Monitor Azure AppService log stream from Terminal (using Docker)

Information for those who have trouble opening the Azure portal.

1. Enable log stream in Azure AppService

Immediately after creating the AppService, it was turned off, so enable it from the left menu → App Service log. Blobs may be fine, and I'm not sure what the "detailed error message" means.

image.png

2. Check the log stream

Select Log Stream from the left menu and check that the log can be displayed on the web screen. The following figure shows how the bot is deployed while waiting for a log.

image.png

3. Log in at Terminal

From now on, we'll work in the client's terminal (PowerShell). Maybe it's okay with the command prompt, and it's okay with macOS.

Since installing the Azure CLI is a hassle, use the provided Docker image. At the next command, launch the Azure CLI container and enter bash.

docker run -it mcr.microsoft.com/azure-cli

bash-5.0#

4. Log in to Azure and create what is called a "service principal"

You must log in to Azure from the CLI to access the AppService log stream. Create something called a "service principal" so that you can log in without any interaction with the user.

First, log in to Azure interactively.

bash-5.0# az login

To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code GD3M62X89 to authenticate.

Is displayed, access the URL, enter the code, and log in with a browser.

After logging in, run the following command:

bash-5.0# az ad sp create-for-rbac --name <your-service-principal-name>

Give a name that is easy to manage, but honestly I'm not sure, so I'll leave it as my-first-principal.

When executed,

image.png

Since the result like

Make a note of.

5. Set the authority of the service principal

The service principal you created has the "Contributor" role, and you just want to see the log, but it's over-privileged and dangerous, so run the following command to change the role: ..

bash-5.0# az role assignment create --assignee <appId> --role "Website Contributor"
bash-5.0# az role assignment delete --assignee <appId> --role "Contributor"

is the one that was noted in the previous section.

The role Website Contributor just reads the AppService log. It seems that you can also create and manage websites, but I compromise because I couldn't find any other suitable built-in roles. Perhaps you can only allow more desired functionality in ways other than built-in roles.

6. Log in with the Azure CLI using appId, password, tenant

Log in "non-interactively" with the Azure CLI using the information you noted in step 4.

First, log out.

bash-5.0# az logout

Log in with appId, password, tenant.

bash-5.0# az login --service-principal --username <appId> --password "<password>" --tenant <tenant>

Since password contains symbols etc., it is safer to enclose it in "".

7. Monitor the AppService log stream from the Terminal

bash-5.0# az webapp log tail --name <AppService name>--resource-group <Resource Group name>

and can be found in the AppService overview of the Azure portal.

image.png

The following figure shows an AppService log stream being monitored in Windows Terminal. You can now see the console output of AppService as well as the web screen.

image.png

8. Make it possible to call monitoring in one shot

It is troublesome to docker run, az login, and az webapp log, so let's execute it with a single command. It's easier to use docker-compose.

Create an appropriate directory (here, the log directory), create log_tail.sh in it, and write the following contents.

log_tail.sh

#!/bin/bash

az login --service-principal \
         --username "c22b88da-35d7-4044-xxx-xxxxxxxx" \
         --password "xxxxxxxxxxxxxxxxxxxxx" \
         --tenant "da519484-d2e7-4d6b-xxxx-xxxxxxxx" \
         --output none

az webapp log tail \
         --name mybot001 \
         --resource-group my_bot_001_rc

Replace the parameter part with your own environment described above. We also added --output none to az login. I lost it because it was annoying that the login completion result was output.

Next, create docker-compose.yml in the same directory and write the following contents.

docker-compose.yml

version: '2'
services:
  log-tail:
    image: mcr.microsoft.com/azure-cli
    volumes:
      - .:/work
    working_dir: /work
    command: bash log_tail.sh

Define the container from the Azure CLI image and run log_tail.sh at startup.

Do this in Terminal.

#Go to the log directory and then run
cd log
docker-compose run --rm log-tail

#Run from outside the log directory
cd ..
docker-compose -f ./log/docker-compose.yml run --rm log-tail

Now you can monitor the AppService log in one shot. I'm doing bot development in node.js, so I registered in the scripts in package.json for:

{
    "name": "my-bot",
    "version": "1.0.0",
    "scripts": {
        "log-tail": "docker-compose -f ./scripts/log/docker-compose.yml run --rm log-tail",
<Omitted below>

It can be called with npm run log-tail or yarn log-tail. It has become very convenient.

** Note: ** I have written confidential information such as password directly in log_tail.sh, so I should go out to environment variables. .. ..

9. Delete the service principal

If you no longer use it or find it to be abused, remove the service principal and disable non-interactive login.

  1. First, perform the dialogue az login.
  2. Next, use az ad sp list --all to display the list of service principals (Customize output results (https://dev.classmethod.jp/articles/form-aws-cli). -output-by-jmespath /) It seems that you can adjust it to make it easier to see, but it was too difficult for me ..., --display-name my-first is easy to narrow down).
  3. Find the service principal you want and make a note of the appID.
  4. To change the password etc., execute az ad sp credential reset --name <appID>. A new password will be issued.
  5. To delete the principal, run az ad sp delete --id <appID>.

reference

-Enable diagnostic logging --Azure App Service | Microsoft Docs -[Using Azure Service Principals with Azure CLI | Microsoft Docs](https://docs.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli?view= azure-cli-latest # create-a-service-principal) --Azure built-in roles --Azure RBAC | Microsoft Docs -[Sign in using Azure CLI | Microsoft Docs](https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli?view=azure-cli-latest#sign- in-with-credentials-on-the-command-line) -Streaming logs from Azure App Service | Microsoft Docs

Recommended Posts

Monitor Azure AppService log stream from Terminal (using Docker)
Using Docker from Java Gradle
Data processing using stream API from Java 8