Azure WAF Log Enablement And Extraction Guide

Enable Logging

1. Open the Azure Application Gateway or other Azure WAF resource that fronts the application.
2. Create or update a Diagnostic setting so firewall logs are published to a destination such as Log Analytics, Event Hub, or a Storage account.
3. Enable the firewall log category that corresponds to your deployment. Microsoft documents `ApplicationGatewayFirewallLog` / `AGWFirewallLogs` for Application Gateway WAF scenarios.

Extract or Export the Logs

4. If you send logs to a Storage account, export the resulting files directly into the aiFObserve workspace.
5. If you send logs to Log Analytics, query the relevant table and export the results to JSON or CSV before conversion.
6. If you send logs to Event Hub, land them in a downstream collector or storage target first, then copy the collected files into the workspace.

Important Fields to Preserve

• client IP
• request URI
• rule/message
• action
• timestamp
• host
• user agent
• resource identifiers