Azure Resource Manager
About
Azure resource logs are platform logs that provide insight into operations performed within an Azure resource. The content of resource logs varies by Azure service and resource type. Resource logs are not collected by default: a diagnostic setting must be created for each Azure resource to send its resource logs to a Log Analytics workspace (for use with Azure Monitor Logs), to Azure Event Hubs (to forward them outside of Azure), or to Azure Storage (for archiving).
Product Details
Vendor URL: Azure Monitor Overview
Product Type: SaaS
Product Tier: Tier III
Integration Method: Custom
Integration URL: N/A
Log Guide: Sample Logs by Log Type
Parser Details
Log Format: JSON
Expected Normalization Rate: TBD
Data Label: AZURE_RESOURCE_LOGS
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| record.category | metadata.product_event_type |
| record.Host | observer.hostname |
| record.resultDescription | metadata.description |
| Defined | metadata.event_type |
| resourceId | principal.hostname |
| UserAgent | network.http.user_agent |
| ScStatus | network.http.response_code |
| Referer | network.http.referral_url |
| CsMethod | network.http.method |
| CsUsername | principal.user.userid |
| SPort | target.port |
| CsHost | target.hostname |
| CsBytes | network.received_bytes |
| ScBytes | network.sent_bytes |
| Microsoft | metadata.vendor_name |
| Azure_Resource_Log | metadata.product_name |
| record.EventIpAddress | observer.ip |
Log Sample
```json
{
  "records": [
    {
      "resultDescription": "Problem with directory [/home/tomcat/lib], exists: [false], isDirectory: [false], canRead: [false]",
      "resourceId": "/SUBSCRIPTIONS/xxxxxxx/RESOURCEGROUPS/PROD-WM-CENTRALFILL-RG1/PROVIDERS/MICROSOFT.WEB/SITES/xx-xxxxxxxxx-S",
      "operationName": "Microsoft.Web/sites/log",
      "category": "AppServiceAppLogs",
      "time": "2021-05-07T14:16:27.005Z",
      "level": "Warning",
      "properties": "{\"level\":\"WARNING\",\"resourceId\":\"device.domain.com\",\"source\":\"xxxxxxx\",\"webSiteInstanceId\":\"xxxxxxxxx\",\"logger\":\"xxxxxxxx\",\"method\":\"validateFile\"}",
      "EventStampType": "MiniStamp",
      "EventPrimaryStampName": "xxxxxxxx",
      "EventStampName": "xxxxxxxx",
      "Host": "xxxxxxxxx",
      "EventIpAddress": "xxxxxxxxx"
    },
    {
      "resultDescription": "Problem with directory [/home/tomcat/lib], exists: [false], isDirectory: [false], canRead: [false]",
      "resourceId": "/SUBSCRIPTIONS/xxxxxxxx/RESOURCEGROUPS/PROD-WM-CENTRALFILL-RG1/PROVIDERS/MICROSOFT.WEB/SITES/xx-xxxxxxxxx-S",
      "operationName": "Microsoft.Web/sites/log",
      "category": "AppServiceAppLogs",
      "time": "2021-05-07T14:16:27.225Z",
      "level": "Warning",
      "properties": "{\"level\":\"WARNING\",\"resourceId\":\"xxxxx.domain.com\",\"source\":\"xxxxxxxxx\",\"webSiteInstanceId\":\"xxxxxxxxx\",\"logger\":\"xxxxxxx\",\"method\":\"validateFile\"}",
      "EventStampType": "MiniStamp",
      "EventPrimaryStampName": "xxxxxxxx",
      "EventStampName": "xxxxxxxx",
      "Host": "xxxxxxxx",
      "EventIpAddress": "xxxxxxxxx"
    },
    {
      "resultDescription": "Server version name: Apache Tomcat/9.0.37",
      "resourceId": "/SUBSCRIPTIONS/xxxxxxxx/RESOURCEGROUPS/PROD-WM-CENTRALFILL-RG1/PROVIDERS/MICROSOFT.WEB/SITES/xx-xxxxxxxxx-S",
      "operationName": "Microsoft.Web/sites/log",
      "category": "AppServiceAppLogs",
      "time": "2021-05-07T14:16:28.520Z",
      "level": "Informational",
      "properties": "{\"level\":\"INFO\",\"resourceId\":\"server.domain.com\",\"source\":\"org.apache.catalina.startup.VersionLoggerListener\",\"webSiteInstanceId\":\"xxxxxxxxx\",\"logger\":\"xxxxxxxxxx\",\"method\":\"log\"}",
      "EventStampType": "MiniStamp",
      "EventPrimaryStampName": "xxxxxxxx",
      "EventStampName": "xxxxxxxx",
      "Host": "xxxxxxxx",
      "EventIpAddress": "xxxxxxxx"
    },
    {
      "resultDescription": "Server built: Jun 30 2020 20:09:49 UTC",
      "resourceId": "/SUBSCRIPTIONS/xxxxxxxxx/RESOURCEGROUPS/PROD-WM-CENTRALFILL-RG1/PROVIDERS/MICROSOFT.WEB/SITES/xx-xxxxxxxxx-S",
      "operationName": "Microsoft.Web/sites/log",
      "category": "AppServiceAppLogs",
      "time": "2021-05-07T14:16:28.526Z",
      "level": "Informational",
      "properties": "{\"level\":\"INFO\",\"resourceId\":\"server.domain.com\",\"source\":\"org.apache.catalina.startup.VersionLoggerListener\",\"webSiteInstanceId\":\"xxxxxxxxx\",\"logger\":\"org.apache.catalina.startup.VersionLoggerListener\",\"method\":\"log\"}",
      "EventStampType": "MiniStamp",
      "EventPrimaryStampName": "xxxxxxxxx",
      "EventStampName": "xxxxxxxxx",
      "Host": "xxxxxxxxx",
      "EventIpAddress": "xxxxxxxx"
    },
    {
      "resultDescription": "Server version number: 9.0.37.0",
      "resourceId": "/SUBSCRIPTIONS/xxxxxxxxx/RESOURCEGROUPS/PROD-WM-CENTRALFILL-RG1/PROVIDERS/MICROSOFT.WEB/SITES/xx-xxxxxxxxx-S",
      "operationName": "Microsoft.Web/sites/log",
      "category": "AppServiceAppLogs",
      "time": "2021-05-07T14:16:28.539Z",
      "level": "Informational",
      "properties": "{\"level\":\"INFO\",\"resourceId\":\"server.domain.com\",\"source\":\"org.apache.catalina.startup.VersionLoggerListener\",\"webSiteInstanceId\":\"xxxxxxxxx\",\"logger\":\"org.apache.catalina.startup.VersionLoggerListener\",\"method\":\"log\"}",
      "EventStampType": "MiniStamp",
      "EventPrimaryStampName": "xxxxxxxx",
      "EventStampName": "xxxxxxxxxx",
      "Host": "xxxxxxxxx",
      "EventIpAddress": "xxxxxxxxx"
    },
    {
      "resultDescription": "OS Name: Linux",
      "resourceId": "/SUBSCRIPTIONS/xxxxxxxxxx/RESOURCEGROUPS/PROD-WM-CENTRALFILL-RG1/PROVIDERS/MICROSOFT.WEB/SITES/xx-xxxxxxxxx-S",
      "operationName": "Microsoft.Web/sites/log",
      "category": "AppServiceAppLogs",
      "time": "2021-05-07T14:16:28.542Z",
      "level": "Informational",
      "properties": "{\"level\":\"INFO\",\"resourceId\":\"server.domain.com\",\"source\":\"org.apache.catalina.startup.VersionLoggerListener\",\"webSiteInstanceId\":\"xxxxxxxxx\",\"logger\":\"org.apache.catalina.startup.VersionLoggerListener\",\"method\":\"log\"}",
      "EventStampType": "MiniStamp",
      "EventPrimaryStampName": "xxxxxxxxxx",
      "EventStampName": "xxxxxxxxxx",
      "Host": "xxxxxxxxx",
      "EventIpAddress": "xxxxxxxxx"
    }
  ]
}
```
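As an added example (not part of this parser documentation or of the product's own parser), the following Python applies the UDM mapping table above to a `records` payload shaped like the Log Sample, decoding the JSON-encoded `properties` string in which the HTTP fields of AppServiceHTTPLogs records arrive. The event_type rule and the integer casting of ScStatus/SPort are assumptions chosen to reproduce the Sample Parsing output, and the sample payload is constructed.

```python
import json

# Constant UDM values the parser emits for every event (from the field table).
VENDOR_NAME, PRODUCT_NAME = "Microsoft", "Azure_Resource_Log"
# Log-field -> UDM-field pairs copied from the mapping table. Top-level keys apply to
# every category; the HTTP keys sit inside the JSON-encoded "properties" string.
RECORD_MAP = {"category": "metadata.product_event_type", "Host": "observer.hostname",
              "resultDescription": "metadata.description", "EventIpAddress": "observer.ip",
              "resourceId": "principal.hostname"}
HTTP_MAP = {"UserAgent": "network.http.user_agent", "ScStatus": "network.http.response_code",
            "Referer": "network.http.referral_url", "CsMethod": "network.http.method",
            "CsUsername": "principal.user.userid", "SPort": "target.port",
            "CsHost": "target.hostname", "CsBytes": "network.received_bytes",
            "ScBytes": "network.sent_bytes"}
INT_FIELDS = {"network.http.response_code", "target.port"}  # integers in Sample Parsing

def normalize_record(rec: dict) -> dict:
    """Map one Azure resource-log record to flat UDM field names."""
    udm = {"metadata.vendor_name": VENDOR_NAME, "metadata.product_name": PRODUCT_NAME,
           "metadata.event_timestamp": rec.get("time")}
    udm.update({dst: rec[src] for src, dst in RECORD_MAP.items() if src in rec})
    # "properties" is a JSON string nested in the record; decode it, tolerating malformed JSON.
    props = rec.get("properties", {})
    if isinstance(props, str):
        try:
            props = json.loads(props)
        except json.JSONDecodeError:
            props = {}
    for src, dst in HTTP_MAP.items():
        if src in props:
            val = props[src]
            udm[dst] = int(val) if dst in INT_FIELDS and str(val).isdigit() else val
    # "Defined" in the table means the parser picks event_type itself; assumed rule here.
    is_http = rec.get("category") == "AppServiceHTTPLogs"
    udm["metadata.event_type"] = "NETWORK_CONNECTION" if is_http else "GENERIC_EVENT"
    return udm

def normalize_batch(raw: str) -> list:
    """Parse a {"records": [...]} payload as delivered by a diagnostic setting."""
    return [normalize_record(r) for r in json.loads(raw).get("records", [])]

# Constructed sample: an app-log record modelled on this page's Log Sample and an
# HTTP-log record modelled on its Sample Parsing output (all values are made up).
SAMPLE = json.dumps({"records": [
    {"resultDescription": "Server version name: Apache Tomcat/9.0.37", "Host": "webhost01",
     "resourceId": "/SUBSCRIPTIONS/x/RESOURCEGROUPS/RG1/PROVIDERS/MICROSOFT.WEB/SITES/site",
     "category": "AppServiceAppLogs", "time": "2021-05-07T14:16:28.520Z",
     "properties": json.dumps({"level": "INFO", "method": "log"}), "EventIpAddress": "10.10.11.11"},
    {"category": "AppServiceHTTPLogs", "time": "2021-07-29T15:17:22Z", "Host": "servername",
     "EventIpAddress": "10.10.11.11",
     "properties": json.dumps({"CsMethod": "GET", "ScStatus": "200", "SPort": "80",
                               "CsHost": "website.domain.com", "CsUsername": "-",
                               "CsBytes": "1124", "ScBytes": "467", "Referer": "-"})}]})
```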
Sample Parsing
metadata.event_timestamp "2021-07-29T15:17:22Z"
metadata.event_type "NETWORK_CONNECTION"
metadata.vendor_name "Microsoft"
metadata.product_name "Azure_Resource_Log"
metadata.product_event_type "AppServiceHTTPLogs"
metadata.description "Response Code:200 - OK - Standard response for successful HTTP requests. "
metadata.ingested_timestamp "2021-07-29T15:18:12.162940Z"
principal.user.userid "-"
principal.ip[0] "10.10.10.10"
target.hostname "website.domain.com"
target.port 80
observer.hostname "servername"
observer.ip[0] "10.10.11.11"
network.sent_bytes "467"
network.received_bytes "1124"
network.http.method "GET"
network.http.referral_url "-"
network.http.response_code 200
Parser Alerting
This product currently does not have any Parser-based Alerting