Configure diagnostics settings for Azure API Management

This article describes how to configure diagnostic settings for Azure API Management. Diagnostic settings allow you to send platform metrics and logs to different destinations for analysis, archiving, and troubleshooting.

Azure API Management generates diagnostic logs that provide insights into the operations and performance of your API Management instance. You can configure diagnostic settings to send these logs to:

  • Azure Log Analytics workspace
  • Azure Storage account
  • Azure Event Hubs
  • A third-party SIEM system (via Event Hubs)

Types of Diagnostic Logs

API Management generates the following types of diagnostic logs:

  • ApplicationGatewayAccessLog: Information about requests processed by the API Management gateway.
  • GatewayDiagnosticLog: Detailed gateway logs, including request and response headers, body, and policy execution details.
  • TraceLog: Logs from the request tracing feature, showing the execution of policies.
  • AuditLog: Logs of administrative actions performed on the API Management instance.
  • OperationalLogs: Logs related to the operational status of the API Management service.
  • AllMetrics: All metrics emitted by the API Management service.

Steps to Configure Diagnostics Settings

Using the Azure Portal

  1. Navigate to your API Management instance in the Azure portal.
  2. In the left-hand menu, under Monitoring, select Diagnostic settings.
  3. Click + Add diagnostic setting.
  4. Provide a name for the diagnostic setting (e.g., `APIM-Diagnostics`).
  5. Under Logs, select the categories of logs you want to collect. Common choices include GatewayDiagnosticLog, ApplicationGatewayAccessLog, and AuditLog.
  6. Under Metrics, select AllMetrics if you want to send metrics to your chosen destination.
  7. Under Destination details, choose one or more destinations:
    • Send to Log Analytics workspace: Select an existing workspace or create a new one.
    • Archive to a storage account: Select an existing storage account or create a new one.
    • Stream to an event hub: Select or create an Event Hub namespace and Event Hub.
  8. Click Save.

Note: Log Analytics is the recommended destination for comprehensive log analysis and querying using Kusto Query Language (KQL).

Using Azure CLI

You can use the Azure CLI to configure diagnostic settings programmatically. First, you need to obtain the resource ID of your API Management service and the resource ID of your target Log Analytics workspace (or storage account/event hub).

Example using Azure CLI to send logs and metrics to Log Analytics:


# Replace with your actual resource IDs and names
APIM_RESOURCE_ID="/subscriptions/YOUR_SUBSCRIPTION_ID/resourceGroups/YOUR_RESOURCE_GROUP/providers/Microsoft.ApiManagement/service/YOUR_APIM_NAME"
LOG_ANALYTICS_WORKSPACE_ID="/subscriptions/YOUR_SUBSCRIPTION_ID/resourceGroups/YOUR_LOG_ANALYTICS_RG/providers/Microsoft.OperationalInsights/workspaces/YOUR_LOG_ANALYTICS_WORKSPACE_NAME"
DIAGNOSTIC_SETTING_NAME="APIM-CLI-Diagnostics"

az monitor diagnostic-settings create \
    --name $DIAGNOSTIC_SETTING_NAME \
    --resource $APIM_RESOURCE_ID \
    --workspace $LOG_ANALYTICS_WORKSPACE_ID \
    --logs 'category=GatewayDiagnosticLog' 'category=ApplicationGatewayAccessLog' 'category=AuditLog' \
    --metrics 'category=AllMetrics'

Using Azure PowerShell

Similarly, you can use Azure PowerShell:


# Replace with your actual resource IDs and names
$apimResourceId = "/subscriptions/YOUR_SUBSCRIPTION_ID/resourceGroups/YOUR_RESOURCE_GROUP/providers/Microsoft.ApiManagement/service/YOUR_APIM_NAME"
$logAnalyticsWorkspaceResourceId = "/subscriptions/YOUR_SUBSCRIPTION_ID/resourceGroups/YOUR_LOG_ANALYTICS_RG/providers/Microsoft.OperationalInsights/workspaces/YOUR_LOG_ANALYTICS_WORKSPACE_NAME"
$diagnosticSettingName = "APIM-PS-Diagnostics"

# Define the log and metric categories
$logSettings = @(
    @{
        category = "GatewayDiagnosticLog"
        enabled = $true
    },
    @{
        category = "ApplicationGatewayAccessLog"
        enabled = $true
    },
    @{
        category = "AuditLog"
        enabled = $true
    }
)

$metricSettings = @(
    @{
        category = "AllMetrics"
        enabled = $true
    }
)

# Create the diagnostic setting
New-AzDiagnosticSetting -Name $diagnosticSettingName `
    -ResourceId $apimResourceId `
    -WorkspaceResourceId $logAnalyticsWorkspaceResourceId `
    -Log $logSettings `
    -Metric $metricSettings

Querying Logs in Log Analytics

Once logs are sent to Log Analytics, you can use Kusto Query Language (KQL) to analyze them. For example, to view gateway logs:


AzureDiagnostics
| where ResourceProvider == "MICROSOFT.APIMANAGEMENT"
| where Category == "GatewayDiagnosticLog"
| project TimeGenerated, OperationName, DurationMs, CallerIpAddress, Url, ResponseCode
| order by TimeGenerated desc

Related Topics