Web App Service diagnostics premium field-manual-complete

App Service logs

App Service logs are the built-in records that help you understand what an App Service app is doing and why it failed. They can include application messages, HTTP server logs, detailed errors, failed request traces, deployment logs, and live log stream output. Developers use them to debug code and startup problems. Operators use them to prove whether an incident came from the app, the platform, configuration, deployment, or a dependency. The trick is logging enough useful detail without leaking secrets or creating noisy storage costs.

Back to glossary browser Open Microsoft Learn source
Aliases
Azure App Service logs, app service logs
Difficulty
intermediate
CLI mappings
5
Last verified
2026-05-30

Microsoft Learn

Microsoft Learn explains App Service diagnostic logging as settings that collect application logs, web server logs, detailed errors, failed request traces, container logs, and platform resource logs for App Service apps. These logs can be streamed, stored temporarily, written to storage, or routed through Azure Monitor.

Microsoft Learn: Enable diagnostic logging for apps in Azure App Service2026-05-30

Technical context

Technically, App Service logs sit in the observability layer of the App Service platform. They complement Azure Monitor metrics, Application Insights telemetry, diagnostic settings, Activity Log, deployment history, Kudu diagnostics, and web server traces. Some logs are written to the App Service file system for temporary troubleshooting, while others can be sent to storage, Log Analytics, or live streams depending on app type and configuration. Logging behavior differs across Windows, Linux, containers, slots, and runtime stacks, so operators must verify actual destinations.

Why it matters

App Service logs matter because many web-app incidents are otherwise guesswork. A user sees a 500 error, a container restarts, a deployment fails, or authentication breaks, and the portal overview may still look healthy. Logs show startup messages, exception details, failed request patterns, deployment output, platform messages, and correlation clues. They also support audit and support cases when retained properly. Poor logging creates two bad outcomes: not enough evidence during an outage, or too much sensitive and expensive noise. Good teams decide log level, destination, retention, redaction, and query patterns before the first production incident. It also protects teams from repeating the same incident without evidence. The best teams decide the evidence plan before customers become the monitoring system.

Where you see it

Signals, screens, and Azure surfaces where this term usually becomes operational.

Signal 01

In the Azure portal App Service logs blade, operators enable application, web server, detailed error, failed request, and container logging options during incidents during triage.

Signal 02

In az webapp log commands, live tail, configuration, and download output show whether the app is producing usable operational evidence for support during live incidents.

Signal 03

In Log Analytics or diagnostic settings, AppServiceAppLogs, HTTP logs, audit logs, and platform categories show routed long-term records during audits, compliance reviews, and support tickets.

When this becomes relevant

Specific situations where this term helps solve real Azure design, operations, migration, security, reliability, cost, or governance problems.

  • Diagnose startup failures after a runtime stack, container image, app setting, or deployment change.
  • Capture failed requests and exception patterns behind HTTP 500, 502, 503, or authentication errors.
  • Provide retained incident evidence to developers, auditors, Microsoft support, or customer-facing support teams.
  • Tail live logs during a controlled production fix without granting developers full portal administration.
  • Tune log level and retention so troubleshooting evidence exists without uncontrolled ingestion or secret exposure.

Real-world case studies

Different enterprise-style examples that show the term being used to hit measurable objectives.

Case study 01

Nonprofit donation portal restores confidence after failed gifts

Scenario, objectives, solution, measured impact, and takeaway.

Scenario

A nonprofit's donation portal on App Service began returning intermittent 500 errors during a televised fundraising campaign. The overview blade showed healthy instances, but donors reported failed card submissions.

Business/Technical Objectives
  • Identify whether failures came from the app, gateway, payment dependency, or deployment.
  • Restore donation flow before the campaign peak hour.
  • Retain evidence for the payment provider and board review.
  • Avoid exposing donor information in troubleshooting logs.
Solution Using App Service logs

Operators enabled controlled App Service application logging and tailed live output while developers reproduced test donations. Deployment logs showed no package failure, but application logs revealed a new payment SDK timeout path after a configuration change. The team reduced the timeout, restarted the app, and routed retained diagnostic logs to the approved workspace for post-incident review. Logging statements were reviewed before sharing evidence to confirm that card data and donor addresses were not present. Azure CLI commands captured log configuration, live timestamps, diagnostic settings, and deployment log excerpts in the incident record. Afterward, the team added correlation IDs, safer exception handling, and a runbook that distinguished payment failures from App Service platform problems.

Results & Business Impact
  • Donation failures fell from 14 percent to below 1 percent within 22 minutes.
  • The campaign recovered an estimated $186,000 in gifts during the final hour.
  • Board incident evidence was ready the next morning instead of after a week of reconstruction.
  • No sensitive payment data was found in the retained log sample.
Key Takeaway for Glossary Readers

App Service logs are valuable when they reveal the failing application path without turning incident evidence into a data leak.

Case study 02

Logistics API team separates deployment failure from runtime failure

Scenario, objectives, solution, measured impact, and takeaway.

Scenario

A logistics platform published shipment-label APIs through App Service. After a release, containers restarted repeatedly, and warehouse users could not print labels for outbound trucks.

Business/Technical Objectives
  • Determine whether the failure happened during deployment or container startup.
  • Restore label printing before the afternoon shipping cutoff.
  • Give developers container output without full production access.
  • Standardize logging across staging and production slots.
Solution Using App Service logs

The operations team used App Service logs to inspect deployment output, then tailed live container logs from the production slot. Deployment logs showed a successful image pull, but log stream output revealed that the application exited because an environment variable name changed between staging and production. The team corrected the slot setting, restarted the app, and verified successful startup from live logs before asking warehouses to retry. CLI output from az webapp log deployment show, log tail, and app-setting inspection was saved to the change ticket. The fix was followed by a slot-parity check and a rule that any required setting must be validated before swap. Diagnostic routing was also adjusted so future startup failures remained searchable after live tailing ended.

Results & Business Impact
  • Label printing recovered 41 minutes before the carrier pickup deadline.
  • Mean time to identify the startup cause dropped from previous estimates of two hours to 17 minutes.
  • Developers received exact container output without broad portal permissions.
  • Slot-setting drift checks prevented three later release failures.
Key Takeaway for Glossary Readers

App Service logs help teams distinguish deployment success from runtime startup failure when a release looks healthy but the app is not running.

Case study 03

Media subscription service controls noisy production logging

Scenario, objectives, solution, measured impact, and takeaway.

Scenario

A media subscription service used App Service for account APIs. Engineers enabled debug logging during a login incident, then forgot to reduce the level after traffic returned to normal.

Business/Technical Objectives
  • Reduce unnecessary log ingestion without losing incident visibility.
  • Remove sensitive request fields from application logs.
  • Create a standard production logging baseline.
  • Keep support queries useful for customer login investigations.
Solution Using App Service logs

Platform engineers reviewed App Service log settings, Application Insights telemetry, and workspace ingestion by category. They found repeated debug statements that included partial request payloads and produced high daily ingestion during prime viewing hours. The team changed production log levels to information and warning, removed sensitive fields from authentication messages, and kept short-term verbose logging as a controlled incident action. Azure CLI inventory captured logging configuration for every account API and compared it against the baseline. Diagnostic settings were standardized so request failures, deployment logs, and selected platform logs remained queryable. Support staff received saved KQL queries that used correlation IDs instead of raw payload details. A weekly report now flags apps with unexpected verbose logging or sudden ingestion growth.

Results & Business Impact
  • Log Analytics ingestion for account APIs dropped 38 percent in the first month.
  • Sensitive payload fragments disappeared from sampled production log records.
  • Login incident investigations still had correlation IDs, timestamps, and exception categories.
  • Unexpected verbose logging is now detected within 24 hours instead of during invoice review.
Key Takeaway for Glossary Readers

Good App Service logging is not maximum logging; it is the right evidence, retained safely, at a sustainable volume.

Why use Azure CLI for this?

As an Azure engineer, I use Azure CLI for App Service logs because incident response needs speed and repeatability. I can turn logging on, tail live output, show deployment logs, inspect app settings, and confirm diagnostic settings without clicking through many blades. CLI also helps me capture before-and-after evidence in a change record and apply the same logging baseline across slots, apps, or environments. The portal is comfortable for occasional viewing, but CLI is better when I need consistent troubleshooting commands in runbooks and pipelines. CLI also supports fast comparison across slots when portal views are misleading. Use those comparisons during incidents. It also helps responders avoid changing the wrong slot while a customer-facing incident is active.

CLI use cases

  • Enable or inspect application, web server, detailed error, and failed request logging for a specific web app or slot.
  • Tail live App Service logs during a deployment, restart, startup failure, or dependency incident.
  • Show deployment logs to determine whether a failed release stopped during build, package extraction, startup, or post-deployment steps.
  • List diagnostic settings and confirm whether logs are routed to the approved workspace or storage account.
  • Export logging configuration across apps to find inconsistent retention, log level, or destination settings.

Before you run CLI

  • Confirm the subscription, resource group, app name, and slot before enabling logs or tailing production output.
  • Know whether the app runs on Windows, Linux, or containers because logging options and file locations can differ.
  • Check permissions for App Service and monitoring resources; reading logs may expose sensitive application data.
  • Avoid leaving verbose logging on after troubleshooting, especially for high-traffic apps or sensitive workloads.
  • Use approved storage, workspace, and retention settings before routing logs outside the app's temporary file system.

What output tells you

  • Logging configuration output shows which log categories are enabled, their levels, destinations, quotas, and retention periods.
  • Live log stream output shows current application messages, startup failures, container output, and runtime errors as the app runs.
  • Deployment log output identifies build, package, extraction, startup, and deployment-script failures that may not appear in request logs.
  • Diagnostic settings output proves whether platform logs flow to Log Analytics, storage, or Event Hubs for retention and query.
  • Timestamps, instance names, status codes, and exception messages help connect user impact to deployments, restarts, and dependencies.

Mapped Azure CLI commands

App Service logs CLI commands

direct
az webapp log config --resource-group <resource-group> --name <app-name> --application-logging filesystem --level information
az webapp logconfigureWeb
mutating Microsoft docs
az webapp log tail --resource-group <resource-group> --name <app-name>
az webapp logdiscoverWeb
read-only Microsoft docs
az webapp log deployment show --resource-group <resource-group> --name <app-name>
az webapp log deploymentdiscoverWeb
read-only Microsoft docs
az monitor diagnostic-settings list --resource <resource-id>
az monitor diagnostic-settingsdiscoverAI and Machine Learning
read-only Microsoft docs
az webapp show --resource-group <resource-group> --name <app-name> --query siteConfig --output json
az webappdiscoverWeb
read-only Microsoft docs

Architecture context

In architecture reviews, App Service logs are part of the web platform's evidence path. I design them with Application Insights, Log Analytics, diagnostic settings, alert rules, deployment slots, and support workflows. Temporary file-system logging is useful for short debugging, but production systems need intentional retention and access control. I also decide which teams can view logs because application messages may contain customer identifiers, tokens, or payload fragments if code is careless. A good design separates application telemetry, platform resource logs, deployment evidence, and live triage so each question has the right source. Design retention and routing before production traffic arrives. I also define correlation identifiers so logs, traces, metrics, and gateway records join into one timeline.

Security

Security impact is direct because logs can expose sensitive data if developers write secrets, tokens, personal information, connection strings, or request payloads. Logging destinations also need access control, encryption, retention policy, and review. App Service logs should help detect suspicious behavior, but they should not become a new data leak. Limit who can enable verbose logging in production, disable temporary debugging after use, and review log queries for sensitive output. Pair logging with managed identity, Key Vault, and secure configuration so failures are observable without revealing credentials. Apply retention, workspace RBAC, and redaction before collecting verbose production data. Audit access before enabling verbose logs. Redaction checks belong in release reviews, not only after a sensitive field appears in production logs.

Cost

Cost impact comes from storage, Log Analytics ingestion, retention, and the human time spent searching noisy data. Debug-level logging across busy apps can produce large volumes quickly, especially if request bodies or repeated exceptions are logged. Temporary file-system logging may avoid long-term ingestion cost, but it is not a substitute for retained production evidence. FinOps reviews should look for noisy categories, overly long retention, duplicate telemetry between App Service logs and Application Insights, and apps that log continuously at development verbosity. Useful logs should be affordable and intentional. Set owners for noisy categories so debug settings do not quietly become permanent. Review actual ingestion after incidents, because temporary settings often become permanent without ownership.

Reliability

Reliability impact is practical and direct. Logs do not keep an app alive by themselves, but they shorten detection and recovery when something goes wrong. Startup failures, dependency timeouts, container crashes, failed deployments, and 5xx spikes are much easier to fix when logs capture the right context. Reliability suffers when logging is disabled, too verbose to search, retained for too short a period, or written only to ephemeral storage. Design logging so on-call teams can answer what changed, when errors started, which instance was affected, and whether rollback helped. Validate logging after slot swaps, scale changes, runtime upgrades, and restart events. Logging itself should be monitored so teams notice silent telemetry gaps before the next outage.

Performance

Performance impact is usually indirect, but excessive logging can slow applications, increase I/O, inflate response time, and hide important signals. Synchronous logging, huge payload messages, and chatty debug loops are common culprits. Log streaming is valuable during incidents but should not replace efficient application telemetry. Performance analysis benefits from good logs when they include timestamps, correlation IDs, dependency timing, and instance information. Keep production logging at an appropriate level, sample high-volume details where possible, and use metrics for continuous performance alerts rather than parsing every request message. Structured, focused logs reduce query time and avoid expensive noise during incidents. Keep logging performance in load tests so diagnostic detail does not become a hidden bottleneck.

Operations

Operators use App Service logs for live triage, deployment validation, post-incident analysis, support tickets, audit evidence, and developer handoffs. Common tasks include enabling the correct log type, tailing log stream, checking deployment logs, confirming retention, routing diagnostics to Log Analytics, and tuning log levels after incidents. Runbooks should say which logs to check first for startup, HTTP, deployment, container, authentication, and dependency problems. Operators should also turn off temporary verbose settings after troubleshooting and confirm that log access follows least privilege. Document which logs answer startup, request, dependency, container, and platform questions. Review runbooks before incidents and assign clear owners for each noisy log category. Document which teams can change log levels because a careless debug switch can affect cost and privacy during incident review.

Common mistakes

  • Turning on verbose production logging during an incident and forgetting to turn it off after the fix is complete.
  • Logging secrets, tokens, connection strings, personal data, or full request bodies while trying to improve diagnostics.
  • Assuming log stream output is retained forever instead of configuring durable destinations for production evidence.
  • Checking only application logs when the failure is actually in deployment, platform startup, container launch, or authentication configuration.
  • Using different logging settings across slots, then missing errors that happen only during swap or warm-up.