New

The executive guide to generative AI

Read more
About usPartnersSupport|Login
« Azure Activity Logs Azure Application Gateway Logs »
Elastic Docs Elastic integrations Azure Logs Integration

Azure App Service Integration

edit

Azure App Service Integration

edit

Version

0.6.0 [beta] This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features. (View all)

Compatible Kibana version(s)

8.13.0 or higher
9.0.0 or higher

Supported Serverless project types
What’s this?

Security
Observability

Subscription level
What’s this?

Basic

Level of support
What’s this?

Elastic

The Azure App Service logs integration retrieves different types of logs categories from Azure App Service. Azure App Service provides different logging to help you track, monitor, and debug your web application.

  • HTTPLogs help monitor application health, performance and usage patterns.
  • AuditLogs provide insights when publishing users successfully log on via one of the App Service publishing protocols.
  • IPSecAuditLogs are generated through your application and pushed to Azure Monitoring.
  • PlatformLogs are generated through AppService platform for your application.
  • ConsoleLogs are generated from application or container.
  • AppLogs are generated through your application (ex. logging capabilities)

Data streams

edit

This integration currently collects one data stream:

  • App Service Logs

Requirements

edit

Credentials

edit

eventhub : string Is the fully managed, real-time data ingestion service.

consumer_group : string The publish/subscribe mechanism of Event Hubs is enabled through consumer groups. A consumer group is a view (state, position, or offset) of an entire event hub. Consumer groups enable multiple consuming applications to each have a separate view of the event stream, and to read the stream independently at their own pace and with their own offsets. Default value: $Default

connection_string : string The connection string required to communicate with Event Hubs, steps here https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-get-connection-string.

A Blob Storage account is required in order to store/retrieve/update the offset or state of the eventhub messages. This means that after stopping the filebeat azure module it can start back up at the spot that it stopped processing messages.

storage_account : string The name of the storage account the state/offsets will be stored and updated.

storage_account_key : string The storage account key, this key will be used to authorize access to data in your storage account.

resource_manager_endpoint : string Optional, by default we are using the azure public environment, to override, users can provide a specific resource manager endpoint in order to use a different azure environment. Ex: https://management.chinacloudapi.cn/ for azure ChinaCloud https://management.microsoftazure.de/ for azure GermanCloud https://management.azure.com/ for azure PublicCloud https://management.usgovcloudapi.net/ for azure USGovernmentCloud Users can also use this in case of a Hybrid Cloud model, where one may define their own endpoints.

App Service Logs

edit

ECS Field Reference

Please refer to the following document for detailed information on ECS fields.

Exported fields
Field Description Type

@timestamp

Event timestamp.

date

azure.app_service.category

The category of the operation.

keyword

azure.app_service.container_id

Application container id

keyword

azure.app_service.event_ip_address

IP address of the event

keyword

azure.app_service.event_primary_stamp_name

Primary name of the service

keyword

azure.app_service.event_stamp_name

Name of the service

keyword

azure.app_service.event_stamp_type

Values that the service supports

keyword

azure.app_service.host

Host where the application is running

keyword

azure.app_service.level

Verbosity level of log

keyword

azure.app_service.log

Details about the event depending on level

keyword

azure.app_service.operation_name

The operation name.

keyword

azure.app_service.properties.client_ip

IP address of the client.

ip

azure.app_service.properties.client_port

IP address of the client.

long

azure.app_service.properties.computer_name

The name of the server on which the log file entry was generated.

keyword

azure.app_service.properties.cookie

Cookie on HTTP request.

keyword

azure.app_service.properties.cs_bytes

Number of bytes received by server.

long

azure.app_service.properties.cs_host

Host name header on HTTP request.

keyword

azure.app_service.properties.cs_method

keyword

azure.app_service.properties.cs_uri_query

URI query on HTTP request.

keyword

azure.app_service.properties.cs_uri_stem

The target of the request.

keyword

azure.app_service.properties.cs_username

The name of the authenticated user on HTTP request.

keyword

azure.app_service.properties.details

Additional information

keyword

azure.app_service.properties.protocol

Authentication protocol.

keyword

azure.app_service.properties.referer

The site that the user last visited. This site provided a link to the current site.

keyword

azure.app_service.properties.result

Success / Failure of HTTP request.

keyword

azure.app_service.properties.s_port

Server port number.

keyword

azure.app_service.properties.sc_bytes

Number of bytes sent by server.

long

azure.app_service.properties.sc_status

HTTP status code.

long

azure.app_service.properties.sc_substatus

Substatus error code on HTTP request.

keyword

azure.app_service.properties.sc_win32status

Windows status code on HTTP request.

keyword

azure.app_service.properties.service_endpoint

This indicates whether the access is via Virtual Network Service Endpoint communication

keyword

azure.app_service.properties.source_system

The source system

keyword

azure.app_service.properties.time_generated

Time of the Http Request

keyword

azure.app_service.properties.time_taken

Time taken by HTTP request in milliseconds.

long

azure.app_service.properties.type

The name of the table

keyword

azure.app_service.properties.user

Username used for publishing access.

keyword

azure.app_service.properties.user_agent

User agent on HTTP request.

keyword

azure.app_service.properties.user_display_name

Email address of a user in case publishing was authorized via AAD authentication.

keyword

azure.app_service.properties.xazurefdid

X-Azure-FDID header (Azure Frontdoor Id) of the HTTP request

keyword

azure.app_service.properties.xfdhealth_probe

X-FD-HealthProbe (Azure Frontdoor Health Probe) of the HTTP request

keyword

azure.app_service.properties.xforwarded_for

X-Forwarded-For header of the HTTP request

keyword

azure.app_service.properties.xforwarded_host

X-Forwarded-Host header of the HTTP request

keyword

azure.app_service.result_description

Log message description

keyword

azure.correlation_id

Correlation ID

keyword

azure.resource.authorization_rule

Authorization rule

keyword

azure.resource.group

Resource group

keyword

azure.resource.id

Resource ID

keyword

azure.resource.name

Name

keyword

azure.resource.namespace

Resource type/namespace

keyword

azure.resource.provider

Resource type/namespace

keyword

azure.subscription_id

Azure subscription ID

keyword

azure.tenant_id

tenant ID

keyword

data_stream.dataset

Data stream dataset name.

constant_keyword

data_stream.namespace

Data stream namespace.

constant_keyword

data_stream.type

Data stream type.

constant_keyword

dataset.name

Dataset name.

constant_keyword

dataset.namespace

Dataset namespace.

constant_keyword

dataset.type

Dataset type.

constant_keyword

geo.city_name

City name.

keyword

geo.continent_name

Name of the continent.

keyword

geo.country_iso_code

Country ISO code.

keyword

geo.country_name

Country name.

keyword

geo.location

Longitude and latitude.

geo_point

geo.name

User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.

keyword

geo.region_iso_code

Region ISO code.

keyword

geo.region_name

Region name.

keyword

Changelog

edit
Changelog
Version Details Kibana version(s)

0.6.0

Enhancement (View pull request)
Add support for Kibana 9.0.0.

0.5.0

Enhancement (View pull request)
Allow the usage of deprecated log input and support for stack 9.0

0.4.2

Enhancement (View pull request)
Add observability category.

0.4.1

Bug fix (View pull request)
Remove metrics reference from manifest.

0.4.0

Enhancement (View pull request)
ECS version updated to 8.11.0. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.

0.3.0

Enhancement (View pull request)
Enable secrets for sensitive fields. For more details, refer https://www.elastic.co/guide/en/fleet/current/agent-policy.html#agent-policy-secret-values

0.2.1

Bug fix (View pull request)
Disable secrets for older stack versions due to errors.

0.2.0

Enhancement (View pull request)
Enable secret for the sensitive fields, supported from 8.12.

0.1.0

Enhancement (View pull request)
Update the package format_version to 3.0.0.

0.0.1

Enhancement (View pull request)
Initial release

« Azure Activity Logs Azure Application Gateway Logs »

On this page

Was this helpful?
Feedback