› ›

Azure Frontdoor Logs Integration

Version	2.2.0 (View all)
Compatible Kibana version(s)	8.13.0 or higher 9.0.0 or higher
Supported Serverless project types What’s this?	Security Observability
Subscription level What’s this?	Basic
Level of support What’s this?	Community

The azure frontdoor logs integration retrieves different types of log data from AFD. Azure Front Door provides different logging to help you track, monitor, and debug your Front Door.

Access logs have detailed information about every request that AFD receives and help you analyze and monitor access patterns, and debug issues.
Activity logs provide visibility into the operations done on Azure resources.
Health Probe logs provides the logs for every failed probe to your origin.
Web Application Firewall (WAF) logs provide detailed information of requests that gets logged through either detection or prevention mode of an Azure Front Door endpoint. A custom domain that gets configured with WAF can also be viewed through these logs.

Data streams

edit

This integration collects two types of data streams:

access log
waf logs

Requirements

edit

Credentials

edit

eventhub : string Is the fully managed, real-time data ingestion service.

consumer_group : string The publish/subscribe mechanism of Event Hubs is enabled through consumer groups. A consumer group is a view (state, position, or offset) of an entire event hub. Consumer groups enable multiple consuming applications to each have a separate view of the event stream, and to read the stream independently at their own pace and with their own offsets. Default value: $Default

connection_string : string The connection string required to communicate with Event Hubs, steps here https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-get-connection-string.

A Blob Storage account is required in order to store/retrieve/update the offset or state of the eventhub messages. This means that after stopping the filebeat azure module it can start back up at the spot that it stopped processing messages.

storage_account : string The name of the storage account the state/offsets will be stored and updated.

storage_account_key : string The storage account key, this key will be used to authorize access to data in your storage account.

resource_manager_endpoint : string Optional, by default we are using the azure public environment, to override, users can provide a specific resource manager endpoint in order to use a different azure environment. Ex: https://management.chinacloudapi.cn/ for azure ChinaCloud https://management.microsoftazure.de/ for azure GermanCloud https://management.azure.com/ for azure PublicCloud https://management.usgovcloudapi.net/ for azure USGovernmentCloud Users can also use this in case of a Hybrid Cloud model, where one may define their own endpoints.

Acceess Logs

edit

Exported fields

Field	Description	Type
@timestamp	Event timestamp.	date
azure.frontdoor.access.backend_hostname	The host name in the request from client. If you enable custom domains and have wildcard domain (*.contoso.com), hostname is a.contoso.com. if you use Azure Front Door domain (contoso.azurefd.net), hostname is contoso.azurefd.net.	keyword
azure.frontdoor.access.cache_status	Provides the status code of how the request gets handled by the CDN service when it comes to caching.	keyword
azure.frontdoor.access.error_info	This field provides detailed info of the error token for each response.	keyword
azure.frontdoor.access.identity.authorization.action	Action	keyword
azure.frontdoor.access.identity.authorization.evidence.principal_id	Principal ID	keyword
azure.frontdoor.access.identity.authorization.evidence.principal_type	Principal type	keyword
azure.frontdoor.access.identity.authorization.evidence.role	Role	keyword
azure.frontdoor.access.identity.authorization.evidence.role_assignment_id	Role assignment ID	keyword
azure.frontdoor.access.identity.authorization.evidence.role_assignment_scope	Role assignment scope	keyword
azure.frontdoor.access.identity.authorization.evidence.role_definition_id	Role definition ID	keyword
azure.frontdoor.access.identity.authorization.scope	Scope	keyword
azure.frontdoor.access.identity.claims.*	Claims	object
azure.frontdoor.access.identity.claims_initiated_by_user.fullname	Fullname	keyword
azure.frontdoor.access.identity.claims_initiated_by_user.givenname	Givenname	keyword
azure.frontdoor.access.identity.claims_initiated_by_user.name	Name	keyword
azure.frontdoor.access.identity.claims_initiated_by_user.schema	Schema	keyword
azure.frontdoor.access.identity.claims_initiated_by_user.surname	Surname	keyword
azure.frontdoor.access.identity_name	identity name	keyword
azure.frontdoor.access.is_received_from_client	Boolean value.	boolean
azure.frontdoor.access.pop	The edge pop, which responded to the user request.	keyword
azure.frontdoor.access.routing_rule_name	The name of the route that the request matched.	keyword
azure.frontdoor.access.rules_engine_match_names	The names of the rules that were processed.	keyword
azure.frontdoor.access.time_taken	The length of time from the time AFD edge server receives a client’s request to the time that AFD sends the last byte of response to client, in milliseconds. This field doesn’t take into account network latency and TCP buffering.	double
azure.frontdoor.access.time_to_first_byte	The length of time in milliseconds from AFD receives the request to the time the first byte gets sent to client, as measured on Azure Front Door. This property doesn’t measure the client data.	double
azure.frontdoor.category	Azure frontdoor category name.	keyword
azure.frontdoor.operation_name	Azure operation name.	keyword
azure.frontdoor.resource_id	Azure Resource ID.	keyword
azure.frontdoor.tracking_reference	The unique reference string that identifies a request served by AFD, also sent as X-Azure-Ref header to the client. Required for searching details in the access logs for a specific request.	keyword
cloud.image.id	Image ID for the cloud instance.	keyword
data_stream.dataset	Data stream dataset.	constant_keyword
data_stream.namespace	Data stream namespace.	constant_keyword
data_stream.type	Data stream type.	constant_keyword
host.containerized	If the host is a container.	boolean
host.os.build	OS build information.	keyword
host.os.codename	OS codename, if any.	keyword
input.type	Input type.	keyword
log.offset	Log offset.	long

WAF Logs

edit

Exported fields

Field	Description	Type
@timestamp	Event timestamp.	date
azure.frontdoor.category	Azure frontdoor category name.	keyword
azure.frontdoor.operation_name	Azure operation name.	keyword
azure.frontdoor.resource_id	Azure Resource ID.	keyword
azure.frontdoor.tracking_reference	The unique reference string that identifies a request served by AFD, also sent as X-Azure-Ref header to the client. Required for searching details in the access logs for a specific request.	keyword
azure.frontdoor.waf.details.data	Detail data.	keyword
azure.frontdoor.waf.details.msg	Detail msg.	keyword
azure.frontdoor.waf.identity.authorization.action	Action	keyword
azure.frontdoor.waf.identity.authorization.evidence.principal_id	Principal ID	keyword
azure.frontdoor.waf.identity.authorization.evidence.principal_type	Principal type	keyword
azure.frontdoor.waf.identity.authorization.evidence.role	Role	keyword
azure.frontdoor.waf.identity.authorization.evidence.role_assignment_id	Role assignment ID	keyword
azure.frontdoor.waf.identity.authorization.evidence.role_assignment_scope	Role assignment scope	keyword
azure.frontdoor.waf.identity.authorization.evidence.role_definition_id	Role definition ID	keyword
azure.frontdoor.waf.identity.authorization.scope	Scope	keyword
azure.frontdoor.waf.identity.claims.*	Claims	object
azure.frontdoor.waf.identity.claims_initiated_by_user.fullname	Fullname	keyword
azure.frontdoor.waf.identity.claims_initiated_by_user.givenname	Givenname	keyword
azure.frontdoor.waf.identity.claims_initiated_by_user.name	Name	keyword
azure.frontdoor.waf.identity.claims_initiated_by_user.schema	Schema	keyword
azure.frontdoor.waf.identity.claims_initiated_by_user.surname	Surname	keyword
azure.frontdoor.waf.identity_name	identity name	keyword
azure.frontdoor.waf.policy	WAF policy name.	keyword
azure.frontdoor.waf.policy_mode	WAF policy mode.	keyword
cloud.image.id	Image ID for the cloud instance.	keyword
data_stream.dataset	Data stream dataset.	constant_keyword
data_stream.namespace	Data stream namespace.	constant_keyword
data_stream.type	Data stream type.	constant_keyword
host.containerized	If the host is a container.	boolean
host.os.build	OS build information.	keyword
host.os.codename	OS codename, if any.	keyword
input.type	Input type.	keyword
log.offset	Log offset.	long

Changelog

edit

Changelog

Version	Details	Kibana version(s)
2.2.0	Enhancement (View pull request) Update Kibana constraint to support 9.0.0.	8.13.0 or higher 9.0.0 or higher
2.1.3	Enhancement (View pull request) Add missing category.	8.13.0 or higher
2.1.2	Bug fix (View pull request) Add `storage_account_container` variables.	8.13.0 or higher
2.1.1	Bug fix (View pull request) Change connection_string to be a secret	8.13.0 or higher
2.1.0	Enhancement (View pull request) Add "preserve_original_event" tag to documents with `event.kind` set to "pipeline_error".	8.13.0 or higher
2.0.1	Bug fix (View pull request) Use triple-brace Mustache templating when referencing variables in ingest pipelines.	8.13.0 or higher
2.0.0	Breaking change (View pull request) Changed keyword field type to double in time_to_first_byte, time_taken fields and to date in time fields	8.13.0 or higher
1.10.0	Enhancement (View pull request) Allow @custom pipeline access to event.original without setting preserve_original_event.	8.13.0 or higher
1.9.0	Enhancement (View pull request) Add new field identity.	8.13.0 or higher
1.8.0	Enhancement (View pull request) Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.	8.13.0 or higher
1.7.0	Enhancement (View pull request) Set sensitive values as secret.	8.12.0 or higher
1.6.1	Enhancement (View pull request) Changed owners	8.6.0 or higher
1.6.0	Enhancement (View pull request) ECS version updated to 8.11.0.	8.6.0 or higher
1.5.1	Bug fix (View pull request) Fix Preserve Original Event for both Access and WAF data streams	8.6.0 or higher
1.5.0	Enhancement (View pull request) Set community owner type.	8.6.0 or higher
1.4.0	Enhancement (View pull request) Update the package format_version to 3.0.0.	8.6.0 or higher
1.3.2	Bug fix (View pull request) Removing unused ECS field declarations.	8.6.0 or higher
1.3.1	Bug fix (View pull request) Add null checks and ignore_missing checks to the rename processor	8.6.0 or higher
1.3.0	Enhancement (View pull request) ECS version updated to 8.10.0.	8.6.0 or higher
1.2.0	Enhancement (View pull request) Add tags.yml file so that integration’s dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.	8.6.0 or higher
1.1.0	Enhancement (View pull request) Update package to ECS 8.9.0.	8.6.0 or higher
1.0.0	Enhancement (View pull request) Release Azure Frontdoor as GA.	8.6.0 or higher
0.4.0	Enhancement (View pull request) Ensure event.kind is correctly set for pipeline errors.	—
0.3.0	Enhancement (View pull request) Update package to ECS 8.8.0.	—
0.2.0	Enhancement (View pull request) Update package to ECS 8.7.0.	—
0.1.0	Enhancement (View pull request) Update package to ECS 8.7.0.	—
0.0.2	Bug fix (View pull request) Modify default storage container name to avoid collisions	—
0.0.1	Enhancement (View pull request) Initial draft of the package	—

« Azure Firewall Logs Azure Functions »

On this page

Data streams
Requirements
Credentials
Acceess Logs
WAF Logs
Changelog

Was this helpful?

Feedback

The Search AI Company

ELK Stack

Elastic Cloud

Generative AI

Search

Security

Observability

By solution

Industries

Customer spotlight

Research

Build

Learn

Connect

Azure Frontdoor Logs Integration