
Unveiling the Secrets of Azure WAF & App Gateway Logs with KQL

When running applications on Azure, ensuring security and performance is paramount. Azure Web Application Firewall (WAF) and Application Gateway generate extensive logs that help diagnose security threats, server failures, and performance bottlenecks. But how do you extract meaningful insights from these logs? The answer lies in Kusto Query Language (KQL).
In this blog post, I’ll guide you through some powerful KQL queries to analyze WAF logs and detect failures in Azure Application Gateway. Whether you’re a security analyst or a DevOps engineer, these queries will help you troubleshoot issues like a pro!

🔥 Detecting Blocked Requests by WAF
Azure WAF is designed to protect your applications from malicious requests. But how do you check if legitimate users are getting blocked?

AzureDiagnostics
| where ResourceType == "APPLICATIONGATEWAYS"
| where Category == "ApplicationGatewayFirewallLog"
| where action_s == "Blocked" // the firewall log records "Blocked", "Matched", "Detected" or "Allowed"
| project TimeGenerated, clientIp_s, requestUri_s, ruleId_s, details_data_s // the matched rule is exposed as ruleId_s
| order by TimeGenerated desc

πŸ› οΈ How This Helps:
Identifies requests that were blocked by WAF.
Helps fine-tune WAF rules to reduce false positives.
Tracks client IPs and URLs being flagged as threats.
🚨 Identifying Application Gateway Failures
Application Gateway failures can be catastrophic for your users. If your app is throwing HTTP 500 errors, you need to know why.

AzureDiagnostics
| where ResourceType == "APPLICATIONGATEWAYS"
| where Category == "ApplicationGatewayAccessLog"
| where httpStatus_d >= 500
| project TimeGenerated, requestUri_s, httpStatus_d, backendPoolName_s, backendSettingName_s, host_s
| order by TimeGenerated desc

πŸ› οΈ Why This Query is Important:
Helps identify server-side failures.
Detects backend servers that may be down.
Quickly find affected URLs and services.
⚡ Uncovering High Latency Requests
Nobody likes a slow website. If users experience delays, they might leave your site frustrated. This query helps find slow API responses.

AzureDiagnostics
| where ResourceType == "APPLICATIONGATEWAYS"
| where Category == "ApplicationGatewayAccessLog" // timeTaken is recorded in the access log, not the performance log
| where timeTaken_d > 3 // timeTaken_d is in seconds: requests taking more than 3 seconds
| project TimeGenerated, requestUri_s, timeTaken_d, clientIp_s, host_s
| order by timeTaken_d desc

πŸ› οΈ What You Gain:
Detects slow requests causing performance issues.
Identifies whether the delay is from the backend or frontend.
Helps optimize server response times.
πŸ•΅οΈ Tracking WAF Logs for a Specific Client IP
Want to investigate if a particular user or bot is getting blocked? This query is your best friend!

AzureDiagnostics
| where ResourceType == "APPLICATIONGATEWAYS"
| where Category == "ApplicationGatewayFirewallLog"
| where clientIp_s == "X.X.X.X" // Replace with actual client IP
| order by TimeGenerated desc

πŸ› οΈ Why Use This:
Track a specific user experiencing access issues.
Identify potential attackers trying to breach security.
Debug WAF rule misconfigurations.
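The two WAF sections above filter on a single field; the next step in practice is to aggregate the blocked events so that false positives and hostile sources separate out. The following query is an added example, not from the original post. It assumes the `ruleId_s` and `hostname_s` columns of the firewall log and uses constructed thresholds for the verdict column, which you should tune to your own traffic.

```kql
// Added example: rank blocked WAF rules over the last 24 hours and attach a triage hint.
// A rule that blocks many distinct clients on a handful of URIs is a false-positive
// candidate (legitimate users hitting one form or API); a rule tripped by a single
// client across many URIs points at one source worth reviewing with the per-IP query.
AzureDiagnostics
| where TimeGenerated > ago(24h)
| where ResourceType == "APPLICATIONGATEWAYS"
| where Category == "ApplicationGatewayFirewallLog"
| where action_s == "Blocked"
| summarize
    Hits = count(),
    DistinctClients = dcount(clientIp_s),
    DistinctUris = dcount(requestUri_s),
    SampleUris = make_set(requestUri_s, 5),   // up to five example paths per rule
    LastSeen = max(TimeGenerated)
    by ruleId_s, hostname_s
// Thresholds below are constructed starting points, not Microsoft guidance.
| extend Verdict = case(
    DistinctClients >= 20 and DistinctUris <= 3, "Likely false positive: many clients, few URIs",
    DistinctClients == 1 and DistinctUris >= 10, "Single source probing many URIs: review client",
    "Mixed: inspect SampleUris")
| order by Hits desc
```

Feed a `ruleId_s` from the "Likely false positive" rows into a WAF exclusion or custom rule only after checking `SampleUris` and `details_data_s` for the rows it matched.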
💀 Detecting Backend Failures in App Gateway
Application Gateway connects to backend servers. If the backend is failing, requests will not be processed correctly.

AzureDiagnostics
| where ResourceType == "APPLICATIONGATEWAYS"
| where Category == "ApplicationGatewayAccessLog"
| where httpStatus_d != 200 // httpStatus_d is numeric, so compare against a number
| where requestUri_s == "/status-0123456789abcdef" // Application Gateway's default health probe path
| project TimeGenerated, requestUri_s, httpStatus_d, backendPoolName_s, backendSettingName_s, host_s
| order by TimeGenerated desc

πŸ› οΈ Key Insights:
Detects backend servers going offline.
Helps analyze downtime patterns.
Prevents cascading failures in multi-server deployments.
Final Thoughts
Mastering KQL can transform the way you troubleshoot and secure your Azure infrastructure. Whether you’re dealing with WAF security issues, slow applications, or backend failures, these queries will make your life easier.
So, next time your boss asks, “Why is our app slow?” or “Why did a request get blocked?”, you know exactly where to look!
🔎 Have a favorite KQL query for Azure logs? Drop it in the comments below!