The Web Application Firewall's (WAF's) Log Scrubbing tool helps you remove sensitive data from your WAF logs. It works by using a rules engine that allows you to build custom rules to identify specific portions of a request that contain sensitive data. In order to work correctly, your content-type header and request body type must match. Once specified sensitive content is identified, the tool scrubs that information from your logs and replaces it with ******.
Note
The log scrubbing feature is only supported on Web Application Firewalls running the latest WAF engine. Select OWASP CRS 3.2 or Default Rule Set 2.1 as the managed rule set.
Note
When you enable the log scrubbing feature, Microsoft still retains IP addresses in our internal logs to support critical security features.
The following table shows examples of log scrubbing rules that can be used to protect your sensitive data:
| Match Variable | Operator | Selector | What gets scrubbed | 
|---|---|---|---|
| Request Header Names | Equals | X-Forwarded-For | REQUEST_HEADERS:x-forwarded-for.","data":"******" | 
| Request Cookie Names | Equals | cookie1 | "Matched Data: ****** found within REQUEST_COOKIES:cookie1: ******" | 
| Request Arg Names | Equals | arg1 | "requestUri":"/?arg1=******" | 
| Request Post Arg Names | Equals | Post1 | "data":"Matched Data: ****** found within ARGS:post1: ******" | 
| Request JSON Arg Names | Equals | Jsonarg | "data":"Matched Data: ****** found within ARGS:jsonarg: ******" | 
| Request IP Address* | Equals Any | NULL | "clientIp":"******" | 
* Request IP Address rules only support the Equals Any operator and scrub all instances of the requester's IP address that appear in the WAF logs.
For more information, see What is Azure Web Application Firewall Sensitive Data Protection?
Enable Sensitive Data Protection
Use the following information to enable and configure Sensitive Data Protection.
To enable Sensitive Data Protection:
- Open an existing Application Gateway WAF policy.
- Under Settings, select Sensitive data.
- On the Sensitive data page, select Enable log scrubbing.
To configure Log Scrubbing rules for Sensitive Data Protection:
- Under Log scrubbing rules, select a Match variable.
- Select an Operator (if applicable).
- Type a Selector (if applicable).
- Select Save.
Repeat to add more rules.
Verify Sensitive Data Protection
To verify your Sensitive Data Protection rules, open the Application Gateway firewall log and search for ****** in place of the sensitive fields.
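The following Python script is an added example, not code from the Microsoft documentation or from the Azure WAF product. It covers both the configuration procedure above (it builds the set of log scrubbing rules from the page's table, enforcing the stated constraints that Request IP Address only takes Equals Any with no selector and every other match variable needs a selector) and the verification step (it audits a WAF log line and reports any field a rule should have masked that still carries a real value). The ARM-style field names `matchVariable`, `selectorMatchOperator`, `selector` and `state`, the enum spellings such as `RequestHeaderNames` and `EqualsAny`, and the shape of the log records are assumptions based on the page's table; the two log lines are constructed for the example, not captured from a gateway.

```python
"""Build an Application Gateway WAF log-scrubbing rule set and audit a WAF
log line for values that should have been masked.
Added example; assumed ARM field names and constructed log records."""
import json
import re
from urllib.parse import parse_qs, urlsplit

MASK = "******"  # replacement the page says scrubbed fields contain

# Match variables that show up inside details.data, mapped to the collection
# prefix the page's "What gets scrubbed" column shows for them (assumed).
COLLECTION = {
    "RequestHeaderNames": "REQUEST_HEADERS",
    "RequestCookieNames": "REQUEST_COOKIES",
    "RequestPostArgNames": "ARGS",
    "RequestJSONArgNames": "ARGS",
}
URI_VARIABLE = "RequestArgNames"      # scrubbed inside requestUri
IP_VARIABLE = "RequestIPAddress"      # scrubbed in clientIp, EqualsAny only


def build_log_scrubbing(rules):
    """Return a policySettings.logScrubbing fragment (ARM shape, assumed) for
    (matchVariable, operator, selector) tuples, rejecting combinations the
    page says are unsupported."""
    scrubbing_rules = []
    for match_var, operator, selector in rules:
        if match_var == IP_VARIABLE:
            if operator != "EqualsAny" or selector is not None:
                raise ValueError("RequestIPAddress only supports EqualsAny with no selector")
        elif match_var in COLLECTION or match_var == URI_VARIABLE:
            if operator != "Equals" or not selector:
                raise ValueError(f"{match_var} needs operator Equals and a selector")
        else:
            raise ValueError(f"unknown match variable {match_var!r}")
        scrubbing_rules.append({
            "matchVariable": match_var,
            "selectorMatchOperator": operator,
            "selector": selector,
            "state": "Enabled",
        })
    return {"state": "Enabled", "scrubbingRules": scrubbing_rules}


def audit_log_line(line, rules):
    """Return findings for every configured rule whose target field in this
    log line still holds a non-masked value. An empty list means the line is
    consistent with the rules."""
    props = json.loads(line)["properties"]
    data = props.get("details", {}).get("data", "")
    findings = []
    for match_var, _operator, selector in rules:
        if match_var == IP_VARIABLE:
            if props.get("clientIp") != MASK:
                findings.append(f"clientIp not masked: {props.get('clientIp')}")
        elif match_var == URI_VARIABLE:
            query = parse_qs(urlsplit(props.get("requestUri", "")).query)
            for value in query.get(selector, []):
                if value != MASK:
                    findings.append(f"query arg {selector} not masked: {value}")
        else:
            # The log lower-cases names, so match the selector case-insensitively.
            token = f"{COLLECTION[match_var]}:{selector}:"
            found = re.search(re.escape(token) + r"\s*(\S+)", data, re.IGNORECASE)
            if found and found.group(1) != MASK:
                findings.append(f"{token} value not masked: {found.group(1)}")
    return findings


# Rules taken from the page's table (IP address, query arg, POST arg).
RULES = [
    (IP_VARIABLE, "EqualsAny", None),
    (URI_VARIABLE, "Equals", "arg1"),
    ("RequestPostArgNames", "Equals", "Post1"),
]

# Constructed log lines approximating an ApplicationGatewayFirewallLog record.
SCRUBBED_LINE = json.dumps({"category": "ApplicationGatewayFirewallLog", "properties": {
    "clientIp": MASK, "requestUri": "/?arg1=******",
    "details": {"data": "Matched Data: ****** found within ARGS:post1: ******"}}})
LEAKY_LINE = json.dumps({"category": "ApplicationGatewayFirewallLog", "properties": {
    "clientIp": "203.0.113.7", "requestUri": "/?arg1=s3cret",
    "details": {"data": "Matched Data: s3cret found within ARGS:post1: s3cret"}}})

if __name__ == "__main__":
    print(json.dumps(build_log_scrubbing(RULES), indent=2))
    print("scrubbed line findings:", audit_log_line(SCRUBBED_LINE, RULES))
    print("leaky line findings:", audit_log_line(LEAKY_LINE, RULES))
```

Running the script prints the rule fragment, an empty findings list for the scrubbed record and three findings for the leaky one. Pointing `audit_log_line` at exported firewall log records is a quick way to confirm that every rule you saved in the portal is actually taking effect rather than eyeballing the log for `******`.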