Share via

Why am I not seeing monitor logs from my vhub firewall

Leppert, R 0 Reputation points
2026-04-27T15:56:53.8166667+00:00

Why am I not seeing monitor logs from my vhub firewall

Azure Firewall
Azure Firewall

An Azure network security service that is used to protect Azure Virtual Network resources.

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Praveen Bandaru 11,640 Reputation points Microsoft External Staff Moderator
    2026-05-08T16:09:01.6+00:00

    Hello Leppert, R

    It looks like you've set up a workspace and are running AZFWNetworkRule against your vHub firewall, but you're not seeing any log entries even though devices are communicating with the service. Here are some common reasons why logs may be missing and steps to address each:

     

    1. Diagnostic settings may not be configured correctly.
    • For Structured logs (used by the AZFWNetworkRule table), ensure you have a diagnostic setting that targets “Resource specific” in your Log Analytics workspace.
    • If using Legacy logs, check for a separate diagnostic setting for those, which appear in the AzureDiagnostics table.
    • After enabling Structured logs, allow up to 30 minutes for logs to appear.
    1. Confirm you are querying the correct table.
    • Structured network-rule logs are in AZFWNetworkRule, and application-rule logs are in AZFWApplicationRule.
    • Legacy logs are in AzureDiagnostics under the NetworkRuleLog category.

    Review your Kusto query, for example:    

    AZFWNetworkRule
| where TimeGenerated > ago(1h)
| where DestinationIp contains "10.x.x.10"
    1. Check if traffic is actually reaching the firewall.

    Make sure your User-Defined Routes (UDRs) send traffic to the firewall’s private IP, and the route table is linked to the correct subnets. If traffic bypasses the firewall, logs will not be generated.

    1. Review rule hit behavior.

    Azure Firewall applies a default deny policy—only flows matching an explicit Allow/Deny rule or the default deny will generate log entries. Check your rule priorities and definitions to ensure your traffic is matched.

    1. Consider retention and throttling limits. Log Analytics retains data for 30 days by default, and queries return up to 30,000 records unless adjusted or exported.

    To troubleshoot further:

    1.In the Azure portal, go to your Firewall → Diagnostic settings and confirm you have:

    • One setting for Structured logs → destination “Resource specific” → sending at least the NetworkRule log category to your workspace.
    • (If you still need legacy logging) a second setting for Azure Diagnostics → sending logs to the same or another workspace.
    1. After enabling the diagnostic logs wait ~30 min, then run:
    AZFWNetworkRule
| where TimeGenerated > ago(30m)
    1. Review your vHub’s effective routes to confirm traffic to 10.x.x.10 is directed to the firewall’s private IP.
    2. If no logs are found, try querying AzureDiagnostics for Category == "NetworkRuleLog" to check for legacy logs.

     

    Reference documentation: Enable diagnostic logging: https://learn.microsoft.com/azure/firewall/firewall-diagnostics#enable-diagnostic-logging-through-the-azure-portal

    Structured logs overview: https://learn.microsoft.com/en-us/azure/firewall/monitor-firewall
    Troubleshooting missing logs: https://learn.microsoft.com/en-us/azure/firewall/monitor-firewall#critical-checklist-for-common-issues

    Virtual hub effective routes: https://learn.microsoft.com/en-us/azure/virtual-wan/effective-routes-virtual-hub

    Was this answer helpful?

    0 comments
  2. Vallepu Venkateswarlu 10,180 Reputation points Microsoft External Staff Moderator
    2026-04-27T17:15:10.5733333+00:00

    Hi @ Leppert, R

    Welcome to Microsoft Q&A Platform.

    If Routing Intent is not configured on the vWAN Hub, traffic flows through the hub without touching the firewall ,meaning no logs are generated regardless of your diagnostic settings.

    Verify Diagnostic Settings : Go to your firewall-->Monitoring → Diagnostic settings-->Ensure logs are:

    • Enabled
    • Sent to the correct Log Analytics workspace

    Note: Make sure to select the correct timeframe in Log section

    Screenshot shows Firewall diagnostic settings.

    After enabling the above configuration, please wait for approximately 30 minutes, then trigger the query again and check the results.

    If there are still no results, try running the query without specifying an IP address. First, verify whether you are receiving any logs related to Azure Firewall.

    Run Health Check Query First

    AZFWNetworkRule 
| where TimeGenerated > ago(24h) 
| summarize Count = count() by Resource 
| order by Count desc

    If this returns results -----Logging is working. Refine with your specific query.

    If this returns nothing----- Routing Intent or Diagnostic Settings issue.

    Once the health check confirms that logs are being generated, expand the logs and verify the Destination IP ,If the Destination IP does not match the expected value, it indicates that there is no traffic reaching that IP

    Ref: Monitor Azure Virtual WAN

    If the above steps did not help resolve your issue, please feel free to share the details in a private message so we can proceed with further troubleshooting over a Teams call. I am happy to connect with you on Teams to investigate and resolve the issue.

    Please210246-screenshot-2021-12-10-121802.pngand “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    Was this answer helpful?

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.