Add files via upload
Brunoga-MS committed Dec 15, 2020
1 parent 38ccc07 commit 8fddbe6
Showing 1 changed file with 77 additions and 49 deletions.
@@ -1,24 +1,12 @@
{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "** Author **\r\n[Bruno Gabrielli](mailto:bruno.gabrielli@microsoft.com)\r\n\r\n** Version 1.0 **\r\n2020-10-22\r\n - Initial version. Inspired by https://github.com/iamrobdavies/MonitoringExamples/tree/master/ApplicationGateway/Dashboard and https://docs.microsoft.com/en-us/archive/blogs/robdavies/monitoring-application-gateway-with-azure-log-analytics"
},
"conditionalVisibility": {
"parameterName": "_",
"comparison": "isEqualTo",
"value": "_"
},
"name": "text - 20"
},
{
"type": 1,
"content": {
"json": "# Azure Application Gateway Insights#"
},
"name": "text - 0"
"name": "workbookTitle"
},
{
"type": 9,
Expand Down Expand Up @@ -68,7 +56,7 @@
"crossComponentResources": [
"{Subscriptions}"
],
"value": "/subscriptions/5733bcb3-7fde-4caf-8629-41dc15e3b352/resourceGroups/CH-OpsRG-Pri/providers/Microsoft.OperationalInsights/workspaces/CH-LA",
"value": null,
"typeSettings": {
"additionalResourceOptions": [],
"showDefault": false
Expand Down Expand Up @@ -134,7 +122,7 @@
"allowCustom": true
},
"value": {
"durationMs": 172800000
"durationMs": 5184000000
}
},
{
Expand All @@ -148,7 +136,7 @@
"crossComponentResources": [
"{Workspaces}"
],
"value": "CH-APPFEAPPGATE-SEC",
"value": null,
"typeSettings": {
"additionalResourceOptions": [],
"showDefault": false
Expand Down Expand Up @@ -184,14 +172,59 @@
"defaultValue": "value::1",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
{
"id": "d4354e02-6b2e-41be-b23d-16d8e6292b67",
"version": "KqlParameterItem/1.0",
"name": "Help",
"label": "Show Help",
"type": 10,
"isRequired": true,
"typeSettings": {
"additionalResourceOptions": [],
"showDefault": false
},
"jsonData": "[\r\n { \"value\": \"Yes\", \"label\": \"Yes\"},\r\n { \"value\": \"No\", \"label\": \"No\", \"selected\":true },\r\n { \"value\": \"ChangeLog\", \"label\": \"Change Log\"}\r\n]\r\n",
"timeContext": {
"durationMs": 5184000000
},
"timeContextFromParameter": "TimeRange"
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.resourcegraph/resources"
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "Parameters"
},
{
"type": 1,
"content": {
"json": ">** Author **\r\n>[Bruno Gabrielli](mailto:bruno.gabrielli@microsoft.com)\r\n>\r\n>** Version 1.1 **\r\n>2020-12-01\r\n>* Added the Show Help parameter. YOu can select if you wish to see help for initial configuration >(Get Started part) or if you wich to see the this Change Log.\r\n>* Added GetStarted section with documentation to follow to enable Diagnostic Settings for log collection.\r\n>\r\n>** Version 1.0 **\r\n>2020-10-22\r\n>* Initial version. Inspired by https://github.com/iamrobdavies/MonitoringExamples/tree/master/ApplicationGateway/Dashboard and https://docs.microsoft.com/en-us/archive/blogs/robdavies/monitoring-application-gateway-with-azure-log-analytics"
},
"conditionalVisibility": {
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "ChangeLog"
},
"customWidth": "50",
"name": "ChangeLog",
"styleSettings": {
"showBorder": true
}
},
{
"type": 1,
"content": {
"json": "# Get Started #\r\n\r\n-------------------------\r\n\r\nWelcome to the Azure Application Gateway Insights workbook. This workbook is designed to provide you with an understanding of:\r\n\r\n1. **Firewall Log Data** - You can use this log to view the requests that are logged through either detection or prevention mode of an application gateway that is configured with the web application firewall. Firewall logs are collected every 60 seconds.\r\n\r\n2. **Access Log Data** - You can use this log to view Application Gateway access patterns and analyze important information. This includes the caller's IP, requested URL, response latency, return code, and bytes in and out. An access log is collected every 60 seconds. This log contains one record per instance of Application Gateway. The Application Gateway instance is identified by the instanceId property.\r\n\r\n3. **Performance Log Data** - You can use this log to view how Application Gateway instances are performing. This log captures performance information for each instance, including total requests served, throughput in bytes, total requests served, failed request count, and healthy and unhealthy back-end instance count. A performance log is collected every 60 seconds. The Performance log is available only for the v1 SKU. For the v2 SKU, use Metrics for performance data.\r\n\r\nFor additional information about the Azure Application Gateway logging, see [Use Log Analytics to examine Application Gateway Web Application Firewall (WAF) Logs](https://docs.microsoft.com/en-us/azure/application-gateway/log-analytics)\r\n\r\n## Prerequistes ##\r\n\r\n* A [Log Analytics workspace.](https://docs.microsoft.com/en-us/azure/azure-monitor/platform/design-logs-deployment?WT.mc_id=Portal-fx)\r\n\r\nIn order to work, the workbook needs the activation of ***Back-end health and diagnostic logs for Application Gateway***. 
If you are unfamiliar with how to enable diagnostics for your Azure Application Gateway instances, see [Back-end health and diagnostic logs for Application Gateway](https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-diagnostics#diagnostic-logging).\r\n"
},
"conditionalVisibility": {
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "getStarted"
},
{
"type": 1,
"content": {
Expand Down Expand Up @@ -274,7 +307,8 @@
},
"defaultValue": "value::1",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
"resourceType": "microsoft.operationalinsights/workspaces",
"value": null
},
{
"id": "09cd6f07-a37e-4cbe-b4bc-1318e393529e",
Expand All @@ -298,7 +332,8 @@
},
"defaultValue": "value::1",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
"resourceType": "microsoft.operationalinsights/workspaces",
"value": null
},
{
"id": "bf61516d-c629-4942-add5-75547b89b6cc",
Expand All @@ -322,7 +357,8 @@
},
"defaultValue": "value::1",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
"resourceType": "microsoft.operationalinsights/workspaces",
"value": null
}
],
"style": "pills",
Expand Down Expand Up @@ -428,7 +464,8 @@
"timeContextFromParameter": "TimeRange",
"defaultValue": "value::all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
"resourceType": "microsoft.operationalinsights/workspaces",
"value": null
}
],
"style": "pills",
Expand All @@ -444,6 +481,9 @@
"query": "AzureDiagnostics\r\n| where ResourceProvider == \"MICROSOFT.NETWORK\"\r\n| where Resource == ('{p_waf}')\r\n| where Category == \"ApplicationGatewayFirewallLog\"\r\n| where Message in ({p_msg})\r\n| summarize count() by action_s",
"size": 1,
"title": "Count of requests by Action",
"timeContext": {
"durationMs": 5184000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
Expand All @@ -465,6 +505,9 @@
"query": "AzureDiagnostics\r\n| where ResourceProvider == \"MICROSOFT.NETWORK\"\r\n| where Resource == ('{p_waf}')\r\n| where Category == \"ApplicationGatewayFirewallLog\"\r\n| where Message in ({p_msg})\r\n| where action_s == \"Blocked\"\r\n| summarize count() by ruleId_s",
"size": 1,
"title": "Count of blocked requests by rule Id",
"timeContext": {
"durationMs": 5184000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
Expand All @@ -486,6 +529,9 @@
"query": "AzureDiagnostics\r\n| where ResourceProvider == \"MICROSOFT.NETWORK\"\r\n| where Resource == ('{p_waf}')\r\n| where Category == \"ApplicationGatewayFirewallLog\"\r\n| where Message in ({p_msg})\r\n| where action_s == \"Blocked\"\r\n| summarize count() by Message\r\n| top 50 by count_ desc",
"size": 0,
"title": "Count of blocked requests by rule name (Top 50 - Excluding \"Anomaly Score Exceeded\")",
"timeContext": {
"durationMs": 5184000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
Expand Down Expand Up @@ -517,6 +563,9 @@
"query": "AzureDiagnostics\r\n| where ResourceProvider == \"MICROSOFT.NETWORK\"\r\n| where Resource == ('{p_waf}')\r\n| where Category == \"ApplicationGatewayFirewallLog\"\r\n| where Message in ({p_msg})\r\n| where action_s == \"Blocked\"\r\n| extend patternMatch = replace(@\"Warning. Pattern match \",@\"\",details_message_s)\r\n| extend regExMatch = tostring(split(patternMatch,\" at \")[0])\r\n| extend requestType = tostring(split(split(patternMatch,\" at \")[1],\":\")[0])\r\n| extend object = tostring(split(split(patternMatch,\" at \")[1],\":\")[1])\r\n| summarize count() by requestType, object, details_file_s\r\n| sort by requestType asc, object asc",
"size": 0,
"title": "Blocked requests by request type and object",
"timeContext": {
"durationMs": 5184000000
},
"timeContextFromParameter": "TimeRange",
"exportedParameters": [
{
Expand Down Expand Up @@ -593,6 +642,9 @@
"query": "AzureDiagnostics\r\n| where ResourceProvider == \"MICROSOFT.NETWORK\"\r\n| where Resource == ('{p_waf}')\r\n| where Category == \"ApplicationGatewayFirewallLog\"\r\n| where Message in ({p_msg})\r\n| where action_s == \"Blocked\"\r\n| extend patternMatch = replace(@\"Warning. Pattern match \",@\"\",details_message_s)\r\n| extend regExMatch = tostring(split(patternMatch,\" at \")[0])\r\n| extend requestType = tostring(split(split(patternMatch,\" at \")[1],\":\")[0])\r\n| extend object = tostring(split(split(patternMatch,\" at \")[1],\":\")[1])\r\n| extend matchedData = tostring(split(details_data_s,\":\")[3])\r\n| where requestType == (\"{p_requestType}\")\r\n| where object == (\"{p_object}\")\r\n| extend matchedData = iif(isempty(matchedData),\"This field was not populated.\",matchedData)\r\n| extend details_data_s = iif(isempty(details_data_s),\"This field was not populated.\",details_data_s)\r\n| project TimeGenerated, regExMatch, requestType, object, matchedData, details_data_s, ruleId_s, details_file_s, clientIp_s, requestUri_s",
"size": 0,
"title": "Details for requests with Request Type == '{p_requestType}' and Request Object == '{p_object}'. Click on the 'Request Object' column for more details.",
"timeContext": {
"durationMs": 5184000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
Expand Down Expand Up @@ -749,9 +801,6 @@
"size": 0,
"aggregation": 5,
"title": "Requests/min by URI",
"timeContext": {
"durationMs": 172800000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "requestURI_s",
"exportParameterName": "p_requestURI_s",
Expand All @@ -772,9 +821,6 @@
"query": "AzureDiagnostics\r\n| where ResourceProvider == \"MICROSOFT.NETWORK\"\r\n| where Resource == ('{p_waf}')\r\n| where Category == \"ApplicationGatewayAccessLog\"\r\n| where requestUri_s in ({p_api})\r\n| where httpStatus_d >= 400\r\n| summarize count() by httpStatus_d, requestUri_s\r\n| project httpStatus_d, requestUri_s, count_",
"size": 0,
"title": "Failed Requests by URI",
"timeContext": {
"durationMs": 172800000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
Expand All @@ -794,10 +840,7 @@
"query": "AzureDiagnostics\r\n| where ResourceProvider == \"MICROSOFT.NETWORK\"\r\n| where Resource == ('{p_waf}')\r\n| where Category == \"ApplicationGatewayAccessLog\"\r\n| where requestUri_s in ({p_api})\r\n| where httpStatus_d >= 400\r\n| summarize count() by serverRouted_s, bin(TimeGenerated, 5m)",
"size": 0,
"aggregation": 5,
"title": "Failed requests by back-end pools.",
"timeContext": {
"durationMs": 0
},
"title": "Failed requests by protected application(s).",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
Expand All @@ -806,7 +849,7 @@
],
"visualization": "timechart"
},
"name": "FailedRequestsByBackEndPools"
"name": "FailedRequestsByProtectedApps"
},
{
"type": 1,
Expand All @@ -822,10 +865,7 @@
"query": "AzureDiagnostics\r\n| where ResourceProvider == \"MICROSOFT.NETWORK\"\r\n| where Resource == ('{p_waf}')\r\n| where Category == \"ApplicationGatewayAccessLog\"\r\n| where httpStatus_d == 502\r\n| summarize count() by serverRouted_s, bin(TimeGenerated, 5m)",
"size": 0,
"aggregation": 5,
"title": "HTTP 502 errors by back-end pools (every 5 mins).",
"timeContext": {
"durationMs": 0
},
"title": "HTTP 502 errors by protected Application(s) (every 5 mins).",
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
Expand All @@ -834,7 +874,7 @@
],
"visualization": "timechart"
},
"name": "Http502ByBackEndPools"
"name": "Http502ByProtectedApps"
}
]
},
Expand Down Expand Up @@ -865,9 +905,6 @@
"query": "let unHealthyHostCount = AzureDiagnostics\r\n| where ResourceProvider == \"MICROSOFT.NETWORK\"\r\n| where Resource == ('{p_waf}')\r\n| where Category == \"ApplicationGatewayPerformanceLog\"\r\n| summarize max(unHealthyHostCount_d) by Resource, bin(TimeGenerated, 1m);\r\nlet HealthyHostCount = AzureDiagnostics\r\n| where ResourceProvider == \"MICROSOFT.NETWORK\"\r\n| where Resource == ('{p_waf}')\r\n| where Category == \"ApplicationGatewayPerformanceLog\"\r\n| summarize max(healthyHostCount_d) by Resource, bin(TimeGenerated, 1m);\r\nunHealthyHostCount\r\n| union HealthyHostCount\r\n",
"size": 0,
"title": "Count of backend Virtual Machines by status.",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
Expand All @@ -885,9 +922,6 @@
"query": "let allReqs = AzureDiagnostics\r\n| where ResourceProvider == \"MICROSOFT.NETWORK\"\r\n| where Resource == ('{p_waf}')\r\n| where Category == \"ApplicationGatewayPerformanceLog\"\r\n| summarize avg(requestCount_d) by bin(TimeGenerated, 1m);\r\nlet failedReqs = AzureDiagnostics\r\n| where ResourceProvider == \"MICROSOFT.NETWORK\"\r\n| where Resource == ('{p_waf}')\r\n| where Category == \"ApplicationGatewayPerformanceLog\"\r\n| summarize avg(failedRequestCount_d) by bin(TimeGenerated, 1m);\r\nallReqs\r\n| union failedReqs\r\n",
"size": 0,
"title": "Avg Requests per min",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
Expand All @@ -905,9 +939,6 @@
"query": "AzureDiagnostics\r\n| where ResourceProvider == \"MICROSOFT.NETWORK\"\r\n| where Resource == ('{p_waf}')\r\n| where Category == \"ApplicationGatewayPerformanceLog\"\r\n| summarize avg(throughput_d) by Resource, bin(TimeGenerated, 1m)\r\n| extend ThroughputMb = (avg_throughput_d/1000)/1000\r\n| project Resource, TimeGenerated, ThroughputMb",
"size": 0,
"title": "Avg throughput per second (Mb)",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
Expand All @@ -925,9 +956,6 @@
"query": "AzureDiagnostics\r\n| where ResourceProvider == \"MICROSOFT.NETWORK\"\r\n| where Resource == ('{p_waf}')\r\n| where Category == \"ApplicationGatewayPerformanceLog\"\r\n| summarize avg(latency_d) by bin(TimeGenerated, 1m)",
"size": 0,
"title": "Avg Latency (ms)",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
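Review bot: The new side is inconsistent about `timeContext`: the firewall-log steps ("Count of requests by Action", the blocked-request charts and the details grid) gain a hard-coded `"timeContext": { "durationMs": 5184000000 }`, while the access-log and performance steps have the same key removed, although every one of them already sets `"timeContextFromParameter": "TimeRange"`. If the parameter is what drives the query window, the static blocks are redundant and should be dropped so all steps read alike; the new `Help` dropdown is a static `jsonData` list and presumably needs neither `timeContext` nor `timeContextFromParameter`. The time-range default in the `@@ -134,7 +122,7 @@` hunk also moves from 172800000 ms (2 days) to 5184000000 ms (60 days); on a workspace that retains less than 60 days of data the WAF charts would cover less than the range the picker shows, so keeping the shorter default or stating the retention requirement in the Get Started text would be safer for triage. The two `"value": null` replacements appear to strip an environment-specific workspace resource ID and gateway name from the template, but those values remain readable in the parent revision and should be treated as already published. The hunks are excerpts, so the surrounding parameter and query items are only partly visible.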
