DDoSMitigationReports"
Validate
In the search box at the top of the portal, enter Monitor. Select Monitor in the search results.
Select Diagnostic Settings under Settings in the left pane, then select the following information in the Diagnostic settings page:
Setting Value Subscription Select the Subscription that contains the public IP address. Resource group Select the Resource group that contains the public IP address. Resource type Select Public IP Addresses. Confirm your Diagnostic status is Enabled.
Next steps
In this tutorial you learned how to configure diagnostic logging for DDoS Protection. To learn how to configure diagnostic logging alerts, continue to the next article.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for