Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One
Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Enable HTTP Logs

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

To collect detailed information on HTTP requests, ensure that HTTP logs are enabled and included in the Diagnostic Logs for your Azure App Service web applications. App Service HTTP logs are detailed records of all incoming HTTP requests to your web application, including data such as IP addresses, request paths, and response status codes.

Security

By default, HTTP logging is disabled for Azure App Service web applications. Without HTTP logs, visibility into application traffic is significantly limited, reducing your organization's ability to detect potential attacks, unauthorized requests, or other malicious activity. Enabling HTTP logging improves monitoring of application health, supports the diagnosis of performance bottlenecks, and aids in troubleshooting by capturing essential request-response details. Once collected, HTTP logs should be forwarded to a storage account and a Log Analytics Workspace, or an equivalent third-party solution. Log files should remain in readily accessible storage for at least one year, after which they should be transitioned to low-cost cold storage for long-term retention to support security and compliance audits.

Audit

To determine if HTTP logging is enabled for your Azure App Service web applications, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and App Service for Value, then choose Apply to list the App Service web applications available in the selected subscription.

05 Click on the name (link) of the web application that you want to examine.

06 In the resource navigation panel, under Monitoring, select Diagnostic settings.

07 On the Diagnostic settings page, check for any diagnostic settings created for your web applications. If there are no diagnostic settings available, the Diagnostic Logs monitoring feature is not enabled for the selected App Service web application. If one or more diagnostic settings were created for your resource, choose the diagnostic setting that you want to examine, and select Edit setting. Check the Categories list under Logs to determine the logging configuration available for your web application. If the HTTP logs category is not selected, HTTP logs are not enabled for the selected diagnostic setting. Repeat this step for each diagnostic setting created for the selected Azure resource. If none of the diagnostic settings are configured with HTTP logs, HTTP logging is not enabled for the selected Azure App Service web application.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account: 

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs): 

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output): 

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run webapp list command (Windows/macOS/Linux) with custom output filters to list the ID of each App Service web application available in the selected Azure subscription: 

az webapp list
	--query '[*].id'

05 The command output should return the requested web application IDs: 

[
	"/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-ecommerce-app",
	"/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-project-web-app"
]

06 Run monitor diagnostic-settings list command (Windows/macOS/Linux) with the ID of the App Service web application that you want to examine as the identifier parameter and custom output filters to describe the name of each diagnostics setting configured for the selected web application: 

az monitor diagnostic-settings list
	--resource "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-ecommerce-app"
	--query '[].name'

07 The command output should return the requested diagnostics setting identifiers (names). If the command output returns an empty array, i.e. [], there are no diagnostic settings configured for the selected App Service web application, therefore, the Audit process ends here: 

[
	"cc-ecommerce-app-diagnostic-logs",
	"cc-webapp-console-diagnostic-logs"
]

08 Run monitor diagnostic-settings show command (Windows/macOS/Linux) with the name of the diagnostic setting that you want to examine as the identifier parameter, to describe the log categories supported by Azure App Service, configured for the selected diagnostic setting: 

az monitor diagnostic-settings show
	--name "cc-ecommerce-app-diagnostic-logs"
	--resource "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-ecommerce-app"
	--query 'logs'

09 The command output should return the supported log categories and their status: 

[
	{
		"category": "AppServiceHTTPLogs",
		"enabled": false,
		"retentionPolicy": {
			"days": 0,
			"enabled": false
		}
	},
	{
		"category": "AppServiceAuditLogs",
		"enabled": false,
		"retentionPolicy": {
			"days": 0,
			"enabled": false
		}
	},
	{
		"category": "AppServiceConsoleLogs",
		"enabled": false,
		"retentionPolicy": {
			"days": 0,
			"enabled": false
		}
	},
	{
		"category": "AppServiceAppLogs",
		"enabled": false,
		"retentionPolicy": {
			"days": 0,
			"enabled": false
		}
	},
	{
		"category": "AppServiceIPSecAuditLogs",
		"enabled": true,
		"retentionPolicy": {
			"days": 0,
			"enabled": false
		}
	},
	{
		"category": "AppServicePlatformLogs",
		"enabled": false,
		"retentionPolicy": {
			"days": 0,
			"enabled": false
		}
	},
	{
		"category": "AppServiceAuthenticationLogs",
		"enabled": false,
		"retentionPolicy": {
			"days": 0,
			"enabled": false
		}
	}
]

Check the "enabled" attribute value for the "AppServiceHTTPLogs" log category to determine the logging configuration for the selected diagnostic setting. If the "AppServiceHTTPLogs" log category is disabled (i.e., "enabled": false), HTTP logging is not enabled for the selected diagnostic setting.

10 Repeat steps no. 8 and 9 for each diagnostic setting created for the selected Azure resource. If none of the diagnostic settings are configured with the "AppServiceHTTPLogs" log category, HTTP logging is not enabled for the selected Azure App Service web application.

Remediation / Resolution

To enable and configure HTTP logging for your Azure App Service web applications, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade available at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.

03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 From the Type equals all filter box, select Type for Filter, Equals for Operator, and App Service for Value, then choose Apply to list the App Service web applications available in the selected subscription.

05 Click on the name (link) of the web application that you want to configure.

06 In the resource navigation panel, under Monitoring, select Diagnostic settings, and perform one of the following actions:

  1. To create a new diagnostic setting resource, choose Add diagnostic setting from the Diagnostic settings section. A diagnostic setting specifies a list of categories of platform logs and/or metrics that you want to collect from an Azure resource, and one or more destinations that you would stream them to. On the Diagnostic setting setup page, perform the following actions:
    1. Provide a unique name for your new diagnostic setting in the Diagnostic setting name box.
    2. In the Logs section, select the HTTP logs setting checkbox to enable HTTP logging for the selected App Service web application. You can also select multiple log categories, depending on your monitoring requirements. Ensure that HTTP logs log category is included.
    3. (Optional) In the Metrics section, check the AllMetrics setting checkbox if you want to route the resource's platform metrics to the selected log destinations. By default, platform metrics are sent automatically to Azure Monitor Metrics without any additional configuration required.
    4. In the Destination details section, configure one or more log destinations based on your application requirements:
      1. Select Send to Log Analytics workspace and choose a workspace from the Log Analytics workspace dropdown list to send the diagnostic logs.
      2. Select Archive to a storage account and choose a storage account from the Storage account dropdown list to archive the collected logs for at least one year (recommended). The storage account needs to be in the same region as the resource being monitored if the resource is regional.
      3. Select Stream to an event hub to stream the collected logs to an Event Hub. Select the name, namespace, and policy of the event hub that you want to use.
      4. Select Send to partner solution to deliver the log files to a supported third-party system. For supported partner integrations, please refer to this page.
    5. Choose Save to apply the configuration changes.
  2. To update an existing diagnostic setting, choose Edit setting, and select the HTTP logs setting checkbox to enable HTTP logging for the selected App Service web application. In the Destination details section, ensure that one or more log destinations are selected. Choose Save to apply the configuration changes.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account: 

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs): 

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output): 

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run monitor diagnostic-settings create command (Windows/macOS/Linux) to create a new diagnostic setting for the specified Azure App Service web application in order to enable the HTTP logging feature. As an example, the following command request creates a diagnostic setting named "cc-ecommerce-webapp-http-logs" for the App Service web application specified by --resource, that sends the supported logs and metrics to a Log Analytics workspace identified by the ID "abcd1234abcd1234abcd1234" and archive the files to an Azure Storage account identified by "abcd1234abcd1234abcd1234". Platform metrics are sent automatically to Azure Monitor Metrics by default and without any configuration. If you need to route the resource's platform metrics to the selected log destinations, include the --metrics parameter in the command request, as shown in the example below: 

az monitor diagnostic-settings create
	--name "cc-ecommerce-webapp-http-logs"
	--resource "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-ecommerce-app"
	--workspace "abcd1234abcd1234abcd1234"
	--storage-account "1234abcd1234abcd1234"
	--logs '[
		{
			"category": "AppServiceHTTPLogs",
			"enabled": true,
			"retentionPolicy": {
			"days": 0,
			"enabled": false
			}
		}
	]'
	--metrics '[
		{
			"category": "AllMetrics",
			"enabled": true,
			"retentionPolicy": {
				"enabled": false,
				"days": 0
			}
		}
	]'

05 The command output should return the configuration information available for the new diagnostic setting: 

{
	"id": "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.web/sites/cc-ecommerce-app/providers/microsoft.insights/diagnosticSettings/cc-ecommerce-webapp-http-logs",
	"logs": [
		{
			"category": "AppServiceHTTPLogs",
			"enabled": true,
			"retentionPolicy": {
				"days": 0,
				"enabled": false
			}
		}
	],
	"metrics": [
		{
			"category": "AllMetrics",
			"enabled": true,
			"retentionPolicy": {
				"days": 0,
				"enabled": true
			},
			"timeGrain": "PT1M"
		}
	],
	"name": "cc-ecommerce-webapp-http-logs",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"storageAccountId": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.Storage/storageAccounts/1234abcd1234abcd1234",
	"type": "Microsoft.Insights/diagnosticSettings",
	"workspaceId": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.OperationalInsights/workspaces/abcd1234abcd1234abcd1234"
}

06 Run monitor diagnostic-settings update command (Windows/macOS/Linux) to update an existing diagnostic setting for the specified Azure App Service web application in order to enable HTTP logging: 

az monitor diagnostic-settings update
	--name "cc-ecommerce-app-diagnostic-logs"
	--resource "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Web/sites/cc-ecommerce-app"
	--storage-account "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Storage/storageAccounts/1234abcd1234abcd1234"
	--logs '[
		{
			"category": "AppServiceHTTPLogs",
			"enabled": true,
			"retentionPolicy": {
				"days": 0,
				"enabled": false
			}
		}
	]'

07 The command output should return the configuration information available for the modified diagnostic setting: 

{
	"id": "/subscriptions/1234abcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.web/sites/cc-ecommerce-app/providers/microsoft.insights/diagnosticSettings/cc-ecommerce-app-diagnostic-logs",
	"logs": [
		{
			"category": "AppServiceHTTPLogs",
			"enabled": true,
			"retentionPolicy": {
				"days": 0,
				"enabled": false
			}
		}
	],
	"metrics": [
		{
			"category": "AllMetrics",
			"enabled": true,
			"retentionPolicy": {
				"days": 0,
				"enabled": true
			},
			"timeGrain": "PT1M"
		}
	],
	"name": "cc-ecommerce-app-diagnostic-logs",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"storageAccountId": "/subscriptions/abcdabcd-1234-abcd-1234-abcd1234abcd/resourceGroups/cloud-shell-storage-westeurope/providers/microsoft.Storage/storageAccounts/1234abcd1234abcd1234",
	"type": "Microsoft.Insights/diagnosticSettings"
}

References

Publication date Nov 25, 2025

Related AppService rules