Centralized logging
Application Logs
Application logs in Azure refer to the logs generated by applications deployed in Azure services such as Azure Virtual Machines, Azure App Service, Azure Functions, and Azure Kubernetes Service (AKS). These logs contain information about the application's behavior, events, errors, and other relevant details that help in monitoring, troubleshooting, and understanding application performance.
Key Aspects
- Application-specific Information: Application logs capture information specific to the application's behavior and events. This can include application-level events, exceptions, warnings, requests, responses, and custom log messages generated by the application code.
- Customization and Granularity: Developers can customize the format, verbosity, and content of application logs based on their specific requirements. This allows developers to include relevant details and context to aid in troubleshooting and monitoring.
- Integration with Azure Services: Azure provides various services and tools that can consume and analyze application logs. For example, Azure Monitor can collect and analyze logs from multiple Azure services, including application logs. It offers features like log search, alerting, and visualization to monitor application performance and diagnose issues.
- Storage and Retention: Application logs can be stored in Azure Storage or other log storage solutions like Azure Monitor Logs, Azure Log Analytics, or Azure Event Hubs. The retention period for application logs can be configured based on your needs.
- Centralized Access and Analysis: Azure provides centralized access to application logs, allowing administrators and developers to access and analyze logs from multiple applications and services in a unified manner. This simplifies log management and troubleshooting across the Azure environment.
- Integration with Logging Frameworks: Azure supports various logging frameworks and libraries that can be used to generate application logs, such as Serilog, Log4Net, and NLog. These frameworks provide additional capabilities for log formatting, filtering, and routing.
Application logs are vital for monitoring the health and performance of applications running in Azure. They help in identifying and diagnosing issues, understanding application behavior, and optimizing performance.
By leveraging the rich ecosystem of Azure services and tools, developers and administrators can effectively utilize application logs to gain insights and improve the overall reliability of their applications.
Defender Logs
Azure Defender logs are a collection of security-related logs generated by the Azure Defender service, which is a built-in security solution provided by Microsoft Azure. Azure Defender helps protect Azure resources by providing advanced threat protection, vulnerability management, and security alerts for various Azure services.
Key Aspects
- Security Alerts: Azure Defender generates security alerts when it detects suspicious or malicious activities that indicate a potential security breach or threat. These alerts are based on threat intelligence, behavioral analysis, and anomaly detection techniques.
- Threat Intelligence: Azure Defender logs provide insights into known threats and attack patterns. They can include information about known malware, exploits, vulnerabilities, and indicators of compromise (IoCs).
- Vulnerability Management: Azure Defender logs can include information about vulnerabilities detected in Azure resources. This includes details about vulnerable software versions, missing security patches, and recommended remediation steps.
- Network Traffic Analysis: Azure Defender logs may capture network traffic patterns, including inbound and outbound connections, source and destination IP addresses, ports, protocols, and anomalies in network behavior.
- Identity and Access Management: Azure Defender logs can provide visibility into user activities, authentication events, access requests, and identity-related anomalies. This helps in monitoring and securing user access to Azure resources.
- Integration with Azure Sentinel: Azure Defender logs can be seamlessly integrated with Azure Sentinel, which is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) solution. Azure Sentinel enables advanced security analytics, threat hunting, and automated response workflows based on Azure Defender logs.
Azure Defender logs are critical for monitoring and responding to security incidents, detecting and mitigating threats, and maintaining the security posture of Azure resources. They provide valuable insights into the security landscape and help in identifying vulnerabilities and security risks within your Azure environment.
By analyzing and correlating Azure Defender logs with other security data sources, organizations can enhance their security operations and proactively defend against evolving threats.
Netflow Logs
NSG (Network Security Group) flow logs are a feature in Microsoft Azure that provides detailed visibility into network traffic flowing through Network Security Groups. NSGs act as virtual firewalls, allowing you to control inbound and outbound traffic to Azure resources such as virtual machines, subnets, and network interfaces.
NSG flow logs capture information about the network traffic that is either allowed or denied by the NSG rules. These logs contain valuable insights into the source and destination IP addresses, ports, protocols, traffic direction, and other metadata associated with network connections.
In short, NSG flow logs display information about ingress and egress IP traffic through a Network Security Group.
Key aspects of NSG flow logs
- Log Format NSG flow logs are stored in Azure Storage as Azure Network Watcher flow logs. They are stored in either JSON or CSV format.
- Traffic Information NSG flow logs provide details about the network traffic, including the source and destination IP addresses, source and destination ports, protocol (TCP/UDP), traffic direction (inbound/outbound), and other relevant metadata.
- Flow State NSG flow logs indicate whether the traffic flow is allowed or denied based on the NSG rules.
- Timestamps Each log entry in NSG flow logs includes a timestamp indicating when the traffic flow occurred.
- Storage Options NSG flow logs can be stored in Azure Storage accounts. You can choose to store the logs in the storage account associated with the Azure region where the NSG resides or in a different storage account.
- Retention and Archiving NSG flow logs can be retained for up to 365 days. You can configure log retention settings to determine how long the logs are retained.
NSG flow logs are useful for various scenarios, including network monitoring, troubleshooting network connectivity issues, auditing network traffic patterns, and analyzing security events. By analyzing NSG flow logs, you can gain insights into network traffic behavior, identify potential security risks, and optimize network performance within your Azure environment.
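The fields listed above (timestamp, source and destination IP and port, protocol, direction, allow/deny decision, flow state) arrive packed into comma-separated "flow tuples" nested under each NSG rule and NIC in the JSON blob. The following parser is an added example, not code from the page or from Microsoft; it decodes the tuples and produces one simple triage view, the count of denied inbound flows per source IP. The sample blob is constructed for this example: the subscription id, NSG name, MAC address and the RFC 5737 documentation IP addresses are all made up.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample in the NSG flow log (Version 2) JSON layout; subscription id, NSG name,
# MAC and addresses (RFC 5737 documentation ranges) are made up for this example.
SAMPLE = json.dumps({"records": [{
    "time": "2023-05-01T12:00:00.000Z", "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/EXAMPLE-NSG",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3A000001", "flowTuples": [
            "1682942400,203.0.113.7,10.0.0.4,51234,22,T,I,D,B,,,,",
            "1682942401,203.0.113.7,10.0.0.4,51235,3389,T,I,D,B,,,,",
            "1682942402,198.51.100.9,10.0.0.4,40000,445,T,I,D,B,,,,"]}]},
        {"rule": "UserRule_AllowHTTPS", "flows": [{"mac": "000D3A000001", "flowTuples": [
            "1682942403,192.0.2.10,10.0.0.4,44321,443,T,I,A,E,12,3456,10,9876"]}]}]}}]})

# Field order of one comma-separated flow tuple (v1 has the first 8, v2 all 13).
FIELDS = ("ts", "src_ip", "dst_ip", "src_port", "dst_port", "proto", "direction",
          "decision", "state", "pkts_out", "bytes_out", "pkts_in", "bytes_in")

def parse_tuple(rule, raw):
    """Decode one flow tuple string into a dict with readable values."""
    parts = raw.split(",")
    if len(parts) < 8:
        raise ValueError("unexpected flow tuple: %r" % raw)
    f = dict(zip(FIELDS, parts + [""] * (len(FIELDS) - len(parts))))
    f["rule"] = rule
    f["time"] = datetime.fromtimestamp(int(f["ts"]), tz=timezone.utc)
    f["proto"] = {"T": "TCP", "U": "UDP"}.get(f["proto"], f["proto"])
    f["direction"] = {"I": "inbound", "O": "outbound"}[f["direction"]]
    f["decision"] = {"A": "allowed", "D": "denied"}[f["decision"]]
    return f

def iter_flows(blob):
    """Walk records -> flows (per rule) -> flows (per NIC) -> flowTuples."""
    for record in json.loads(blob)["records"]:
        for rule_block in record["properties"]["flows"]:
            for nic in rule_block["flows"]:
                for raw in nic["flowTuples"]:
                    yield parse_tuple(rule_block["rule"], raw)

def denied_inbound_by_source(blob):
    """Count inbound flows the NSG denied, keyed by source IP: a first triage view."""
    return Counter(f["src_ip"] for f in iter_flows(blob)
                   if f["direction"] == "inbound" and f["decision"] == "denied")

if __name__ == "__main__":
    for src, n in denied_inbound_by_source(SAMPLE).most_common():
        print(f"{src}: {n} denied inbound flow(s)")
```

The same walk works on a blob downloaded from the flow log storage account; the rule name on each flow tells you which NSG rule produced the decision.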
References
- Network-watcher-nsg-flow-logging-overview
- NSG-flow-logs-policy-portal
VM Logs
Azure VM logs refer to the collection of various types of logs generated by virtual machines (VMs) running on the Microsoft Azure cloud platform.
These logs contain valuable information about the activities and events occurring within the VM, allowing administrators and developers to monitor and troubleshoot their VMs effectively.
Azure VM logs can include:
- System Logs capture system-level events such as VM startup and shutdown, changes to system configuration, and hardware-related issues. System logs provide insights into the overall health and performance of the VM.
- Security Logs record security-related events such as login attempts, privilege escalation, and access control changes. These logs are crucial for identifying potential security breaches, unauthorized access, and other security incidents.
- Application Logs are generated by the applications running within the VM. They contain information about application-specific events, errors, and warnings. Application logs help diagnose application-level issues and optimize performance.
- Diagnostic Logs provide detailed information about the VM's resource usage, performance metrics, and operational status. They can include CPU and memory usage, network traffic, disk I/O, and other performance-related data.
- Azure Monitor Logs are collected and aggregated from various sources, including Azure VMs. These logs can be analyzed using Azure Monitor and other monitoring tools to gain insights into VM performance, availability, and issues.
- Guest OS Logs contain information specific to the operating system running within the VM. These logs can include system events, application logs, security events, and other details related to the guest OS.
Azure VM logs are typically stored centrally in Azure Storage or Azure Log Analytics. They can be accessed and analyzed using Azure Monitor, Azure Log Analytics, or other monitoring and logging tools available in the Azure ecosystem. By reviewing these logs, administrators and developers can identify issues, track performance, and ensure the smooth operation of their Azure VMs.