Azure App Service

Collect logs and metrics from Azure App Service with Elastic Agent.

What is an Elastic integration?
Version
0.4.0 (View all)
Compatible Kibana version(s)
8.13.0 or higher
Supported Serverless project types

What's this?
Security
Observability
Subscription level
What's this?
Basic
Level of support
What's this?
Elastic

The Azure App Service logs integration retrieves different types of logs categories from Azure App Service. Azure App Service provides different logging to help you track, monitor, and debug your web application.

  • HTTPLogs help monitor application health, performance and usage patterns.
  • AuditLogs provide insights when publishing users successfully log on via one of the App Service publishing protocols.
  • IPSecAuditLogs are generated through your application and pushed to Azure Monitoring.
  • PlatformLogs are generated through AppService platform for your application.
  • ConsoleLogs are generated from application or container.
  • AppLogs are generated through your application (ex. logging capabilities)

Data streams

This integration currently collects one data stream:

  • App Service Logs

Requirements

Credentials

eventhub : string Is the fully managed, real-time data ingestion service.

consumer_group : string The publish/subscribe mechanism of Event Hubs is enabled through consumer groups. A consumer group is a view (state, position, or offset) of an entire event hub. Consumer groups enable multiple consuming applications to each have a separate view of the event stream, and to read the stream independently at their own pace and with their own offsets. Default value: $Default

connection_string : string The connection string required to communicate with Event Hubs, steps here https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-get-connection-string.

A Blob Storage account is required in order to store/retrieve/update the offset or state of the eventhub messages. This means that after stopping the filebeat azure module it can start back up at the spot that it stopped processing messages.

storage_account : string The name of the storage account the state/offsets will be stored and updated.

storage_account_key : string The storage account key, this key will be used to authorize access to data in your storage account.

resource_manager_endpoint : string Optional, by default we are using the azure public environment, to override, users can provide a specific resource manager endpoint in order to use a different azure environment. Ex: https://management.chinacloudapi.cn/ for azure ChinaCloud https://management.microsoftazure.de/ for azure GermanCloud https://management.azure.com/ for azure PublicCloud https://management.usgovcloudapi.net/ for azure USGovernmentCloud Users can also use this in case of a Hybrid Cloud model, where one may define their own endpoints.

App Service Logs

ECS Field Reference

Please refer to the following document for detailed information on ECS fields.

Exported fields

FieldDescriptionType
@timestamp
Event timestamp.
date
azure.app_service.category
The category of the operation.
keyword
azure.app_service.container_id
Application container id
keyword
azure.app_service.event_ip_address
IP address of the event
keyword
azure.app_service.event_primary_stamp_name
Primary name of the service
keyword
azure.app_service.event_stamp_name
Name of the service
keyword
azure.app_service.event_stamp_type
Values that the service supports
keyword
azure.app_service.host
Host where the application is running
keyword
azure.app_service.level
Verbosity level of log
keyword
azure.app_service.log
Details about the event depending on level
keyword
azure.app_service.operation_name
The operation name.
keyword
azure.app_service.properties.client_ip
IP address of the client.
ip
azure.app_service.properties.client_port
IP address of the client.
long
azure.app_service.properties.computer_name
The name of the server on which the log file entry was generated.
keyword
azure.app_service.properties.cookie
Cookie on HTTP request.
keyword
azure.app_service.properties.cs_bytes
Number of bytes received by server.
long
azure.app_service.properties.cs_host
Host name header on HTTP request.
keyword
azure.app_service.properties.cs_method
keyword
azure.app_service.properties.cs_uri_query
URI query on HTTP request.
keyword
azure.app_service.properties.cs_uri_stem
The target of the request.
keyword
azure.app_service.properties.cs_username
The name of the authenticated user on HTTP request.
keyword
azure.app_service.properties.details
Additional information
keyword
azure.app_service.properties.protocol
Authentication protocol.
keyword
azure.app_service.properties.referer
The site that the user last visited. This site provided a link to the current site.
keyword
azure.app_service.properties.result
Success / Failure of HTTP request.
keyword
azure.app_service.properties.s_port
Server port number.
keyword
azure.app_service.properties.sc_bytes
Number of bytes sent by server.
long
azure.app_service.properties.sc_status
HTTP status code.
long
azure.app_service.properties.sc_substatus
Substatus error code on HTTP request.
keyword
azure.app_service.properties.sc_win32status
Windows status code on HTTP request.
keyword
azure.app_service.properties.service_endpoint
This indicates whether the access is via Virtual Network Service Endpoint communication
keyword
azure.app_service.properties.source_system
The source system
keyword
azure.app_service.properties.time_generated
Time of the Http Request
keyword
azure.app_service.properties.time_taken
Time taken by HTTP request in milliseconds.
long
azure.app_service.properties.type
The name of the table
keyword
azure.app_service.properties.user
Username used for publishing access.
keyword
azure.app_service.properties.user_agent
User agent on HTTP request.
keyword
azure.app_service.properties.user_display_name
Email address of a user in case publishing was authorized via AAD authentication.
keyword
azure.app_service.properties.xazurefdid
X-Azure-FDID header (Azure Frontdoor Id) of the HTTP request
keyword
azure.app_service.properties.xfdhealth_probe
X-FD-HealthProbe (Azure Frontdoor Health Probe) of the HTTP request
keyword
azure.app_service.properties.xforwarded_for
X-Forwarded-For header of the HTTP request
keyword
azure.app_service.properties.xforwarded_host
X-Forwarded-Host header of the HTTP request
keyword
azure.app_service.result_description
Log message description
keyword
azure.correlation_id
Correlation ID
keyword
azure.resource.authorization_rule
Authorization rule
keyword
azure.resource.group
Resource group
keyword
azure.resource.id
Resource ID
keyword
azure.resource.name
Name
keyword
azure.resource.namespace
Resource type/namespace
keyword
azure.resource.provider
Resource type/namespace
keyword
azure.subscription_id
Azure subscription ID
keyword
azure.tenant_id
tenant ID
keyword
data_stream.dataset
Data stream dataset name.
constant_keyword
data_stream.namespace
Data stream namespace.
constant_keyword
data_stream.type
Data stream type.
constant_keyword
dataset.name
Dataset name.
constant_keyword
dataset.namespace
Dataset namespace.
constant_keyword
dataset.type
Dataset type.
constant_keyword
geo.city_name
City name.
keyword
geo.continent_name
Name of the continent.
keyword
geo.country_iso_code
Country ISO code.
keyword
geo.country_name
Country name.
keyword
geo.location
Longitude and latitude.
geo_point
geo.name
User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.
keyword
geo.region_iso_code
Region ISO code.
keyword
geo.region_name
Region name.
keyword

Changelog

VersionDetailsKibana version(s)

0.4.0

Enhancement View pull request
ECS version updated to 8.11.0. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.

0.3.0

Enhancement View pull request
Enable secrets for sensitive fields. For more details, refer https://www.elastic.co/guide/en/fleet/current/agent-policy.html#agent-policy-secret-values

0.2.1

Bug fix View pull request
Disable secrets for older stack versions due to errors.

0.2.0

Enhancement View pull request
Enable 'secret' for the sensitive fields, supported from 8.12.

0.1.0

Enhancement View pull request
Update the package format_version to 3.0.0.

0.0.1

Enhancement View pull request
Initial release

On this page