Azure logs

  • Latest Dynatrace
  • How-to guide
  • Published Apr 30, 2026

Enable activity log forwarding

Azure activity logs capture subscription-level management operations, including resource creation and deletion, policy evaluations, and Azure service health events. To forward activity logs to Dynatrace, configure diagnostic settings at the subscription scope to route them to the Event Hubs namespace deployed by the ARM template.

Activity logs are global, not region-specific; a single diagnostic setting per subscription is sufficient regardless of how many regions the ARM template has been deployed to.

  1. In the Azure Portal, go to Monitor > Activity log.
  2. Select Export Activity Logs > Subscription > + Add diagnostic setting.
  3. Enter a name for the diagnostic setting.
  4. Under Category details, select the log categories to forward (for example, Administrative, Security, Service Health, Policy).
  5. Under Destination details, select Stream to an event hub.
  6. Select the Subscription and any regional Event Hub namespace deployed by the ARM template. Activity logs are global, so any regional namespace works. For Event Hub name, select dt-logs-evh.
  7. Select Save.

Use Azure Policy to enable activity log forwarding at scale (Recommended)

Manually configuring a diagnostic setting per subscription is manageable for small environments, but Azure Policy allows you to automatically enforce activity log forwarding across all subscriptions in a management group.

Microsoft does not provide a built-in Azure Policy definition for streaming activity logs to Event Hubs. The community-authored policy Configure Azure Activity logs to stream to specified Event Hub v2 (policy ID b2215d7b-25ea-411f-8b04-8c30dc61bad9) from the Azure/Community-Policy repository covers this scenario. Review the policy definition before deploying it in your environment.

  1. Import the community policy definition into your Azure environment. Replace <management-group-id> with your management group ID:

    BASE_URL="https://raw.githubusercontent.com/Azure/Community-Policy/main/policyDefinitions/Monitoring/configure-azure-activity-logs-to-stream-to-specified-event-hub-v2"
    # -f makes curl exit non-zero on an HTTP error instead of saving the error page as the JSON file
    curl -fsSO "${BASE_URL}/azurepolicy.rules.json"
    curl -fsSO "${BASE_URL}/azurepolicy.parameters.json"
    az policy definition create \
      --name 'configure-activity-log-to-event-hub' \
      --display-name 'Configure Azure Activity logs to stream to specified Event Hub v2' \
      --rules @azurepolicy.rules.json \
      --params @azurepolicy.parameters.json \
      --management-group <management-group-id>

  2. Select the imported policy definition and select Assign.

  3. Scope the assignment to the desired Management Group.

  4. Under Parameters, uncheck Only show parameters that need input or review and set the following:

    • Event Hub Authorization Rule Id for the Event Hub namespace deployed by the ARM template
    • Event Hub name to dt-logs-evh
  5. Select Review + create, then Create.

Unlike resource log policies, activity log forwarding does not require a region-specific Event Hubs namespace; a single policy assignment per management group or subscription is sufficient.
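To verify the result of either approach, the following added example (not part of the Dynatrace documentation) checks, per subscription, which required activity log categories are not actually streamed to dt-logs-evh. The input shape, the subscription names, the placeholder rule ID and the required category set are assumptions; the field names follow the Azure diagnostic settings resource.

```python
# Added example. Sample data is constructed; names and IDs are placeholders.
REQUIRED = {"Administrative", "Security", "ServiceHealth", "Policy"}  # assumed baseline
TARGET_HUB = "dt-logs-evh"
RULE = ("/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.EventHub"
        "/namespaces/<namespace>/authorizationRules/<rule>")  # placeholder ID


def _logs(**enabled):
    return [{"category": c, "enabled": e} for c, e in enabled.items()]


SAMPLE = {
    "sub-prod": [{"name": "to-dynatrace", "eventHubName": TARGET_HUB,
                  "eventHubAuthorizationRuleId": RULE,
                  "logs": _logs(Administrative=True, Security=True,
                                ServiceHealth=True, Policy=True)}],
    # The Security category is present in the setting but switched off.
    "sub-dev": [{"name": "to-dynatrace", "eventHubName": TARGET_HUB,
                 "eventHubAuthorizationRuleId": RULE,
                 "logs": _logs(Administrative=True, Security=False,
                               ServiceHealth=True, Policy=True)}],
    # Logs are exported, but to a different hub, so nothing reaches the pipeline.
    "sub-sandbox": [{"name": "legacy", "eventHubName": "other-hub",
                     "eventHubAuthorizationRuleId": RULE,
                     "logs": _logs(Administrative=True, Security=True)}],
    "sub-new": [],  # no diagnostic setting at all
}


def missing_categories(settings, required=REQUIRED, hub=TARGET_HUB):
    """Required categories that no setting streams to the target event hub."""
    forwarded = set()
    for s in settings:
        if s.get("eventHubName") != hub or not s.get("eventHubAuthorizationRuleId"):
            continue  # not a destination that feeds the ingest pipeline
        forwarded |= {l["category"] for l in s.get("logs", []) if l.get("enabled")}
    return sorted(set(required) - forwarded)


def audit(by_subscription):
    """Map each subscription with a gap to its missing categories."""
    gaps = {}
    for sub, settings in by_subscription.items():
        missing = missing_categories(settings)
        if missing:
            gaps[sub] = missing
    return gaps


if __name__ == "__main__":
    for sub, missing in audit(SAMPLE).items():
        print(f"{sub}: not forwarded -> {', '.join(missing)}")
```
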

Enable Azure resource log forwarding

Azure resource logs capture control-plane and data-plane operations for individual Azure resources (for example, Azure Key Vault access logs, Azure SQL query logs, Azure Storage operations). To forward these logs to Dynatrace, configure Azure diagnostic settings to route logs to the Event Hubs namespace deployed by the ARM template.

Configure diagnostic settings

An Azure diagnostic setting must be configured for each resource or resource type from which you want to forward logs.

  1. In the Azure Portal, go to the resource from which you want to forward logs.
  2. Select Monitoring > Diagnostic settings from the left menu.
  3. Select Add diagnostic setting.
  4. Enter a name for the diagnostic setting.
  5. Under Destination details, select Stream to an event hub.
  6. Select the Subscription and Event Hub namespace deployed by the ARM template in the same region as the resource. For Event Hub, select dt-logs-evh.
  7. Under Logs, select the log categories you want to forward.
  8. Select Save.

Repeat this for each resource or resource type you want to monitor.

Use Azure Policy to configure diagnostic settings at scale (Recommended)

Manually configuring diagnostic settings for each resource is impractical at scale. Azure Policy allows you to automatically enforce diagnostic settings across all resources of a given type in a subscription or management group.

  1. In the Azure Portal, go to Policy > Definitions and search for built-in policies with the pattern Configure diagnostic settings for <service> to Event Hub.

  2. Select the appropriate policy for your resource type (for example, Configure diagnostic settings for Azure Key Vault to Event Hub).

  3. Select Assign.

  4. Scope the assignment to the desired Subscription or Management Group.

  5. Under Parameters, uncheck Only show parameters that need input or review and set the following inputs:

    • Azure resource Location
    • Event Hub Authorization Rule Id for the Event Hub namespace in the same location selected above
    • Event Hub name to dt-logs-evh
  6. Select Create a remediation task to apply the policy to existing resources immediately.

  7. Select Review + create, and then Create.

  • Use an Azure Policy Initiative (policy set) to group multiple per-service diagnostic setting policies and assign them together across your environment.
  • Policy assignments apply to new resources automatically. For existing resources, create a remediation task to apply the setting retroactively.
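Because resource logs must go to the Event Hubs namespace in the same region as the resource, a coverage check has to compare regions as well as destinations. The following added example (not part of the Dynatrace documentation) classifies each resource in a constructed inventory; the namespace names, the namespace-to-region map, the resource IDs and the inventory shape are assumptions.

```python
import re

HUB = "dt-logs-evh"
# Extracts the namespace name from an Event Hubs authorization rule resource ID.
NS_RE = re.compile(
    r"/providers/Microsoft\.EventHub/namespaces/([^/]+)/authorizationRules/", re.I)

# Constructed: namespaces deployed by the ARM template and their regions.
NAMESPACE_REGION = {"dt-ns-weu": "westeurope", "dt-ns-eus": "eastus"}


def _rule(ns):  # builds a placeholder authorization rule ID for the sample
    return ("/subscriptions/<sub-id>/resourceGroups/<rg>/providers/"
            f"Microsoft.EventHub/namespaces/{ns}/authorizationRules/<rule>")


def _setting(ns, hub=HUB):
    return {"eventHubName": hub, "eventHubAuthorizationRuleId": _rule(ns)}


# Constructed inventory: each resource with its location and diagnostic settings.
RESOURCES = [
    {"id": "kv-a", "location": "westeurope", "settings": [_setting("dt-ns-weu")]},
    {"id": "kv-b", "location": "eastus", "settings": [_setting("dt-ns-weu")]},
    {"id": "sql-c", "location": "eastus", "settings": []},
    {"id": "st-d", "location": "West Europe", "settings": [_setting("team-ns")]},
]


def classify(resource, ns_region=NAMESPACE_REGION, hub=HUB):
    """Return ok, missing, wrong-region or unknown-namespace for one resource."""
    want = resource["location"].replace(" ", "").lower()
    status = "missing"
    for s in resource.get("settings", []):
        if s.get("eventHubName") != hub:
            continue  # setting streams somewhere else
        m = NS_RE.search(s.get("eventHubAuthorizationRuleId") or "")
        region = ns_region.get(m.group(1).lower()) if m else None
        if region == want:
            return "ok"
        status = "wrong-region" if region else "unknown-namespace"
    return status


def audit(resources):
    """Map each resource that is not 'ok' to its finding."""
    findings = {r["id"]: classify(r) for r in resources}
    return {rid: st for rid, st in findings.items() if st != "ok"}
```
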

Query Azure logs in Notebooks

You can query Azure logs ingested via Dynatrace using Notebooks and DQL.

Use the dt.da.source attribute to filter for logs ingested through the Azure logs ingest pipeline.

    fetch logs
    | filter dt.da.source == "azure-log-ingest"
    | sort timestamp desc