
Azure logs and events


The new Azure log and event ingest solution is a SaaS-based approach for collecting Azure platform logs and events. It eliminates much of the operational overhead that was required for self-hosting the Dynatrace Azure Log Forwarder.

While onboarding your Azure environment for Dynatrace monitoring, we will deploy the required Azure Event Hubs used by Microsoft for log and event forwarding. Dynatrace automatically discovers and connects to these Azure Event Hubs and starts to pull logs and events, removing the need to host, scale, or maintain any custom function code.

To support your log and event ingestion, follow the steps below and onboard Azure regions.

Diagram - Azure logs and events ingest

Onboard Azure regions

Dynatrace discovers and connects to Event Hubs namespaces based on two requirements:

  • Azure tags: The Event Hubs namespace must be tagged with managed-by: dynatrace and dt-log-ingest-activated: <monitoring-config-id>. Dynatrace will not connect to namespaces that are missing these tags.
  • Event Hub naming: By default, Dynatrace expects Event Hub names dt-logs-evh for log forwarding and dt-events-evh for event forwarding. These defaults can be overridden by adding dt-azure-logs-eh* or dt-azure-events-eh* tags to the namespace—see the Azure tags table below for details.

These requirements are satisfied automatically when you deploy using the ARM template below. If you bring your own Event Hubs infrastructure, verify that both conditions are met.

You can add more Azure regions after a connection has been created. You'll need the following details:

| Value | Description |
| --- | --- |
| Dynatrace environment ID | Your Dynatrace environment identifier. |
| Monitoring configuration ID | The ID of the monitoring configuration associated with your Azure connection. Shown in connection Overview. |
| Principal (object) ID | The Object ID of the Azure service principal. Note: This is the Object ID, not the Application (client) ID. Shown in connection Overview. |

If the Principal (object) ID is not shown in the connection Overview, retrieve it using the Azure CLI with the Application (client) ID:

az ad sp show --id <application-client-id> --query id -o tsv

To deploy the ARM template, your Azure identity requires:

  • Contributor at subscription or management group scope—to create resource groups and Event Hub resources.
  • Owner or User Access Administrator at subscription or management group scope—only required if you select I have permissions to perform Azure Role Assignments during deployment.
  • A custom role with Microsoft.Authorization/roleAssignments/write permission also satisfies this requirement.

Select the button below to deploy the Azure logs and events infrastructure to your Azure environment. You will be prompted to enter the values described in the table above.

Deploy to Azure button

The ARM template source is available on GitHub.

Once deployed, the new region should appear within five minutes in the Logs tab with Deployed status.

Deployed Azure resources per region

The ARM template deploys the following resources into each selected Azure region:

| Resource type | Name | Description |
| --- | --- | --- |
| Microsoft.Resources/resourceGroups | rg-dt-<environment-id>-<location> | A dedicated resource group created in the selected region to contain all Dynatrace log ingestion resources. |
| Microsoft.EventHub/namespaces | evhns-dt-<environment-id>-<location>-<suffix> | An Event Hub namespace used as the ingestion endpoint. Auto-inflate is enabled for Standard SKU to handle throughput spikes automatically. Tagged with managed-by: dynatrace and dt-log-ingest-activated: <monitoring-config-id>. The namespace name follows a Dynatrace naming convention but is not a requirement for discovery: Dynatrace discovers namespaces by Azure tags, not by name. |
| Microsoft.EventHub/namespaces/eventhubs | dt-logs-evh | Event Hub for Azure Resource Log forwarding via Diagnostic Settings. Default: 4 partitions, 1-day retention. This is the default name; it can be overridden using dt-azure-logs-eh* namespace tags. |
| Microsoft.EventHub/namespaces/eventhubs | dt-events-evh | Event Hub for Azure Event Grid System Topic subscriptions. Default: 1 partition, 1-day retention. This is the default name; it can be overridden using dt-azure-events-eh* namespace tags. |
| Microsoft.Authorization/roleAssignments | Azure Event Hubs Data Receiver | RBAC role assigned to the Dynatrace service principal at the resource group scope, granting read access to the Event Hubs namespaces. |

The following Azure tags are added to deployed Azure Event Hubs namespaces. Required tags enable automatic discovery; optional tags override the default Event Hubs names.

| Key | Value | Required |
| --- | --- | --- |
| managed-by | dynatrace | Yes |
| dt-log-ingest-activated | The ID of the monitoring configuration associated with your Azure connection. Shown in connection Overview. | Yes |
| dt-azure-logs-eh or dt-azure-logs-eh-<suffix> | Override the default dt-logs-evh event hub name for log forwarding. Use a single tag with comma-separated names ("my-logs-eh-1, my-logs-eh-2") or multiple tags with the dt-azure-logs-eh-* prefix (one event hub name per tag). | No |
| dt-azure-events-eh or dt-azure-events-eh-<suffix> | Override the default dt-events-evh event hub name for event forwarding. Use a single tag with comma-separated names or multiple tags with the dt-azure-events-eh-* prefix (one event hub name per tag). | No |
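
The discovery rules above can be checked offline before waiting for a region to appear in the Logs tab. The following Python example is added here and is not Dynatrace code: it takes the tags of one namespace, reports which required tags are wrong, and resolves the event hub names that the override tags select. Exact-case matching, the way comma-separated values are split and trimmed, and the ID cfg-EXAMPLE-0001 are assumptions.

```python
import json

DEFAULT_HUB = {"logs": "dt-logs-evh", "events": "dt-events-evh"}
OVERRIDE_TAG = {"logs": "dt-azure-logs-eh", "events": "dt-azure-events-eh"}


def override_names(tags, prefix):
    """Names from the <prefix> tag and any <prefix>-<suffix> tags."""
    names = []
    for key in sorted(tags):
        if key == prefix or key.startswith(prefix + "-"):
            # Assumption: values are comma-separated and whitespace is ignored.
            names += [n.strip() for n in str(tags[key]).split(",") if n.strip()]
    return list(dict.fromkeys(names))  # drop duplicates, keep order


def check_namespace(tags, monitoring_config_id):
    """Return (problems, event hub names selected by the tags)."""
    tags = tags or {}
    problems = []
    # Assumption: tag keys and values are compared exactly as written.
    if tags.get("managed-by") != "dynatrace":
        problems.append("managed-by must be 'dynatrace'")
    activated = tags.get("dt-log-ingest-activated")
    if not activated:
        problems.append("dt-log-ingest-activated is missing")
    elif activated != monitoring_config_id:
        # The tag holds a single ID, so a mismatch means the namespace
        # belongs to another connection or the ID was mistyped.
        problems.append("dt-log-ingest-activated names a different connection")
    hubs = {kind: override_names(tags, OVERRIDE_TAG[kind]) or [DEFAULT_HUB[kind]]
            for kind in DEFAULT_HUB}
    return problems, hubs


# Constructed sample, shaped like the output of
#   az eventhubs namespace show -g <resource-group> -n <namespace-name> --query tags -o json
SAMPLE_TAGS = json.loads("""{
  "managed-by": "dynatrace",
  "dt-log-ingest-activated": "cfg-EXAMPLE-0001",
  "dt-azure-logs-eh": "my-logs-eh-1, my-logs-eh-2",
  "dt-azure-events-eh-a": "my-events-eh"
}""")

if __name__ == "__main__":
    problems, hubs = check_namespace(SAMPLE_TAGS, "cfg-EXAMPLE-0001")
    print(problems or "tags OK", hubs)
```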

Namespace considerations

One Azure connection per namespace

Each Event Hubs namespace supports only one Azure connection. The dt-log-ingest-activated tag accepts a single monitoring configuration ID, so a namespace cannot be associated with more than one connection.

Share the namespace with other workloads

If the Event Hubs namespace or event hub are shared with workloads other than Dynatrace, ensure that sufficient throughput units are provisioned to serve all workloads at peak load. Monitor namespace throughput and throttling errors to detect capacity issues before they affect ingestion.

Event schema requirements when sharing

If you share an event hub with other workloads, those workloads must publish events in the schemas that Dynatrace expects:

  • Logs event hub (dt-logs-evh default): expects the Azure Monitor resource log schema, as produced by Azure Monitor Diagnostic Settings.
  • Events event hub (dt-events-evh default): expects CloudEvents v1.0 schema with Azure Event Grid.

Events that do not conform to the expected schema are dropped without being ingested. When this occurs, Dynatrace issues a System Event to alert you. You are responsible for ensuring that any additional workloads publishing to these event hubs use the correct schema. Publishing non-conforming events will also incur Azure costs without any corresponding ingestion benefit.
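
A workload that shares one of these event hubs can check its messages before publishing, so that non-conforming payloads are caught before they are sent and dropped. The following Python example is added here and is not Dynatrace code; the required-field lists are assumptions taken from the public Azure Monitor resource log and CloudEvents v1.0 specifications, because the exact validation Dynatrace applies is not stated on this page. The sample payloads are constructed.

```python
import json

# Assumption: required keys as listed in the public schema documentation.
RESOURCE_LOG_KEYS = ("time", "resourceId", "operationName", "category")
CLOUDEVENT_KEYS = ("id", "source", "specversion", "type")


def _load(body):
    try:
        return json.loads(body), None
    except (TypeError, ValueError):
        return None, ["body is not valid JSON"]


def _missing(obj, keys, label):
    if not isinstance(obj, dict):
        return [f"{label} is not a JSON object"]
    return [f"{label} lacks '{k}'" for k in keys
            if not isinstance(obj.get(k), str) or not obj[k]]


def check_logs_payload(body):
    """Azure Monitor resource logs arrive as {"records": [ {...}, ... ]}."""
    doc, err = _load(body)
    if err:
        return err
    records = doc.get("records") if isinstance(doc, dict) else None
    if not isinstance(records, list) or not records:
        return ["top-level 'records' array is missing or empty"]
    return [e for i, r in enumerate(records)
            for e in _missing(r, RESOURCE_LOG_KEYS, f"records[{i}]")]


def check_events_payload(body):
    """CloudEvents v1.0 JSON: a single event or a batch (JSON array)."""
    doc, err = _load(body)
    if err:
        return err
    errors = []
    for i, ev in enumerate(doc if isinstance(doc, list) else [doc]):
        errors += _missing(ev, CLOUDEVENT_KEYS, f"event[{i}]")
        if isinstance(ev, dict) and ev.get("specversion") not in (None, "", "1.0"):
            errors.append(f"event[{i}] specversion is not '1.0'")
    return errors


# Constructed samples: one conforming message per hub, one that would be dropped.
GOOD_LOG = '{"records":[{"time":"2024-01-01T00:00:00Z","resourceId":"/SUBSCRIPTIONS/EXAMPLE","operationName":"Example/op","category":"AuditEvent"}]}'
GOOD_EVENT = '{"specversion":"1.0","id":"1","source":"/example","type":"Example.Created"}'
BAD_EVENT = '{"eventType":"Example.Created","id":"1","subject":"x"}'
```

An empty list from either function means the payload passed these checks; each string otherwise names the record or event and the field to fix.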

Reserved consumer group

Dynatrace uses a dedicated dynatrace consumer group on each event hub for ingestion; we do not recommend using the $Default consumer group. If the dynatrace consumer group does not exist, Dynatrace falls back to the $Default consumer group and issues a system event to alert you.

If the consumer group is missing, create it on both dt-logs-evh and dt-events-evh:

  1. In the Azure portal, go to the Event Hubs namespace.
  2. Under Entities, select Event Hubs.
  3. Select the event hub (for example, dt-logs-evh).
  4. Select Consumer groups > Consumer group.
  5. Enter dynatrace as the name and select Create.
  6. Repeat steps 3–5 for dt-events-evh.

Alternatively, create both consumer groups with the Azure CLI:

az eventhubs eventhub consumer-group create \
  --resource-group <resource-group> \
  --namespace-name <namespace-name> \
  --eventhub-name dt-logs-evh \
  --name dynatrace

az eventhubs eventhub consumer-group create \
  --resource-group <resource-group> \
  --namespace-name <namespace-name> \
  --eventhub-name dt-events-evh \
  --name dynatrace

The dynatrace consumer group must not be used by other consumers. Using it outside of Dynatrace will cause ingestion failures.

Azure permissions

During the ARM deployment, role assignment is optional.

  • If you selected I have permissions to perform Azure Role Assignments, the Azure Event Hubs Data Receiver role is assigned automatically to the Dynatrace service principal at the resource group scope.

  • If you skipped this step, an administrator must assign the role manually for each deployed region.

Verify the role assignment

  1. In the Azure portal, navigate to the resource group rg-dt-<environment-id>-<location> for each deployed region.
  2. Select Access control (IAM).
  3. Select the Role assignments tab.
  4. Confirm that the Dynatrace service principal has the Azure Event Hubs Data Receiver role assigned at this scope.

Alternatively, list the role assignment with the Azure CLI:

az role assignment list \
  --assignee <principal-object-id> \
  --role "Azure Event Hubs Data Receiver" \
  --scope /subscriptions/<subscription-id>/resourceGroups/rg-dt-<environment-id>-<location>

A non-empty result confirms the role is assigned. An empty array ([]) means the role is missing and must be assigned manually.

Assign the role manually

Repeat the following steps for each region's resource group (rg-dt-<environment-id>-<location>):

  1. Go to the resource group in the Azure portal.
  2. Select Access control (IAM) > Add > Add role assignment.
  3. Search for and select Azure Event Hubs Data Receiver, then select Next.
  4. Under Members, select Select members and search for the Dynatrace service principal by name or by its Object (principal) ID.
  5. Select Review + assign.

Alternatively, assign the role with the Azure CLI:

az role assignment create \
  --role "Azure Event Hubs Data Receiver" \
  --assignee <principal-object-id> \
  --scope /subscriptions/<subscription-id>/resourceGroups/rg-dt-<environment-id>-<location>

The <principal-object-id> is the Object ID of the Dynatrace service principal. You can find it in the connection Overview (see Manage Azure connections). It is not the Application (client) ID.

Azure costs

This solution incurs charges across three Azure services:

  • Azure Event Hubs: Charges are based on the SKU tier (Basic versus Standard) and the number of active throughput units (TUs).

    Choose a configuration size that matches your expected log volume—undersizing risks dropped ingestion, and oversizing adds unnecessary cost.

    | Configuration size | SKU | Baseline TU | Max TU (auto-inflate) | Max throughput |
    | --- | --- | --- | --- | --- |
    | Dev/Test | Basic | 1 | — | 3.6 GB/hour |
    | Small | Standard | 1 | 4 | 14.4 GB/hour |
    | Medium | Standard | 1 | 16 | 57.6 GB/hour |
    | Large | Standard | 1 | 32 | 115.2 GB/hour |

    Standard SKU configurations use auto-inflate: TUs scale automatically under load up to the Max TU limit. Azure bills for the peak TU count reached each hour, so costs can exceed a baseline estimate during ingestion spikes. Select Custom in the ARM template to set your own TU ceiling and keep costs predictable.

    Use the Azure pricing calculator to estimate monthly costs before deploying. Select Event Hubs, choose the matching SKU, and enter the Max TU value for a worst-case estimate. If your log volume is unknown, start with Small and monitor namespace throughput metrics in Azure Monitor—you can redeploy with a larger size at any time.

  • Azure Monitor log export: Log export via Diagnostic Settings to Event Hubs is billed per GB of data exported. See Azure Monitor pricing for current rates.

  • Azure Event Grid: Resource lifecycle event forwarding is billed per million operations, with the first 100,000 operations per month at no cost. See Azure Event Grid pricing for current rates.

Next steps

With Azure regions onboarded, learn more about forwarding logs and events.

Log Management and Analytics

Azure logs

Forward activity logs and resource logs to Dynatrace via Azure Event Hubs.

Events

Azure events

Forward resource lifecycle events—including blob creation and deletion, resource group changes, and service health alerts—to Dynatrace via Azure Event Grid and Event Hubs.
