Tutorial: Monitor Azure Firewall logs and metrics
You can monitor Azure Firewall using firewall logs. You can also use activity logs to audit operations on Azure Firewall resources. Using metrics, you can view performance counters in the portal.
You can access some of these logs through the portal. Logs can be sent to Azure Monitor logs, Storage, and Event Hubs and analyzed in Azure Monitor logs or by different tools such as Excel and Power BI.
This article was recently updated to use the term Azure Monitor logs instead of Log Analytics. Log data is still stored in a Log Analytics workspace and is still collected and analyzed by the same Log Analytics service. We are updating the terminology to better reflect the role of logs in Azure Monitor. See Azure Monitor terminology changes for details.
In this tutorial, you learn how to:
- Enable logging through the Azure portal
- Enable logging with PowerShell
- View and analyze the activity log
- View and analyze the network and application rule logs
- View metrics
This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.
Before starting this tutorial, you should read Azure Firewall logs and metrics for an overview of the diagnostics logs and metrics available for Azure Firewall.
Enable diagnostic logging through the Azure portal
It can take a few minutes for the data to appear in your logs after you complete this procedure to turn on diagnostic logging. If you don't see anything at first, check again in a few more minutes.
1. In the Azure portal, open your firewall resource group and click the firewall.
2. Under Monitoring, click Diagnostic settings.
   For Azure Firewall, two service-specific logs are available:
   - AzureFirewallApplicationRule
   - AzureFirewallNetworkRule
3. To start collecting data, click Turn on diagnostics.
4. The Diagnostics settings page provides the settings for the diagnostic logs.
5. In this example, Azure Monitor logs stores the logs, so type Firewall log analytics for the name.
6. Click Send to Log Analytics to configure your workspace. You can also use event hubs and a storage account to save the diagnostic logs.
7. Under Log Analytics, click Configure.
8. In the Log Analytics workspaces page, click Create New Workspace.
9. On the Log Analytics workspace page, type firewall-oms for the new Log Analytics workspace name.
10. Select your subscription, use the existing firewall resource group (Test-FW-RG), select East US for the location, and select the Free pricing tier.
11. Click OK. OMS workspaces are now referred to as Log Analytics workspaces.
12. Under Log, click AzureFirewallApplicationRule and AzureFirewallNetworkRule to collect logs for application and network rules.
Enable logging with PowerShell
Activity logging is automatically enabled for every Resource Manager resource. Diagnostic logging must be enabled to start collecting the data available through those logs.
To enable diagnostic logging, use the following steps:
1. Note the resource ID of the storage account where the log data is stored. This value is of the form: /subscriptions/<subscriptionId>/resourceGroups/<resource group name>/providers/Microsoft.Storage/storageAccounts/<storage account name>.
   You can use any storage account in your subscription. You can use the Azure portal to find this information. The information is located in the resource Property page.
2. Note the resource ID of the firewall for which logging is enabled. This value is of the form: /subscriptions/<subscriptionId>/resourceGroups/<resource group name>/providers/Microsoft.Network/azureFirewalls/<Firewall name>.
   You can use the portal to find this information.
3. Enable diagnostic logging by using the following PowerShell cmdlet:

```powershell
# Replace the <...> placeholders with your own values. The IDs are quoted so that
# spaces and angle brackets are passed as part of the string.
Set-AzDiagnosticSetting -ResourceId '/subscriptions/<subscriptionId>/resourceGroups/<resource group name>/providers/Microsoft.Network/azureFirewalls/<Firewall name>' `
    -StorageAccountId '/subscriptions/<subscriptionId>/resourceGroups/<resource group name>/providers/Microsoft.Storage/storageAccounts/<storage account name>' `
    -Enabled $true
```
Diagnostic logs do not require a separate storage account. The use of storage for access and performance logging incurs service charges.
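One way to script the steps above so that the resource IDs are looked up rather than typed, only the two firewall log categories are enabled, and the result is verified afterwards. This is an added example, not part of the original tutorial; the firewall name Test-FW01 and storage account name fwlogsstore01 are hypothetical, and it assumes an Az.Monitor version that still provides Set-AzDiagnosticSetting, the cmdlet used above.

```powershell
# Added example. Test-FW-RG comes from this tutorial; the firewall and
# storage account names below are hypothetical placeholders.
$rg          = 'Test-FW-RG'
$fwName      = 'Test-FW01'       # hypothetical
$storageName = 'fwlogsstore01'   # hypothetical

# Resolve both resource IDs from Azure instead of assembling the paths by hand.
$fw = Get-AzFirewall -ResourceGroupName $rg -Name $fwName -ErrorAction Stop
$sa = Get-AzStorageAccount -ResourceGroupName $rg -Name $storageName -ErrorAction Stop

# The two service-specific log categories named in this tutorial.
$categories = 'AzureFirewallApplicationRule', 'AzureFirewallNetworkRule'

Set-AzDiagnosticSetting -ResourceId $fw.Id `
    -StorageAccountId $sa.Id `
    -Category $categories `
    -Enabled $true | Out-Null

# Read the setting back and fail loudly if either category is not enabled,
# so a silent misconfiguration does not leave the firewall unlogged.
$setting = Get-AzDiagnosticSetting -ResourceId $fw.Id
$enabled = @($setting.Logs | Where-Object { $_.Enabled } | ForEach-Object { $_.Category })
$missing = @($categories | Where-Object { $_ -notin $enabled })
if ($missing.Count -gt 0) {
    throw "Diagnostic logging is not enabled for: $($missing -join ', ')"
}
"Logging enabled for $($enabled -join ', ') -> $($sa.StorageAccountName)"
```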
View and analyze the activity log
You can view and analyze activity log data by using any of the following methods:
- Azure tools: Retrieve information from the activity log through Azure PowerShell, the Azure CLI, the Azure REST API, or the Azure portal. Step-by-step instructions for each method are detailed in the Activity operations with Resource Manager article.
- Power BI: If you don't already have a Power BI account, you can try it for free. By using the Azure Activity Logs content pack for Power BI, you can analyze your data with preconfigured dashboards that you can use as is or customize.
View and analyze the network and application rule logs
Azure Monitor logs collects the counter and event log files. It includes visualizations and powerful search capabilities to analyze your logs.
For Azure Firewall log analytics sample queries, see Azure Firewall log analytics samples.
You can also connect to your storage account and retrieve the JSON log entries for access and performance logs. After you download the JSON files, you can convert them to CSV and view them in Excel, Power BI, or any other data-visualization tool.
If you are familiar with Visual Studio and basic concepts of changing values for constants and variables in C#, you can use the log converter tools available from GitHub.
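The JSON-to-CSV conversion described above can also be done directly in PowerShell. The following is an added example, not the GitHub converter tool; the sample records are constructed, and the one-record-per-line layout and the properties.msg text format are assumptions about the downloaded files.

```powershell
# Added example. Sample records are constructed (documentation IP ranges);
# the msg layout and one-record-per-line framing are assumptions.
$sampleLines = @(
    '{"category":"AzureFirewallNetworkRule","time":"2020-01-15T10:02:11Z","properties":{"msg":"TCP request from 10.0.1.4:51234 to 203.0.113.10:2323. Action: Deny"}}'
    '{"category":"AzureFirewallApplicationRule","time":"2020-01-15T10:02:14Z","properties":{"msg":"HTTPS request from 10.0.1.5:55640 to www.example.com:443. Action: Allow. Rule Collection: collection1000. Rule: rule1002"}}'
    '{"category":"AzureFirewallApplicationRule","time":"2020-01-15T10:02:20Z","properties":{"msg":"an entry in some other layout"}}'
)

$msgPattern = '^(?<proto>\S+) request from (?<src>\S+) to (?<dst>\S+?)\. Action: (?<action>\w+)'

function ConvertTo-SafeCell {
    # Excel evaluates cells that start with = + - @ as formulas. Log text comes
    # from network traffic, so prefix such values with an apostrophe.
    param([string]$Value)
    if ($Value -match '^[=+\-@]') { "'" + $Value } else { $Value }
}

function Convert-FirewallLogLine {
    param([Parameter(Mandatory)][string]$Line)
    # Skip lines that are not valid JSON (for example a truncated download).
    try { $rec = $Line | ConvertFrom-Json -ErrorAction Stop } catch { return }
    $msg = [string]$rec.properties.msg
    $row = [ordered]@{
        Time     = ([datetime]$rec.time).ToUniversalTime().ToString('o')
        Category = $rec.category
        Protocol = ''; Source = ''; Destination = ''; Action = 'Unparsed'
        Message  = ConvertTo-SafeCell $msg
    }
    # Messages in an unexpected layout keep Action = 'Unparsed' and the raw text.
    if ($msg -match $msgPattern) {
        $row.Protocol    = ConvertTo-SafeCell $Matches['proto']
        $row.Source      = ConvertTo-SafeCell $Matches['src']
        $row.Destination = ConvertTo-SafeCell $Matches['dst']
        $row.Action      = $Matches['action']
    }
    [pscustomobject]$row
}

$rows = $sampleLines | Where-Object { $_.Trim() } | ForEach-Object { Convert-FirewallLogLine -Line $_ }
$csvPath = Join-Path ([IO.Path]::GetTempPath()) 'azfw-logs.csv'
$rows | Export-Csv -Path $csvPath -NoTypeInformation -Encoding UTF8

# Quick triage before opening the CSV: denied flows grouped by destination.
$rows | Where-Object Action -eq 'Deny' | Group-Object Destination | Select-Object Count, Name
```

For a downloaded log file, replace $sampleLines with the output of Get-Content on that file.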
View metrics
Browse to an Azure Firewall, and under Monitoring click Metrics. To view the available values, select the METRIC drop-down list.
Now that you've configured your firewall to collect logs, you can explore Azure Monitor logs to view your data.