What are the exact Log Analytics tables to query for Azure Firewall Logs. They are nowhere to be found in the doucmentation

Question

Every time I click logs from a resource in the Azure Portal, it drops me to Log Analytics and then I have absolutely no idea which tables to query which are specific for the resource that I've just come from. Why can't Microsoft display the relevant tables specific to the resource from which you have just clicked the Logs link instead of just dropping you into Log Analytics and letting you fend for yourself?

I am trying to look for Azure Firewall logs. As soon as I click Logs, I get dropped into Log Analytics with query packs. I've tried search for Azure Firewall but all of the queries are returning nothing even though my Diagnostic settings in the AFW are set to send all logs to LA. Apparently there are a new set of Azure Firewall logs but I'll be dammed if I can find them documented anywhere. Why is that? Why is the customer experience always the last thing that Microsoft Engineers think of?

Answer 1

Hi JohnSebastian-3934,

I hope I can help you with your complain, Azure Firewall logs are stored in specific tables in Log Analytics. To find them, you need to the firewall > monitoring > logs > Her you can identify all the data table that is logged from your azure firewall. You can select any of the existing queries or create your query based on the tables that you have.

Example for a Application rule query: (https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azfwapplicationrule)

AZFWApplicationRule
| where Action contains "Allow"
| take 100

It’s important to note that you need to correctly configure the diagnostic settings in the Azure Firewall to send logs to Log Analytics. If the diagnostic settings are not correctly configured, you won’t see the logs in Log Analytics, even if you’re querying the correct tables. (https://learn.microsoft.com/en-us/azure/firewall/enable-top-ten-and-flow-trace#create-a-diagnostic-setting-and-enable-resource-specific-table)

Remember, it can take a few minutes for the data to appear in your logs after you turn on diagnostic logging. If you don’t see anything at first, check again in a few more minutes.

References:

• https://learn.microsoft.com/en-us/azure/firewall/firewall-diagnostics
• https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/tables-category
• https://learn.microsoft.com/en-us/azure/azure-monitor/logs/manage-logs-tables?tabs=azure-portal
• https://learn.microsoft.com/en-us/azure/firewall/firewall-structured-logs
• https://learn.microsoft.com/en-us/azure/firewall/logs-and-metrics
• https://techcommunity.microsoft.com/t5/azure-network-security-blog/exploring-the-new-resource-specific-structured-logging-in-azure/ba-p/3620530

If the information helped address your question, please Accept the answer.

Luis

Answer 2

While your answer is correct, when I go to the Azure Firewall->Monitoring->Logs I am dropped to a Log Analytics screen with a Queries hub screen. Trying to search for AZFW returns nothing under query packs. Searching for Firewall returns sample queries under Alerts, Firewwall Audit and Firewall Logs sections. Most of the queries that they run return no data for me because the queries are just wrong. They use AzureDiagnostics table instead of the newer tables. This is a mess. When I click Logs, what should show in the Log Analytics screen are ONLY the exact tables that are relevant for the exact version of the Azure Firewall from which I have have just clicked Logs, period. I shouldn't have to go searching and figuring out what I have to then query. If I'm clicking Logs from the Azure Firewall page, I would expect that engineers would understand that I am interested in looking at logs specific to my firewall and give me those tables right there in front of me. All the AZFW* tables should be listed. Instead your lousy UI makes me then fight to find what I need from Log Analytics. This is just poor design or lazy programming and very poor product management.Let me ask you, how would I know to query the table AZFWApplicationRule or how would I even know to look for tables named AWFW* when they are not documented with the Azure Firewall documentation? Currently under the Monitoring section of the Azure Firewall documentation they talk about (legacy) logs. Why are the new logs not documented? Why are the AWFW* tables not defined right there in the documentation?

Apparently there are a whole bunch of newer tables that are associated with the Azure Firewall all starting with AZFW..... I don't see them documented anywhere in the Azure Firewall documentation which is exactly where they should be documented. Instead, these tables are buried under an obscure Security section in this document: https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/tables-category

If I put AZFW into the tables search I finally see them but my point from the start is how would I ever know to put AZFW into the search since there is no documentation for this?

Anyway you did answer my question so thank you for that.

Rant over...

Answer 3

@JohnSebastian-3934

Thank you for sharing the feedback above.

I understand the concern here and having more AZFW sample queries documented is a valid request here.

It will help if you could this as a content feedback on this documentation here.

I understand your question was already answered here, but just adding a flow below for community benefit which can help get to the documented sample queries quicker.

• I found that the best way to get to sample queries for structured firewall logs to go to this section of the documentation (https://learn.microsoft.com/en-us/azure/firewall/firewall-structured-logs#resource-specific-mode)
• Then click on the individual categories

• This will take you to AZFW* table documentation where a link to the sample query is provided in the Table attributes section

I understand this is not an ideal scenario and it will definitely help improve the documentation if you could share the content feedback shown above.

Please let me know if you have any questions. Thank you!