Azure logs and events

Latest Dynatrace
How-to guide

The new Azure log and event ingest solution is a SaaS-based approach for collecting Azure platform logs and events. It eliminates much of the operational overhead that was required for self-hosting the Dynatrace Azure Log Forwarder.

While onboarding your Azure environment for Dynatrace monitoring, we will deploy the required Azure Event Hubs used by Microsoft for log and event forwarding. Dynatrace automatically discovers and connects to these Azure Event Hubs and starts to pull logs and events, removing the need to host, scale, or maintain any custom function code.

To support your log and event ingestion, follow the steps below and onboard Azure regions.

Diagram - Azure logs and events ingest

Onboard Azure regions

Dynatrace discovers and connects to Event Hubs namespaces based on two requirements:

Azure tags: The Event Hubs namespace must be tagged with managed-by: dynatrace and dt-log-ingest-activated: <monitoring-config-id>. Dynatrace will not connect to namespaces that are missing these tags.
Event Hub naming: Within the namespace, Dynatrace expects specific Event Hub names: dt-logs-evh for log forwarding, and dt-events-evh for event forwarding. Event Hubs with names which do not follow this convention are ignored.

These requirements are satisfied automatically when you deploy using the ARM template below. If you bring your own Event Hubs infrastructure, check if both conditions are met.

It's possible to add additional Azure regions once a connection is already created. You'll need the following details:

Value	Description
Dynatrace environment ID	Your Dynatrace environment identifier.
Monitoring configuration ID	The ID of the monitoring configuration associated with your Azure connection. Shown in connection Overview.
Principal (object) ID	The Object ID of the Azure service principal. Note: This is the Object ID, not the Application (client) ID. Shown in connection Overview.

If the Principal (object) ID is not shown in the connection Overview, retrieve it using the Azure CLI with the Application (client) ID:

az ad sp show --id <application-client-id> --query id -o tsv

Select the button below to deploy the Azure logs and events infrastructure to your Azure environment. You will be prompted to enter the values described in the table above.

The ARM template source is available on GitHub.

Once deployed, the new region should appear within five minutes in the Logs tab with Deployed status.

Deployed Azure resources per region

The ARM template deploys the following resources into each selected Azure region:

Resource type	Name	Description
`Microsoft.Resources/resourceGroups`	`rg-dt-<environment-id>-<location>`	A dedicated resource group created in the selected region to contain all Dynatrace log ingestion resources.
`Microsoft.EventHub/namespaces`	`evhns-dt-<environment-id>-<location>-<suffix>`	An Event Hub namespace used as the ingestion endpoint. Auto-inflate is enabled for Standard SKU to handle throughput spikes automatically. Tagged with `managed-by: dynatrace` and `dt-log-ingest-activated: <monitoring-config-id>`.
`Microsoft.EventHub/namespaces/eventhubs`	`dt-logs-evh`	Event Hub for Azure Resource Log forwarding via Diagnostic Settings. Default: 4 partitions, 1-day retention.
`Microsoft.EventHub/namespaces/eventhubs`	`dt-events-evh`	Event Hub for Azure Event Grid System Topic subscriptions. Default: 1 partition, 1-day retention.
`Microsoft.Authorization/roleAssignments`	`Azure Event Hubs Data Receiver`	RBAC role assigned to the Dynatrace service principal at the resource group scope, granting read access to the Event Hub namespaces.

The following Azure tags are added to deployed Azure Event Hubs namespaces, these are required for automatic discovery of Azure logs and events infrastructure:

Key	Value
`managed-by`	`dynatrace`
`dt-log-ingest-activated`	The ID of the monitoring configuration associated with your Azure connection. Shown in connection Overview.

Azure costs

This solution incurs charges across three Azure services:

Azure Event Hubs: Charges are based on the SKU tier (basic versus standard) and the number of active throughput units (TUs). Choose a configuration size that matches your expected log volume—undersizing risks dropped ingestion, and oversizing adds unnecessary cost.

Configuration size SKU Baseline TU Max TU (auto-inflate) Max throughput
Dev/Test
Basic
1
—
3.6 GB/hour
Small
Standard
1
4
14.4 GB/hour
Medium
Standard
1
16
57.6 GB/hour
Large
Standard
1
32
115.2 GB/hour

Standard SKU configurations use auto-inflate: TUs scale automatically under load up to the Max TU limit. Azure bills for the peak TU count reached each hour, so costs can exceed a baseline estimate during ingestion spikes. Select Custom in the ARM template to set your own TU ceiling and keep costs predictable.

Use the Azure pricing calculator to estimate monthly costs before deploying. Select Event Hubs, choose the matching SKU, and enter the Max TU value for a worst-case estimate. If your log volume is unknown, start with Small and monitor namespace throughput metrics in Azure Monitor—you can redeploy with a larger size at any time.
Azure Monitor log export: Log export via Diagnostic Settings to Event Hubs is billed per GB of data exported. See Azure Monitor pricing for current rates.
Azure Event Grid: Resource lifecycle event forwarding is billed per million operations, with the first 100,000 operations per month at no cost. See Azure Event Grid pricing for current rates.

Configuration size	SKU	Baseline TU	Max TU (auto-inflate)	Max throughput
Dev/Test	Basic	1	—	3.6 GB/hour
Small	Standard	1	4	14.4 GB/hour
Medium	Standard	1	16	57.6 GB/hour
Large	Standard	1	32	115.2 GB/hour

Next steps

With Azure regions onboarded, learn more about forwarding logs and events.

Azure logs

Forward activity logs and resource logs to Dynatrace via Azure Event Hubs.

Azure events

Forward resource lifecycle events—including blob creation and deletion, resource group changes, and service health alerts—to Dynatrace via Azure Event Grid and Event Hubs.