
Query AzureDiagnostics for failed requests


I have an Azure "Firewall" resource, with (under "Rules (classic)") a Network rule collection to allow webhook calls only from specific IP addresses. This is how the rule is configured:

This rule is working well. However, I have to deal with a third party that seems to mess around with their source IP addresses at the moment, and they are slow to respond. Their dashboard merely says their system receives a 502 status code, nothing else.

So I turned on logging to an Analytics Workspace, hoping to be able to query the logs for failed access attempts, and find the IP address they're using that way. None of the 5 built-in queries (nor any AzureDiagnostics | where msg_s contains "..." query) returns failed requests.

There's also an Application Gateway to direct all this traffic in play. It has diagnostics as well. I can use this query:

AzureDiagnostics
| where requestUri_s startswith "/webhook/MyRedactedPathHere"
| where TimeGenerated > ago(30d)
| order by TimeGenerated desc

Then I can see all the successful calls from the third party made in the past, but no responses with serverStatus_s set to 502.

I know there are special 502 docs for Application Gateway and I should further investigate... but I'd expect these calls to show up in the logs regardless?

How do I query these failed requests in either my Application Gateway or in my Firewall logs?


Solution

  • I can't recall where, but I found a few posts online hinting that the Resource Specific logs won't work unless they're specifically enabled for your subscription. I switched to the generic one, waited a while, and it started showing up. (After I also fixed a few unrelated errors.)
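
An added example, not part of the original answer: once diagnostics land in the generic AzureDiagnostics table, queries along these lines confirm which log categories are arriving, list denied firewall connections by source IP, and list non-successful Application Gateway requests by client IP. It assumes the category names and `msg_s` layout Azure documents for the legacy firewall and gateway logs; the webhook path is the redacted one from the question, and the sample message in the comment is constructed.

```kusto
// Run each query separately in the Log Analytics query editor.

// 1. Check that firewall and gateway logs are arriving in AzureDiagnostics at all.
AzureDiagnostics
| where TimeGenerated > ago(1d)
| summarize Records = count(), LastSeen = max(TimeGenerated) by ResourceType, Category

// 2. Connections the firewall's network rules denied, grouped by source IP.
//    msg_s looks like (constructed sample):
//    "TCP request from 203.0.113.7:50123 to 10.0.0.4:443. Action: Deny"
AzureDiagnostics
| where TimeGenerated > ago(30d)
| where Category == "AzureFirewallNetworkRule"
| parse msg_s with Protocol " request from " SourceIP ":" SourcePort:int
                   " to " TargetIP ":" TargetPort:int ". Action: " Action
| where Action startswith "Deny"
| summarize Attempts = count(), LastSeen = max(TimeGenerated)
          by SourceIP, TargetIP, TargetPort
| order by LastSeen desc

// 3. Application Gateway access log: webhook requests that ended in 4xx/5xx,
//    grouped by the client IP the gateway saw.
AzureDiagnostics
| where TimeGenerated > ago(30d)
| where ResourceType == "APPLICATIONGATEWAYS"
    and Category == "ApplicationGatewayAccessLog"
| where requestUri_s startswith "/webhook/MyRedactedPathHere"
| where httpStatus_d >= 400
| summarize Requests = count(), LastSeen = max(TimeGenerated)
          by clientIP_s, httpStatus_d, serverStatus_s
| order by LastSeen desc
```

If query 1 returns no rows for a resource, the diagnostic setting or its destination table is the thing to check before refining the other two.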