Microsoft.Web/sites
11 diagnostic categories routing into 11 Log Analytics tables.
Source: Microsoft Learn
Diagnostic categories
-
AppServiceAntivirusScanAuditLogs
Report Antivirus Audit Logs
Ingestion-time transform
Routes to
- AppServiceAntivirusScanAuditLogs
KQL starter
    // Starter query for category AppServiceAntivirusScanAuditLogs
    AppServiceAntivirusScanAuditLogs
    | where TimeGenerated > ago(1h)
    | project TimeGenerated, _ResourceId, Category
    | take 100
-
AppServiceAppLogs
App Service Application Logs
Ingestion-time transform
Routes to
- AppServiceAppLogs
KQL starter
    // Starter query for category AppServiceAppLogs
    AppServiceAppLogs
    | where TimeGenerated > ago(1h)
    | project TimeGenerated, OperationName, ResultDescription, _ResourceId, Category
    | take 100
-
AppServiceAuditLogs
Access Audit Logs
Ingestion-time transform
Routes to
- AppServiceAuditLogs
KQL starter
    // Starter query for category AppServiceAuditLogs
    AppServiceAuditLogs
    | where TimeGenerated > ago(1h)
    | project TimeGenerated, OperationName, _ResourceId, Category
    | take 100
-
AppServiceAuthenticationLogs
App Service Authentication logs (preview)
Ingestion-time transform, Cost to export
Routes to
- AppServiceAuthenticationLogs
KQL starter
    // Starter query for category AppServiceAuthenticationLogs
    AppServiceAuthenticationLogs
    | where TimeGenerated > ago(1h)
    | project TimeGenerated, OperationName, _ResourceId, Level, StatusCode
    | take 100
-
AppServiceConsoleLogs
App Service Console Logs
Ingestion-time transform
Routes to
- AppServiceConsoleLogs
KQL starter
    // Starter query for category AppServiceConsoleLogs
    AppServiceConsoleLogs
    | where TimeGenerated > ago(1h)
    | project TimeGenerated, OperationName, ResultDescription, _ResourceId, Category
    | take 100
-
AppServiceFileAuditLogs
Site Content Change Audit Logs
Ingestion-time transform
Routes to
- AppServiceFileAuditLogs
KQL starter
    // Starter query for category AppServiceFileAuditLogs
    AppServiceFileAuditLogs
    | where TimeGenerated > ago(1h)
    | project TimeGenerated, OperationName, _ResourceId, Category
    | take 100
-
AppServiceHTTPLogs
HTTP logs
Ingestion-time transform, PII
Routes to
- AppServiceHTTPLogs
KQL starter
    // Starter query for category AppServiceHTTPLogs
    AppServiceHTTPLogs
    | where TimeGenerated > ago(1h)
    | project TimeGenerated, _ResourceId, _BilledSize, CIp, ComputerName
    | take 100
-
AppServiceIPSecAuditLogs
IPSecurity Audit logs
Ingestion-time transform
Routes to
- AppServiceIPSecAuditLogs
KQL starter
    // Starter query for category AppServiceIPSecAuditLogs
    AppServiceIPSecAuditLogs
    | where TimeGenerated > ago(1h)
    | project TimeGenerated, _ResourceId, _BilledSize, CIp, CsHost
    | take 100
-
AppServicePlatformLogs
App Service Platform logs
Ingestion-time transform
Routes to
- AppServicePlatformLogs
KQL starter
    // Starter query for category AppServicePlatformLogs
    AppServicePlatformLogs
    | where TimeGenerated > ago(1h)
    | project TimeGenerated, OperationName, _ResourceId, Level, Message
    | take 100
-
FunctionAppLogs
Function Application Logs
Ingestion-time transform
Routes to
- FunctionAppLogs
KQL starter
    // Starter query for category FunctionAppLogs
    FunctionAppLogs
    | where TimeGenerated > ago(1h)
    | project TimeGenerated, _ResourceId, Category, Level, Message
    | take 100
-
WorkflowRuntime
Workflow Runtime Logs
Ingestion-time transform, Cost to export
Routes to
- LogicAppWorkflowRuntime
KQL starter
    // Starter query for category WorkflowRuntime
    LogicAppWorkflowRuntime
    | where TimeGenerated > ago(1h)
    | project TimeGenerated, OperationName, _ResourceId
    | take 100
Destination tables
-
AppServiceAntivirusScanAuditLogs
Reports any discovered viruses or infected files that have been uploaded to the site.
15 columns
| Column | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| Category | string | Log category name |
| ErrorMessage | string | Error Message |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| ListOfInfectedFiles | string | List of each virus file path |
| NumberOfInfectedFiles | int | Total number of files infected with virus |
| _ResourceId | string | A unique identifier for the resource that the record is associated with |
| ScanStatus | string | Status of the scan |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| _SubscriptionId | string | A unique identifier for the subscription that the record is associated with |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | Time when event is generated |
| TimeStamp | datetime | Time when event is generated |
| TotalFilesScanned | int | Total number of scanned files |
| Type | string | The name of the table |
-
AppServiceAppLogs
Logs generated through your application.
23 columns
| Column | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| Category | string | Log category name |
| ContainerId | string | Application container id |
| CustomLevel | string | Verbosity level of log |
| ExceptionClass | string | Application class from where log message is emitted |
| Host | string | Host where the application is running |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| Level | string | Verbosity level of log mapped to standard levels (Informational, Warning, Error, or Critical) |
| Logger | string | Application logger used to emit log message |
| Message | string | Log message |
| Method | string | Application Method from where log message is emitted |
| OperationName | string | The name of the operation represented by this event. |
| _ResourceId | string | A unique identifier for the resource that the record is associated with |
| ResultDescription | string | Log message description |
| Source | string | Application source from where log message is emitted |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| Stacktrace | string | Complete stack trace of the log message in case of exception |
| StackTrace | string | Complete stack trace of the log message in case of exception |
| _SubscriptionId | string | A unique identifier for the subscription that the record is associated with |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | Time when event is generated |
| Type | string | The name of the table |
| WebSiteInstanceId | string | Instance Id the application is running on |
-
AppServiceAuditLogs
Logs generated when publishing users successfully log on via one of the App Service publishing protocols.
14 columns
| Column | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| Category | string | Log category name |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| OperationName | string | Name of the operation |
| Protocol | string | Authentication protocol |
| _ResourceId | string | A unique identifier for the resource that the record is associated with |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| _SubscriptionId | string | A unique identifier for the subscription that the record is associated with |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | Time when event is generated |
| Type | string | The name of the table |
| User | string | Username used for publishing access |
| UserAddress | string | Client IP address of the publishing user |
| UserDisplayName (PII) | string | Email address of a user in case publishing was authorized via AAD authentication |
-
AppServiceAuthenticationLogs
Logs generated through App Service Authentication for your application.
19 columns
| Column | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| CorrelationId | string | The ID for correlated events. |
| Details | string | The event details. |
| HostName | string | The host name of the application. |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| Level | string | The level of log verbosity. |
| Message | string | The log message. |
| ModuleRuntimeVersion | string | The version of App Service Authentication running. |
| OperationName | string | The name of the operation represented by this event. |
| _ResourceId | string | A unique identifier for the resource that the record is associated with |
| SiteName | string | The runtime name of the application. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| StatusCode | int | The HTTP status code of the operation. |
| _SubscriptionId | string | A unique identifier for the subscription that the record is associated with |
| SubStatusCode | int | The HTTP sub-status code of the request. |
| TaskName | string | The name of the task being performed. |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | The timestamp (UTC) of when this event was generated. |
| Type | string | The name of the table |
-
AppServiceConsoleLogs
Console logs generated from application or container.
14 columns
| Column | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| Category | string | Log category name |
| ContainerId | string | Application container id |
| Host | string | Host where the application is running |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| Level | string | Verbosity level of log |
| OperationName | string | The name of the operation represented by this event. |
| _ResourceId | string | A unique identifier for the resource that the record is associated with |
| ResultDescription | string | Log message description |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| _SubscriptionId | string | A unique identifier for the subscription that the record is associated with |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | Time when event is generated |
| Type | string | The name of the table |
-
AppServiceFileAuditLogs
Logs generated when app service content is modified.
12 columns
| Column | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| Category | string | Log category name |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| OperationName | string | Operation performed on a file |
| Path | string | Path to the file that was changed |
| Process | string | Type of the process that changed the file |
| _ResourceId | string | A unique identifier for the resource that the record is associated with |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| _SubscriptionId | string | A unique identifier for the subscription that the record is associated with |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | Time when event is generated |
| Type | string | The name of the table |
-
AppServiceHTTPLogs
PII
Incoming HTTP requests on App Service. Use these logs to monitor application health, performance and usage patterns.
26 columns
| Column | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| CIp (PII) | string | IP address of the client |
| ComputerName | string | The name of the server on which the log file entry was generated. |
| Cookie | string | Cookie on HTTP request |
| CsBytes | int | Number of bytes received by server |
| CsHost | string | Host name header on HTTP request |
| CsMethod | string | The request HTTP verb |
| CsUriQuery | string | URI query on HTTP request |
| CsUriStem | string | The target of the request |
| CsUsername | string | The name of the authenticated user on HTTP request |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| Referer | string | The site that the user last visited. This site provided a link to the current site |
| _ResourceId | string | A unique identifier for the resource that the record is associated with |
| Result | string | Success / Failure of HTTP request |
| ScBytes | int | Number of bytes sent by server |
| ScStatus | int | HTTP status code |
| ScSubStatus | string | Substatus error code on HTTP request |
| ScWin32Status | string | Windows status code on HTTP request |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| SPort | string | Server port number |
| _SubscriptionId | string | A unique identifier for the subscription that the record is associated with |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | Time when event is generated |
| TimeTaken | int | Time taken by HTTP request in milliseconds |
| Type | string | The name of the table |
| UserAgent (PII) | string | User agent on HTTP request |
-
AppServiceIPSecAuditLogs
Logs generated through your application and pushed to Azure Monitoring.
17 columns
| Column | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| CIp (PII) | string | IP address of the client |
| CsHost | string | Host header of the HTTP request |
| Details | string | Additional information |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| _ResourceId | string | A unique identifier for the resource that the record is associated with |
| Result | string | The result whether the access is Allowed or Denied |
| ServiceEndpoint | string | This indicates whether the access is via Virtual Network Service Endpoint communication |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| _SubscriptionId | string | A unique identifier for the subscription that the record is associated with |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | Time of the Http Request |
| Type | string | The name of the table |
| XAzureFDID | string | X-Azure-FDID header (Azure Frontdoor Id) of the HTTP request |
| XFDHealthProbe | string | X-FD-HealthProbe (Azure Frontdoor Health Probe) of the HTTP request |
| XForwardedFor | string | X-Forwarded-For header of the HTTP request |
| XForwardedHost | string | X-Forwarded-Host header of the HTTP request |
-
AppServicePlatformLogs
Logs generated through AppService platform for your application.
17 columns
| Column | Type | Description |
|---|---|---|
| ActivityId | string | Activity Id to correlate events |
| _BilledSize | real | The record size in bytes |
| ContainerId | string | Application container id |
| DeploymentId | string | Deployment ID of the application deployment |
| Exception | string | Details of the exception |
| Host | string | Host where the application is running |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| Level | string | Level of log verbosity |
| Message | string | Log message |
| OperationName | string | The name of the operation represented by this event. |
| _ResourceId | string | A unique identifier for the resource that the record is associated with |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| StackTrace | string | Stack trace for the exception |
| _SubscriptionId | string | A unique identifier for the subscription that the record is associated with |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | Time when event is generated |
| Type | string | The name of the table |
-
FunctionAppLogs
Log generated by Function Apps. It includes logs emitted by the Functions host and logs emitted by customer code. Use these logs to monitor application health, performance, and behavior.
26 columns
| Column | Type | Description |
|---|---|---|
| ActivityId | string | The activity ID that logged the message. |
| AppName | string | The Function application name. |
| _BilledSize | real | The record size in bytes |
| Category | string | The log category name. |
| EventId | int | The event ID. |
| EventName | string | The event name. |
| ExceptionDetails | string | The exception details. This includes the exception type, message, and stack trace. |
| ExceptionMessage | string | The exception message. |
| ExceptionType | string | The exception type (e.g., System.InvalidOperationException). |
| FunctionInvocationId | string | The invocation ID that logged the message. |
| FunctionName | string | The name of the function that logged the message. |
| HostInstanceId | string | The host instance ID. |
| HostVersion | string | The Functions host version. |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| Level | string | The log level. Valid values are Trace, Debug, Information, Warning, Error, or Critical. |
| LevelId | int | The integer value of the log level. Valid values are 0 (Trace), 1 (Debug), 2 (Information), 3 (Warning), 4 (Error), or 5 (Critical). |
| Location | string | The location of the server that processed the request (e.g., South Central US). |
| Message | string | The log message. |
| ProcessId | int | The process ID. |
| _ResourceId | string | A unique identifier for the resource that the record is associated with |
| RoleInstance | string | The role instance ID. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| _SubscriptionId | string | A unique identifier for the subscription that the record is associated with |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | The timestamp (UTC) of the log. |
| Type | string | The name of the table |
-
LogicAppWorkflowRuntime
Logs generated during Logic Apps workflow runtime.
27 columns
| Column | Type | Description |
|---|---|---|
| ActionName | string | The name of the workflow action. |
| ActionTrackingId | string | The unique ID of the workflow action. |
| _BilledSize | real | The record size in bytes |
| ClientKeywords | string | The client keywords sent through the header. |
| ClientTrackingId | string | The unique ID of the client. |
| Code | string | The HTTP status code of the request. |
| EndTime | datetime | The end time (UTC) of the operation. |
| Error | string | The error message of this operation. |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| Location | string | The geographical run location of the workflow. |
| OperationName | string | The name of this operation. |
| OriginRunId | string | The unique ID of the original workflow run, only relevant for resubmission scenarios. |
| _ResourceId | string | A unique identifier for the resource that the record is associated with |
| RetryHistory | string | The retry history of the workflow action. |
| RunId | string | The unique ID of the workflow run. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| StartTime | datetime | The start time (UTC) of the operation. |
| Status | string | The status of the operation, e.g. Succeeded, Failed, Skipped, Ignored. |
| _SubscriptionId | string | A unique identifier for the subscription that the record is associated with |
| Tags | string | The custom tags associated with the workflow. |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | The timestamp (UTC) of when the log was generated. |
| TrackedProperties | string | The custom tracked properties. |
| TriggerName | string | The name of the workflow trigger. |
| Type | string | The name of the table |
| WorkflowId | string | The unique ID of the workflow. |
| WorkflowName | string | The name of the workflow. |