This page explains how to forward Azure logs to Dynatrace via Event Hubs. It covers the following log sources:
For each source, you'll find step-by-step instructions for configuring diagnostic settings or continuous export, plus recommended Azure Policy approaches for enforcing log forwarding at scale across subscriptions and management groups.
Azure activity logs capture subscription-level management operations, including resource creation and deletion, policy evaluations, and Azure service health events.
To forward activity logs to Dynatrace, configure Diagnostics settings at the subscription scope to route them to the Event Hubs namespace deployed by the ARM template.
Activity logs are global, not region-specific, so a single diagnostic setting per subscription is sufficient regardless of how many regions the ARM template has been deployed to.
For Event Hub name, select dt-logs-evh.
Manually configuring a diagnostic setting per subscription is manageable for small environments, but Azure Policy allows you to automatically enforce activity log forwarding across all subscriptions in a management group.
Microsoft does not provide a built-in Azure Policy definition for streaming activity logs to an Event Hub. The community-authored policy Configure Azure Activity logs to stream to specified Event Hub v2 (policy ID b2215d7b-25ea-411f-8b04-8c30dc61bad9) from the Azure/Community-Policy repository covers this scenario. Review the policy definition before deploying it in your environment.
Import the community policy definition into your Azure environment. Replace <management-group-id> with your management group ID:
```bash
BASE_URL="https://raw.githubusercontent.com/Azure/Community-Policy/main/policyDefinitions/Monitoring/configure-azure-activity-logs-to-stream-to-specified-event-hub-v2"
curl -sO "${BASE_URL}/azurepolicy.rules.json"
curl -sO "${BASE_URL}/azurepolicy.parameters.json"
az policy definition create \
  --name 'configure-activity-log-to-event-hub' \
  --display-name 'Configure Azure Activity logs to stream to specified Event Hub v2' \
  --rules @azurepolicy.rules.json \
  --params @azurepolicy.parameters.json \
  --management-group <management-group-id>
```
Select the imported policy definition and select Assign.
Scope the assignment to the desired Management Group.
Under Parameters, uncheck Only show parameters that need input or review and set the following:
Event Hub name: dt-logs-evh
Select Review + create, then Create.
Unlike resource log policies, activity log forwarding does not require a region-specific Event Hubs namespace; a single policy assignment per management group or subscription is sufficient.
Microsoft Entra ID audit logs capture tenant-wide identity events including user sign-ins, group membership changes, app registrations, role assignments, and MFA activity. To forward these logs to Dynatrace, configure diagnostic settings in the Microsoft Entra ID portal to route them to the Event Hubs namespace deployed by the ARM template.
Entra ID diagnostic settings are tenant-scoped, not subscription-scoped. A single diagnostic setting forwards logs for all users and applications in the tenant regardless of how many Azure subscriptions or regions the ARM template has been deployed to.
In the Azure portal, navigate to Microsoft Entra ID > Diagnostic settings.
Select + Add diagnostic setting.
Enter a name for the diagnostic setting.
Under Category details, select the log categories to forward (for example, AuditLogs, SignInLogs, NonInteractiveUserSignInLogs, ServicePrincipalSignInLogs, ManagedIdentitySignInLogs, ProvisioningLogs).
Under Destination details, select Stream to an event hub.
Select the Subscription and any regional Event Hub namespace deployed by the ARM template. Entra ID logs are tenant-scoped, so any regional namespace works. For Event Hub name, select dt-logs-evh.
Select Save.
Microsoft Defender for Cloud generates security alerts and recommendations for your Azure resources. To forward these to Dynatrace, configure Continuous export in Defender for Cloud to stream data to the Event Hubs namespace deployed by the ARM template.
Continuous export is configured per subscription. A separate configuration is required for each subscription from which you want to forward Defender for Cloud data.
In the Azure portal, go to Microsoft Defender for Cloud > Environment settings.
Select the subscription you want to configure.
Select Continuous export from the left menu.
Select the Event Hub tab.
Set Export enabled to On.
Under Exported data types, select the data types to forward (for example, Security alerts, Recommendations, Secure score, Regulatory compliance).
Under Export target, select the Subscription and any regional Event Hub namespace deployed by the ARM template. Defender for Cloud data is not region-specific, so any regional namespace works. For Event Hub name, select dt-logs-evh.
Select Save.
Azure Policy allows you to automatically enforce Defender for Cloud continuous export configuration across all subscriptions in a management group using the built-in policy Deploy export to Event Hub for Microsoft Defender for Cloud data.
In the Azure portal, go to Policy > Definitions and search for Deploy export to Event Hub for Microsoft Defender for Cloud data.
Select the policy and select Assign.
Scope the assignment to the desired Management Group.
Under Parameters, uncheck Only show parameters that need input or review and set the following inputs:
Event Hub name: dt-logs-evh (the Event Hub deployed by the ARM template)
Enable the Create a remediation task option to apply the policy to existing subscriptions immediately.
Select Review + create, and then Create.
Azure resource logs capture control-plane and data-plane operations for individual Azure resources (for example, Azure Key Vault access logs, Azure SQL query logs, Azure Storage operations). To forward these logs to Dynatrace, configure Azure diagnostic settings to route logs to the Event Hubs namespace deployed by the ARM template.
An Azure diagnostic setting must be configured for each resource or resource type from which you want to forward logs.
For Event Hub name, select dt-logs-evh.
Repeat this for each resource or resource type you want to monitor.
Manually configuring diagnostic settings for each resource is impractical at scale. Azure Policy allows you to automatically enforce diagnostic settings across all resources of a given type in a subscription or management group.
Microsoft provides built-in policies following the pattern Enable logging by category group for <service> to Event Hub for many resource types. These policies expose an Event Hub name parameter and allow you to select which log categories to forward.
In the Azure portal, go to Policy > Definitions and search for Enable logging by category group for followed by your resource type (for example, Enable logging by category group for microsoft.timeseriesinsights/environments/eventsources to Event Hub).
Select the policy definition and select Assign.
Scope the assignment to the desired Subscription or Management Group.
Under Parameters, uncheck Only show parameters that need input or review and set the following:
Diagnostic setting name: keep the default setByPolicy-EventHub or enter a custom name.
Category group: the log categories to forward (audit for audit logs, or allLogs for all log categories).
Event Hub name: dt-logs-evh (the default is Monitoring; this must be changed).
Select Create a remediation task to apply the policy to existing resources immediately.
Select Review + create, and then Create.
Azure provides built-in policy initiatives that group together Enable logging by category group policies for all supported resource types. Assigning a single initiative automatically enforces diagnostic settings across all covered resource types in the selected scope, without needing to assign individual policies per resource type.
In the Azure portal, go to Policy > Definitions and change the Type filter to Initiative.
Search for Enable Audit Category Group Resource Logging for Supported Resources to an Event Hub (or the equivalent allLogs variant for all log categories).
Select the initiative and select Assign.
Scope the assignment to the desired Subscription or Management Group.
Under Parameters, uncheck Only show parameters that need input or review and set the following:
Diagnostic setting name: keep the default setByPolicy-EventHub or enter a custom name.
Event Hub name: dt-logs-evh (the default is Monitoring; this must be changed).
Resource types: leave All selected. Optionally narrow this to specific resource types if you only want to enforce logging for a subset of supported services.
On the Remediation tab, enable Create a remediation task. Initiatives require a separate remediation task per member policy to apply the setting to existing resources; select each policy in the list and create a task for it.
Select Review + create, and then Create.
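Once a policy or initiative has been assigned, the resulting diagnostic settings on each resource are worth verifying, in particular that the Event Hub name is dt-logs-evh rather than the policy default Monitoring. The following checker is an added example, not Dynatrace tooling: it classifies the Microsoft.Insights/diagnosticSettings objects of one resource (either the ARM shape with a nested properties object or the flattened shape the az CLI prints) and reports which settings actually stream logs to dt-logs-evh. The three sample settings and the resource ID placeholders are constructed for the example.

```python
EXPECTED_EVENT_HUB = "dt-logs-evh"               # hub created by the Dynatrace ARM template
ACCEPTED_CATEGORY_GROUPS = {"audit", "allLogs"}  # category groups the built-in policies offer

def evaluate_setting(setting: dict) -> dict:
    """Classify one Microsoft.Insights/diagnosticSettings object (ARM shape with
    'properties', or the flattened shape az prints). Status: ok, wrong-hub,
    no-logs or not-event-hub, plus a human-readable reason."""
    props = setting.get("properties", setting)
    name = setting.get("name", "<unnamed>")
    hub = props.get("eventHubName")
    if not props.get("eventHubAuthorizationRuleId"):
        return {"name": name, "status": "not-event-hub",
                "reason": "destination is not an Event Hub (no eventHubAuthorizationRuleId)"}
    if hub != EXPECTED_EVENT_HUB:
        hint = " (policy default left unchanged)" if hub == "Monitoring" else ""
        return {"name": name, "status": "wrong-hub",
                "reason": f"routes to event hub {hub!r}, expected {EXPECTED_EVENT_HUB!r}{hint}"}
    enabled = [e for e in props.get("logs", []) if e.get("enabled")]
    if not enabled:
        return {"name": name, "status": "no-logs", "reason": "no log categories enabled"}
    groups = sorted({e["categoryGroup"] for e in enabled if e.get("categoryGroup")} & ACCEPTED_CATEGORY_GROUPS)
    categories = sorted(e["category"] for e in enabled if e.get("category"))
    return {"name": name, "status": "ok",
            "reason": f"forwards categoryGroups={groups} categories={categories}"}

def resource_is_compliant(settings: list) -> bool:
    """True when at least one setting on the resource streams logs to dt-logs-evh."""
    return any(evaluate_setting(s)["status"] == "ok" for s in settings)

# Constructed sample: three settings on one resource, flattened as az prints them.
# The <sub> and "..." placeholders stand in for real resource IDs.
RULE_ID = "/subscriptions/<sub>/.../authorizationRules/RootManageSharedAccessKey"
SAMPLE_SETTINGS = [
    {"name": "setByPolicy-EventHub", "eventHubName": "Monitoring",  # default not changed
     "eventHubAuthorizationRuleId": RULE_ID,
     "logs": [{"categoryGroup": "allLogs", "enabled": True}]},
    {"name": "to-workspace", "workspaceId": "/subscriptions/<sub>/.../workspaces/law",
     "logs": [{"category": "AuditEvent", "enabled": True}]},
    {"name": "dt-logs", "eventHubName": "dt-logs-evh", "eventHubAuthorizationRuleId": RULE_ID,
     "logs": [{"categoryGroup": "audit", "enabled": True},
              {"category": "AuditEvent", "enabled": False}]},
]

if __name__ == "__main__":
    for result in map(evaluate_setting, SAMPLE_SETTINGS):
        print(f"{result['status']:<14} {result['name']}: {result['reason']}")
    print("compliant:", resource_is_compliant(SAMPLE_SETTINGS))
```

To run it against a real resource, replace SAMPLE_SETTINGS with the parsed output of az monitor diagnostic-settings list --resource <resource-id> (older CLI versions wrap the list in a value key).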
If a resource type is not covered by the built-in initiative or an individual Enable logging by category group policy, community-authored policies from the Azure/Community-Policy repository (under policyDefinitions/Monitoring/) provide a fallback. These policies forward all available log categories, expose an Event Hub name parameter for direct routing to dt-logs-evh, and must be imported before assignment.
Review any community policy definition before deploying it in your environment.
Import the policy first. Replace <policy-folder>, <policy-name>, and <management-group-id> with your values:
```bash
BASE_URL="https://raw.githubusercontent.com/Azure/Community-Policy/main/policyDefinitions/Monitoring/<policy-folder>"
curl -sO "${BASE_URL}/azurepolicy.rules.json"
curl -sO "${BASE_URL}/azurepolicy.parameters.json"
az policy definition create \
  --name '<policy-name>' \
  --display-name '<policy-display-name>' \
  --rules @azurepolicy.rules.json \
  --params @azurepolicy.parameters.json \
  --management-group <management-group-id>
```
Then assign the policy:
Select the imported policy definition and select Assign.
Scope the assignment to the desired Subscription or Management Group.
Under Parameters, uncheck Only show parameters that need input or review and set the following:
Event Hub name: dt-logs-evh
Select Create a remediation task to apply the policy to existing resources immediately.
Select Review + create, and then Create.
Built-in Deploy Diagnostic Settings for <service> to Event Hub policies are an alternative for some resource types, but they do not expose an event hub name parameter—Azure auto-names the destination event hub. To use them with Dynatrace, add the dt-azure-logs-eh tag to the Event Hubs namespace with the auto-named event hub name as its value. See Azure logs and events for tag configuration details.
If no built-in or community policy exists for your resource type, you can author your own deployIfNotExists policy to enforce diagnostic settings at scale, and group multiple per-service policies into an Initiative (policy set) so they can be assigned together across your environment.
You can query Azure logs ingested via Dynatrace using Notebooks and DQL.
Use the dt.da.source attribute to filter for logs ingested through the Azure logs ingest pipeline.
```
fetch logs
| filter dt.da.source == "azure-log-ingest"
| sort timestamp desc
```