
Azure Resource Manager

About

Azure resource logs are platform logs that provide insight into operations performed within an Azure resource. The content of resource logs varies by Azure service and resource type. Resource logs are not collected by default: a diagnostic setting must be created for each Azure resource to send its resource logs to a Log Analytics workspace (for use with Azure Monitor Logs), to Azure Event Hubs (to forward them outside of Azure), or to Azure Storage (for archiving).

Product Details

Vendor URL: Azure Monitor Overview

Product Type: SaaS

Product Tier: Tier III

Integration Method: Custom

Integration URL: N/A

Log Guide: Sample Logs by Log Type

Parser Details

Log Format: JSON

Expected Normalization Rate: TBD

Data Label: AZURE_RESOURCE_LOGS

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field              UDM Field
record.category             metadata.product_event_type
record.Host                 observer.hostname
record.resultDescription    metadata.description
Defined                     metadata.event_type
resourceId                  principal.hostname
UserAgent                   network.http.user_agent
ScStatus                    network.http.response_code
Referer                     network.http.referral_url
CsMethod                    network.http.method
CsUsername                  principal.user.userid
SPort                       target.port
CsHost                      target.hostname
CsBytes                     network.received_bytes
ScBytes                     network.sent_bytes
Microsoft                   metadata.vendor_name
Azure_Resource_Log          metadata.product_name
record.EventIpAddress       observer.ip

Log Sample

{
  "records": [
    {
      "resultDescription": "Problem with directory [/home/tomcat/lib], exists: [false], isDirectory: [false], canRead: [false]",
      "resourceId": "/SUBSCRIPTIONS/xxxxxxx/RESOURCEGROUPS/PROD-WM-CENTRALFILL-RG1/PROVIDERS/MICROSOFT.WEB/SITES/xx-xxxxxxxxx-S",
      "operationName": "Microsoft.Web/sites/log",
      "category": "AppServiceAppLogs",
      "time": "2021-05-07T14:16:27.005Z",
      "level": "Warning",
      "properties": "{\"level\":\"WARNING\",\"resourceId\":\"device.domain.com\",\"source\":\"xxxxxxx\",\"webSiteInstanceId\":\"xxxxxxxxx\",\"logger\":\"xxxxxxxx\",\"method\":\"validateFile\"}",
      "EventStampType": "MiniStamp",
      "EventPrimaryStampName": "xxxxxxxx",
      "EventStampName": "xxxxxxxx",
      "Host": "xxxxxxxxx",
      "EventIpAddress": "xxxxxxxxx"
    },
    {
      "resultDescription": "Problem with directory [/home/tomcat/lib], exists: [false], isDirectory: [false], canRead: [false]",
      "resourceId": "/SUBSCRIPTIONS/xxxxxxxx/RESOURCEGROUPS/PROD-WM-CENTRALFILL-RG1/PROVIDERS/MICROSOFT.WEB/SITES/xx-xxxxxxxxx-S",
      "operationName": "Microsoft.Web/sites/log",
      "category": "AppServiceAppLogs",
      "time": "2021-05-07T14:16:27.225Z",
      "level": "Warning",
      "properties": "{\"level\":\"WARNING\",\"resourceId\":\"xxxxx.domain.com\",\"source\":\"xxxxxxxxx\",\"webSiteInstanceId\":\"xxxxxxxxx\",\"logger\":\"xxxxxxx\",\"method\":\"validateFile\"}",
      "EventStampType": "MiniStamp",
      "EventPrimaryStampName": "xxxxxxxx",
      "EventStampName": "xxxxxxxx",
      "Host": "xxxxxxxx",
      "EventIpAddress": "xxxxxxxxx"
    },
    {
      "resultDescription": "Server version name: Apache Tomcat/9.0.37",
      "resourceId": "/SUBSCRIPTIONS/xxxxxxxx/RESOURCEGROUPS/PROD-WM-CENTRALFILL-RG1/PROVIDERS/MICROSOFT.WEB/SITES/xx-xxxxxxxxx-S",
      "operationName": "Microsoft.Web/sites/log",
      "category": "AppServiceAppLogs",
      "time": "2021-05-07T14:16:28.520Z",
      "level": "Informational",
      "properties": "{\"level\":\"INFO\",\"resourceId\":\"server.domain.com\",\"source\":\"org.apache.catalina.startup.VersionLoggerListener\",\"webSiteInstanceId\":\"xxxxxxxxx\",\"logger\":\"xxxxxxxxxx\",\"method\":\"log\"}",
      "EventStampType": "MiniStamp",
      "EventPrimaryStampName": "xxxxxxxx",
      "EventStampName": "xxxxxxxx",
      "Host": "xxxxxxxx",
      "EventIpAddress": "xxxxxxxx"
    },
    {
      "resultDescription": "Server built: Jun 30 2020 20:09:49 UTC",
      "resourceId": "/SUBSCRIPTIONS/xxxxxxxxx/RESOURCEGROUPS/PROD-WM-CENTRALFILL-RG1/PROVIDERS/MICROSOFT.WEB/SITES/xx-xxxxxxxxx-S",
      "operationName": "Microsoft.Web/sites/log",
      "category": "AppServiceAppLogs",
      "time": "2021-05-07T14:16:28.526Z",
      "level": "Informational",
      "properties": "{\"level\":\"INFO\",\"resourceId\":\"server.domain.com\",\"source\":\"org.apache.catalina.startup.VersionLoggerListener\",\"webSiteInstanceId\":\"xxxxxxxxx\",\"logger\":\"org.apache.catalina.startup.VersionLoggerListener\",\"method\":\"log\"}",
      "EventStampType": "MiniStamp",
      "EventPrimaryStampName": "xxxxxxxxx",
      "EventStampName": "xxxxxxxxx",
      "Host": "xxxxxxxxx",
      "EventIpAddress": "xxxxxxxx"
    },
    {
      "resultDescription": "Server version number: 9.0.37.0",
      "resourceId": "/SUBSCRIPTIONS/xxxxxxxxx/RESOURCEGROUPS/PROD-WM-CENTRALFILL-RG1/PROVIDERS/MICROSOFT.WEB/SITES/xx-xxxxxxxxx-S",
      "operationName": "Microsoft.Web/sites/log",
      "category": "AppServiceAppLogs",
      "time": "2021-05-07T14:16:28.539Z",
      "level": "Informational",
      "properties": "{\"level\":\"INFO\",\"resourceId\":\"server.domain.com\",\"source\":\"org.apache.catalina.startup.VersionLoggerListener\",\"webSiteInstanceId\":\"xxxxxxxxx\",\"logger\":\"org.apache.catalina.startup.VersionLoggerListener\",\"method\":\"log\"}",
      "EventStampType": "MiniStamp",
      "EventPrimaryStampName": "xxxxxxxx",
      "EventStampName": "xxxxxxxxxx",
      "Host": "xxxxxxxxx",
      "EventIpAddress": "xxxxxxxxx"
    },
    {
      "resultDescription": "OS Name: Linux",
      "resourceId": "/SUBSCRIPTIONS/xxxxxxxxxx/RESOURCEGROUPS/PROD-WM-CENTRALFILL-RG1/PROVIDERS/MICROSOFT.WEB/SITES/xx-xxxxxxxxx-S",
      "operationName": "Microsoft.Web/sites/log",
      "category": "AppServiceAppLogs",
      "time": "2021-05-07T14:16:28.542Z",
      "level": "Informational",
      "properties": "{\"level\":\"INFO\",\"resourceId\":\"server.domain.com\",\"source\":\"org.apache.catalina.startup.VersionLoggerListener\",\"webSiteInstanceId\":\"xxxxxxxxx\",\"logger\":\"org.apache.catalina.startup.VersionLoggerListener\",\"method\":\"log\"}",
      "EventStampType": "MiniStamp",
      "EventPrimaryStampName": "xxxxxxxxxx",
      "EventStampName": "xxxxxxxxxx",
      "Host": "xxxxxxxxx",
      "EventIpAddress": "xxxxxxxxx"
    }
  ]
}

Sample Parsing

UDM Field                      Value
metadata.event_timestamp       "2021-07-29T15:17:22Z"
metadata.event_type            "NETWORK_CONNECTION"
metadata.vendor_name           "Microsoft"
metadata.product_name          "Azure_Resource_Log"
metadata.product_event_type    "AppServiceHTTPLogs"
metadata.description           "Response Code:200 - OK - Standard response for successful HTTP requests. "
metadata.ingested_timestamp    "2021-07-29T15:18:12.162940Z"
principal.user.userid          "-"
principal.ip[0]                "10.10.10.10"
target.hostname                "website.domain.com"
target.port                    80
observer.hostname              "servername"
observer.ip[0]                 "10.10.11.11"
network.sent_bytes             "467"
network.received_bytes         "1124"
network.http.method            "GET"
network.http.referral_url      "-"
network.http.response_code     200
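The mapping table and the Sample Parsing section above describe the normalization without showing how the nested record is taken apart. The following is an added example, not the product's parser, that reads a records export shaped like the Log Sample, decodes the "properties" value (which arrives as a JSON string rather than an object, as the sample shows) and applies the page's UDM table. It assumes that table entries prefixed "record." are top-level record fields and unprefixed entries live inside the decoded properties object; that metadata.event_type ("Defined" in the table) is NETWORK_CONNECTION for AppServiceHTTPLogs and GENERIC_EVENT otherwise, as the Sample Parsing suggests; and that the client address for principal.ip comes from a properties field named CIp. The sample input is constructed, with the HTTP record built to match the Sample Parsing values.

```python
import json
from typing import Any, Dict, List

# Source field -> UDM field, copied from the page's table. The "record."
# prefix is read here as "top-level record field"; unprefixed names are
# looked up inside the decoded properties object (assumption).
FIELD_MAP = {
    "record.category": "metadata.product_event_type",
    "record.Host": "observer.hostname",
    "record.resultDescription": "metadata.description",
    "record.EventIpAddress": "observer.ip",
    "resourceId": "principal.hostname",
    "UserAgent": "network.http.user_agent",
    "ScStatus": "network.http.response_code",
    "Referer": "network.http.referral_url",
    "CsMethod": "network.http.method",
    "CsUsername": "principal.user.userid",
    "SPort": "target.port",
    "CsHost": "target.hostname",
    "CsBytes": "network.received_bytes",
    "ScBytes": "network.sent_bytes",
}
CONSTANTS = {"metadata.vendor_name": "Microsoft",
             "metadata.product_name": "Azure_Resource_Log"}
INT_FIELDS = {"target.port", "network.http.response_code"}   # integers in Sample Parsing
LIST_FIELDS = {"observer.ip", "principal.ip"}                # repeated fields in UDM


def decode_properties(record: Dict[str, Any]) -> Dict[str, Any]:
    """Return properties as a dict. Azure may send it as an object or as a
    JSON string; free text or malformed JSON yields an empty dict so one
    bad record cannot abort the batch."""
    raw = record.get("properties")
    if isinstance(raw, dict):
        return raw
    if isinstance(raw, str):
        try:
            parsed = json.loads(raw)
        except json.JSONDecodeError:
            return {}
        return parsed if isinstance(parsed, dict) else {}
    return {}


def to_udm(record: Dict[str, Any]) -> Dict[str, Any]:
    """Normalize one record into a flat dict keyed by dotted UDM path."""
    props = decode_properties(record)
    udm: Dict[str, Any] = dict(CONSTANTS)
    for src, dst in FIELD_MAP.items():
        if src.startswith("record."):
            value = record.get(src[len("record."):])
        else:
            value = props.get(src)
        if value is None or value == "":
            continue                      # unmapped fields are simply absent
        if dst in INT_FIELDS:
            try:
                value = int(value)
            except (TypeError, ValueError):
                continue                  # drop rather than emit a bad type
        udm[dst] = [value] if dst in LIST_FIELDS else value
    udm["metadata.event_timestamp"] = record.get("time")
    # "Defined" in the table: event type is derived from the log category (assumption).
    udm["metadata.event_type"] = ("NETWORK_CONNECTION"
                                  if record.get("category") == "AppServiceHTTPLogs"
                                  else "GENERIC_EVENT")
    if props.get("CIp"):                  # client IP field name is an assumption
        udm["principal.ip"] = [props["CIp"]]
    return udm


def parse_export(text: str) -> List[Dict[str, Any]]:
    """Parse a diagnostic-setting export ({"records": [...]}) into UDM events."""
    return [to_udm(r) for r in json.loads(text).get("records", [])]


# Constructed sample: one AppServiceAppLogs record modelled on the page's
# Log Sample and one AppServiceHTTPLogs record matching Sample Parsing.
SAMPLE_EXPORT = json.dumps({"records": [
    {"resultDescription": "Problem with directory [/home/tomcat/lib], exists: [false], isDirectory: [false], canRead: [false]",
     "resourceId": "/SUBSCRIPTIONS/xxxxxxx/RESOURCEGROUPS/PROD-WM-CENTRALFILL-RG1/PROVIDERS/MICROSOFT.WEB/SITES/xx-xxxxxxxxx-S",
     "operationName": "Microsoft.Web/sites/log", "category": "AppServiceAppLogs",
     "time": "2021-05-07T14:16:27.005Z", "level": "Warning",
     "properties": json.dumps({"level": "WARNING", "resourceId": "device.domain.com",
                               "source": "xxxxxxx", "logger": "xxxxxxxx", "method": "validateFile"}),
     "Host": "xxxxxxxxx", "EventIpAddress": "xxxxxxxxx"},
    {"resultDescription": "Response Code:200 - OK - Standard response for successful HTTP requests. ",
     "resourceId": "/SUBSCRIPTIONS/xxxxxxx/RESOURCEGROUPS/PROD-WM-CENTRALFILL-RG1/PROVIDERS/MICROSOFT.WEB/SITES/xx-xxxxxxxxx-S",
     "operationName": "Microsoft.Web/sites/log", "category": "AppServiceHTTPLogs",
     "time": "2021-07-29T15:17:22Z",
     "properties": json.dumps({"CsMethod": "GET", "ScStatus": "200", "CsHost": "website.domain.com",
                               "SPort": "80", "CsBytes": "1124", "ScBytes": "467", "CsUsername": "-",
                               "Referer": "-", "UserAgent": "Mozilla/5.0 (constructed)", "CIp": "10.10.10.10"}),
     "Host": "servername", "EventIpAddress": "10.10.11.11"},
]})

if __name__ == "__main__":
    for event in parse_export(SAMPLE_EXPORT):
        print(json.dumps(event, indent=2))
```

The two-level lookup is the part worth keeping when writing a real parser for this source: the top-level envelope (category, Host, EventIpAddress, resultDescription) is stable across categories, while everything category-specific sits inside the properties string and must be decoded before it can be mapped.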

Parser Alerting

This product currently does not have any parser-based alerting.

Rules

Coming Soon