How to monitor Azure App Service content changes and publishing activity

There are various ways to deploy an Azure App Service content: FTP, GitHub actions, deploy from Zip and many others. With Azure Role-Based Access Control it is possible to have many different users with contributor access who can deploy new content or modify existing files. In those situations it may be important to track who made the content changes and when. Some companies or businesses may need this capability for various compliance requirements. This blog post explains how to enable the monitoring of app service content publishing activity and content file changes.

Azure App Service is integrated with Azure Monitor which makes many app service logs available in Azure Monitor and Azure Log Analytics. The publishing activity and file change logs are also pushed to Azure Monitor and can be exported to third party services or can be used to create rule-based alerts.

Here are the configuration steps necessary to enable publishing activity and file change logging.

Create a new Log Analytics workspace

Note that this step can be omitted if you do not plan to use Log Analytics to query the logs and instead just want to make the logs available to third party log processing services.

Make sure that the workspace is created in the same region where you app service is located.

Create new Log Analytics workspace

Configure Azure Monitor diagnostic settings

In the Azure Portal select the App Service and then select the diagnostic settings:

App Service diagnostic settings

Select +Add diagnostic setting:

Add diagnostic setting

On next page you can specify what logs you need and where you need those logs to be sent to. Select the following logs:

  • AppServiceFileAuditLogs – this will generate logs for app service content files changes;
  • AppServiceAuditLogs – this will generate logs for publishing access, for example when somebody logs on via FTP.

Then select where you need those logs to be sent to. For example you can send them to a storage account of your choice and to a Log Analytics workspace that you created in a previous step. Note that the storage account has to be in the same region as the app service.

Configure logs for Azure Monitor

Scale the App Service Plan to PremiumV2 or Premium

The file change audit logs (AppServiceFileAuditLogs) are only available for app services in Premium, PremiumV2 and Isolated App Service Plans. You will need to scale up the app service plan in order to get those logs.

The publishing audit logs (AppServiceAuditLogs) are available for all App Service Plan pricing tiers.

Enable File Change Audit for the App Service

The last step is to switch on the File Change Audit configuration setting for the web app. At the time of writing this article there is no Portal support or client libraries for this setting yet so the easiest way to do this is via Azure Resource Explorer:

Enable file change audit in Azure Resource Explorer

How to access the logs

If you enabled sending of the logs to a storage account then you should see the insights-logs-appserviceauditlogs and insights-logs-appservicefileauditlogs containers in that storage account:

Log containers in the storage account

If you enabled sending of the logs to the Log Analytics workspace then open that workspace and go to the Logs page. That will open the query window where you can write the queries against the AppServiceFileChangeAuditLogs:

Querying file changes in the past 7 days

and AppServiceAuditLogs:

Querying the publishing access in the past 7 days

The log analytics allows you to create complex queries against these logs and also use those queries to create rule-based alerts. For example you can create an alert that will send you an email whenever a files with extension .config and *.dll are modified.

How to exclude specific files or directories from audit

If an application generates many temporary files or if it constantly writes something to a log file then this may result in very noisy audit log. To prevent this from happening you can exclude certain directories from auditing by using the audit log filter file.

Create a file named _auditLog.filter at the root directory of your site content (D:\Home) and add the directory and file paths to be excluded there:

# this is an example of an audit filter file
# it can contain file and directory paths
# it can have comments
# it can have up to 50 exclude paths
# each path can be up to 256 chars long

Known issues

  • The file change audit and publishing access audit are currently in a public preview. The functionality may have some bugs and the logs schema may change
  • The file change audit is only available for app services that run on Windows App Service plans. The Linux App Service Plans are not supported at the time of writing this article.

Leave a Reply

Your email address will not be published. Required fields are marked *