Enable diagnostics logging for apps in Azure App Service

This video shows you how to enable diagnostics logging for apps.

The steps in the video are also described in the following sections.

Overview

Azure provides built-in diagnostics to assist with debugging an App Service app. In this article, you learn how to enable diagnostic logging and add instrumentation to your application, as well as how to access the information logged by Azure.

This article uses the Azure portal and Azure CLI to work with diagnostic logs. For information on working with diagnostic logs using Visual Studio, see Troubleshooting Azure in Visual Studio.

Note

In addition to the logging instructions in this article, there's new, integrated logging capability with Azure Monitoring. You'll find more on this capability in the Send logs to Azure Monitor section.

Type Platform Location Description
Application logging Windows, Linux App Service file system and/or Azure Storage blobs Logs messages generated by your application code. The messages can be generated by the web framework you choose, or from your application code directly using the standard logging pattern of your language. Each message is assigned one of the following categories: Critical, Error, Warning, Info, Debug, and Trace. You can select how verbose you want the logging to be by setting the severity level when you enable application logging.
Web server logging Windows App Service file system or Azure Storage blobs Raw HTTP request data in the W3C extended log file format. Each log message includes data such as the HTTP method, resource URI, client IP, client port, user agent, response code, and so on.
Detailed Error Messages Windows App Service file system Copies of the .htm error pages that would have been sent to the client browser. For security reasons, detailed error pages shouldn't be sent to clients in production, but App Service can save the error page each time an application error occurs that has HTTP code 400 or greater. The page may contain information that can help determine why the server returns the error code.
Failed request tracing Windows App Service file system Detailed tracing information on failed requests, including a trace of the IIS components used to process the request and the time taken in each component. It's useful if you want to improve site performance or isolate a specific HTTP error. One folder is generated for each failed request, which contains the XML log file, and the XSL stylesheet to view the log file with.
Deployment logging Windows, Linux App Service file system Logs for when you publish content to an app. Deployment logging happens automatically and there are no configurable settings for deployment logging. It helps you determine why a deployment failed. For example, if you use a custom deployment script, you might use deployment logging to determine why the script is failing.

When stored in the App Service file system, logs are subject to the available storage for your pricing tier (see App Service limits).

Note

App Service provides a dedicated, interactive diagnostics tool to help you troubleshoot your application. For more information, see Azure App Service diagnostics overview.

In addition, you can use other Azure services to improve the logging and monitoring capabilities of your app, such as Azure Monitor.

Enable application logging (Windows)

To enable application logging for Windows apps in the Azure portal, navigate to your app and select App Service logs.

Select On for either Application Logging (Filesystem) or Application Logging (Blob), or both.

The Filesystem option is for temporary debugging purposes, and turns itself off in 12 hours. The Blob option is for long-term logging, and needs a blob storage container to write logs to. The Blob option also includes additional information in the log messages, such as the ID of the origin VM instance of the log message (InstanceId), thread ID (Tid), and a more granular timestamp (EventTickCount).

Note

Currently only .NET application logs can be written to the blob storage. Java, PHP, Node.js, Python application logs can only be stored on the App Service file system (without code modifications to write logs to external storage).

Also, if you regenerate your storage account's access keys, you must reset the respective logging configuration to use the updated access keys. To do this:

  1. In the Configure tab, set the respective logging feature to Off. Save your setting.
  2. Enable logging to the storage account blob again. Save your setting.

Select the Level, or the level of details to log. The following table shows the log categories included in each level:

Level Included categories
Disabled None
Error Error, Critical
Warning Warning, Error, Critical
Information Info, Warning, Error, Critical
Verbose Trace, Debug, Info, Warning, Error, Critical (all categories)

When finished, select Save.

Note

If you write logs to blobs, the retention policy no longer applies if you delete the app but keep the logs in the blobs. For more information, see Costs that might accrue after resource deletion.

Enable application logging (Linux/Container)

To enable application logging for Linux apps or custom containers in the Azure portal, navigate to your app and select App Service logs.

In Application logging, select File System.

In Quota (MB), specify the disk quota for the application logs. In Retention Period (Days), set the number of days the logs should be retained.

When finished, select Save.

Enable web server logging

To enable web server logging for Windows apps in the Azure portal, navigate to your app and select App Service logs.

For Web server logging, select Storage to store logs on blob storage, or File System to store logs on the App Service file system.

In Retention Period (Days), set the number of days the logs should be retained.

Note

If you regenerate your storage account's access keys, you must reset the respective logging configuration to use the updated keys. To do this:

  1. In the Configure tab, set the respective logging feature to Off. Save your setting.
  2. Enable logging to the storage account blob again. Save your setting.

When finished, select Save.

Note

If you write logs to blobs, the retention policy no longer applies if you delete the app but keep the logs in the blobs. For more information, see Costs that might accrue after resource deletion.

Log detailed errors

To save the error page or failed request tracing for Windows apps in the Azure portal, navigate to your app and select App Service logs.

Under Detailed Error Logging or Failed Request Tracing, select On, then select Save.

Both types of logs are stored in the App Service file system. Up to 50 errors (files/folders) are retained. When the number of HTML files exceeds 50, the oldest error files are automatically deleted.

The Failed Request Tracing feature by default captures a log of requests that failed with HTTP status codes between 400 and 600. To specify custom rules, you can override the <traceFailedRequests> section in the web.config file.

Add log messages in code

In your application code, you use the usual logging facilities to send log messages to the application logs. For example:

Stream logs

Before you stream logs in real time, enable the log type that you want. Any information written to the console output or files ending in .txt, .log, or .htm that are stored in the /home/LogFiles directory (D:\home\LogFiles) is streamed by App Service.

Note

Some types of logging buffer write to the log file, which can result in out of order events in the stream. For example, an application log entry that occurs when a user visits a page may be displayed in the stream before the corresponding HTTP log entry for the page request.

In Azure portal

To stream logs in the Azure portal, navigate to your app and select Log stream.

In Cloud Shell

To stream logs live in Cloud Shell, use the following command:

Important

This command may not work with web apps hosted in a Linux app service plan.

az webapp log tail --name appname --resource-group myResourceGroup

To filter specific log types, such as HTTP, use the --Provider parameter. For example:

az webapp log tail --name appname --resource-group myResourceGroup --provider http

In local terminal

To stream logs in the local console, install Azure CLI and sign in to your account. Once signed in, followed the instructions for Cloud Shell

Access log files

If you configure the Azure Storage blobs option for a log type, you need a client tool that works with Azure Storage. For more information, see Azure Storage Client Tools.

For logs stored in the App Service file system, the easiest way is to download the ZIP file in the browser at:

  • Linux/custom containers: https://<app-name>.scm.azurewebsites.net/api/logs/docker/zip
  • Windows apps: https://<app-name>.scm.azurewebsites.net/api/dump

For Linux/custom containers, the ZIP file contains console output logs for both the docker host and the docker container. For a scaled-out app, the ZIP file contains one set of logs for each instance. In the App Service file system, these log files are the contents of the /home/LogFiles directory.

For Windows apps, the ZIP file contains the contents of the D:\Home\LogFiles directory in the App Service file system. It has the following structure:

Log type Directory Description
Application logs /LogFiles/Application/ Contains one or more text files. The format of the log messages depends on the logging provider you use.
Failed Request Traces /LogFiles/W3SVC#########/ Contains XML files, and an XSL file. You can view the formatted XML files in the browser.
Detailed Error Logs /LogFiles/DetailedErrors/ Contains HTM error files. You can view the HTM files in the browser.
Another way to view the failed request traces is to navigate to your app page in the portal. From the left menu, select Diagnose and solve problems, then search for Failed Request Tracing Logs, then click the icon to browse and view the trace you want.
Web Server Logs /LogFiles/http/RawLogs/ Contains text files formatted using the W3C extended log file format. This information can be read using a text editor or a utility like Log Parser.
App Service doesn't support the s-computername, s-ip, or cs-version fields.
Deployment logs /LogFiles/Git/ and /deployments/ Contain logs generated by the internal deployment processes, as well as logs for Git deployments.

Send logs to Azure Monitor

With the new Azure Monitor integration, you can create Diagnostic Settings to send logs to Storage Accounts, Event Hubs and Log Analytics.

Diagnostic Settings

Supported log types

The following table shows the supported log types and descriptions:

Log Name Log type Windows Windows Container Linux Linux Container Description
App Service Console Logs AppServiceConsoleLogs Java SE & Tomcat Yes Yes Yes Standard output and standard error 3
HTTP logs AppServiceHTTPLogs Yes Yes Yes Yes Web server logs
App Service Environment Platform Logs AppServiceEnvironmentPlatformLogs Yes N/A Yes Yes App Service Environment: scaling, configuration changes, and status logs
Access Audit Logs AppServiceAuditLogs Yes Yes Yes Yes Login activity via FTP and Kudu
Site Content Change Audit Logs AppServiceFileAuditLogs Yes Yes TBA TBA File changes made to the site content; only available for Premium tier and above
App Service Application Logs AppServiceAppLogs ASP.NET, .NET Core, & Tomcat 1 ASP.NET & Tomcat 1 .NET Core, Java, SE & Tomcat Blessed Images 2 Java SE & Tomcat Blessed Images 2 Application logs 3
IPSecurity Audit logs AppServiceIPSecAuditLogs Yes Yes Yes Yes Requests from IP Rules
App Service Platform logs AppServicePlatformLogs TBA Yes Yes Yes Container operation logs
Report Antivirus Audit Logs AppServiceAntivirusScanAuditLogs 3 Yes Yes Yes Yes Anti-virus scan logs using Microsoft Defender for Cloud; only available for Premium tier

1 For Tomcat apps, add TOMCAT_USE_STARTUP_BAT to the app settings and set it to false or 0. Need to be on the latest Tomcat version and use java.util.logging.

2 For Java SE apps, add WEBSITE_AZMON_PREVIEW_ENABLED to the app settings and set it to true or to 1.

3 Current logging limit is set to 100 logs per minute.

4 AppServiceAntivirusScanAuditLogs log type is still currently in Preview

Networking considerations

For Diagnostic Settings restrictions, refer to the official Diagnostic Settings documentation regarding destination limits.

Next steps