Forward Azure logs

  • Latest Dynatrace
  • How-to guide

This page explains how to forward Azure logs to Dynatrace via Event Hubs. It covers the following log sources:

  • Activity logs (subscription-level management operations)
  • Microsoft Entra ID audit logs (tenant-wide identity events)
  • Microsoft Defender for Cloud alerts
  • Azure resource logs (per-resource control-plane and data-plane operations)

For each source, you'll find step-by-step instructions for configuring diagnostic settings or continuous export, plus recommended Azure Policy approaches for enforcing log forwarding at scale across subscriptions and management groups.

Enable activity log forwarding

Azure activity logs capture subscription-level management operations, including resource creation and deletion, policy evaluations, and Azure service health events.

To forward activity logs to Dynatrace, configure Diagnostics settings at the subscription scope to route them to the Event Hubs namespace deployed by the ARM template.

Activity logs are global, not region-specific: a single diagnostic setting per subscription is sufficient regardless of how many regions the ARM template has been deployed to.

  1. In the Azure portal, go to Monitor > Activity log.
  2. Select Export Activity Logs > Subscription > + Add diagnostic setting.
  3. Enter a name for the diagnostic setting.
  4. Under Category details, select the log categories to forward (for example, Administrative, Security, Service Health, Policy).
  5. Under Destination details, select Stream to an event hub.
  6. Select the Subscription and any regional Event Hub namespace deployed by the ARM template. Activity logs are global, so any regional namespace works. For Event Hub name, select dt-logs-evh.
  7. Select Save.

Use Azure Policy to enable activity log forwarding at scale (Recommended)

Manually configuring a diagnostic setting per subscription is manageable for small environments, but Azure Policy allows you to automatically enforce activity log forwarding across all subscriptions in a management group.

Microsoft does not provide a built-in Azure Policy definition for streaming activity logs to an Event Hub. The community-authored policy Configure Azure Activity logs to stream to specified Event Hub v2 (policy ID b2215d7b-25ea-411f-8b04-8c30dc61bad9) from the Azure/Community-Policy repository covers this scenario. Review the policy definition before deploying it in your environment.

  1. Import the community policy definition into your Azure environment. Replace <management-group-id> with your management group ID:

    BASE_URL="https://raw.githubusercontent.com/Azure/Community-Policy/main/policyDefinitions/Monitoring/configure-azure-activity-logs-to-stream-to-specified-event-hub-v2"
    curl -sO "${BASE_URL}/azurepolicy.rules.json"
    curl -sO "${BASE_URL}/azurepolicy.parameters.json"
    az policy definition create \
      --name 'configure-activity-log-to-event-hub' \
      --display-name 'Configure Azure Activity logs to stream to specified Event Hub v2' \
      --rules @azurepolicy.rules.json \
      --params @azurepolicy.parameters.json \
      --management-group <management-group-id>

  2. Select the imported policy definition and select Assign.

  3. Scope the assignment to the desired Management Group.

  4. Under Parameters, uncheck Only show parameters that need input or review and set the following:

    • Event Hub Authorization Rule Id for the Event Hub namespace deployed by the ARM template
    • Event Hub name to dt-logs-evh
  5. Select Review + create, then Create.

Unlike resource log policies, activity log forwarding does not require a region-specific Event Hubs namespace; a single policy assignment per management group or subscription is sufficient.

Enable Microsoft Entra ID audit log forwarding

Microsoft Entra ID audit logs capture tenant-wide identity events including user sign-ins, group membership changes, app registrations, role assignments, and MFA activity. To forward these logs to Dynatrace, configure diagnostic settings in the Microsoft Entra ID portal to route them to the Event Hubs namespace deployed by the ARM template.

Entra ID diagnostic settings are tenant-scoped, not subscription-scoped. A single diagnostic setting forwards logs for all users and applications in the tenant regardless of how many Azure subscriptions or regions the ARM template has been deployed to.

  1. In the Azure portal, navigate to Microsoft Entra ID > Diagnostic settings.

  2. Select + Add diagnostic setting.

  3. Enter a name for the diagnostic setting.

  4. Under Category details, select the log categories to forward (for example, AuditLogs, SignInLogs, NonInteractiveUserSignInLogs, ServicePrincipalSignInLogs, ManagedIdentitySignInLogs, ProvisioningLogs).

  5. Under Destination details, select Stream to an event hub.

  6. Select the Subscription and any regional Event Hub namespace deployed by the ARM template. Entra ID logs are tenant-scoped, so any regional namespace works. For Event Hub name, select dt-logs-evh.

  7. Select Save.

Enable Microsoft Defender for Cloud alert forwarding

Microsoft Defender for Cloud generates security alerts and recommendations for your Azure resources. To forward these to Dynatrace, configure Continuous export in Defender for Cloud to stream data to the Event Hubs namespace deployed by the ARM template.

Continuous export is configured per subscription. A separate configuration is required for each subscription from which you want to forward Defender for Cloud data.

  1. In the Azure portal, go to Microsoft Defender for Cloud > Environment settings.

  2. Select the subscription you want to configure.

  3. Select Continuous export from the left menu.

  4. Select the Event Hub tab.

  5. Set Export enabled to On.

  6. Under Exported data types, select the data types to forward (for example, Security alerts, Recommendations, Secure score, Regulatory compliance).

  7. Under Export target, select the Subscription and any regional Event Hub namespace deployed by the ARM template. Defender for Cloud data is not region-specific, so any regional namespace works. For Event Hub name, select dt-logs-evh.

  8. Select Save.

Use Azure Policy to enable continuous export at scale (Recommended)

Azure Policy allows you to automatically enforce Defender for Cloud continuous export configuration across all subscriptions in a management group using the built-in policy Deploy export to Event Hub for Microsoft Defender for Cloud data.

  1. In the Azure portal, go to Policy > Definitions and search for Deploy export to Event Hub for Microsoft Defender for Cloud data.

  2. Select the policy and select Assign.

  3. Scope the assignment to the desired Management Group.

  4. Under Parameters, uncheck Only show parameters that need input or review and set the following inputs:

    • Event Hub resource ID for the dt-logs-evh Event Hub deployed by the ARM template
    • Exported data types (Security alerts, Recommendations, Secure score, Regulatory compliance)
  5. Enable the Create a remediation task option to apply the policy to existing subscriptions immediately.

  6. Select Review + create, and then Create.

Enable Azure resource log forwarding

Azure resource logs capture control-plane and data-plane operations for individual Azure resources (for example, Azure Key Vault access logs, Azure SQL query logs, Azure Storage operations). To forward these logs to Dynatrace, configure Azure diagnostic settings to route logs to the Event Hubs namespace deployed by the ARM template.

Configure diagnostic settings

An Azure diagnostic setting must be configured for each resource or resource type from which you want to forward logs.

  1. In the Azure portal, go to the resource from which you want to forward logs.
  2. Select Monitoring > Diagnostics settings from the left menu.
  3. Select Add diagnostic setting.
  4. Enter a name for the diagnostic setting.
  5. Under Destination details, select Stream to an event hub.
  6. Select the Subscription and Event Hub namespace deployed by the ARM template in the same region as the resource. For Event Hub, select dt-logs-evh.
  7. Under Logs, select the log categories you want to forward.
  8. Select Save.

Repeat this for each resource or resource type you want to monitor.

Use Azure Policy to configure diagnostic settings at scale (Recommended)

Manually configuring diagnostic settings for each resource is impractical at scale. Azure Policy allows you to automatically enforce diagnostic settings across all resources of a given type in a subscription or management group.

Use built-in policies for granular log category control

Microsoft provides built-in policies following the pattern Enable logging by category group for <service> to Event Hub for many resource types. These policies expose an Event Hub name parameter and allow you to select which log categories to forward.

  1. In the Azure portal, go to Policy > Definitions and search for Enable logging by category group for followed by your resource type (for example, Enable logging by category group for microsoft.timeseriesinsights/environments/eventsources to Event Hub).

  2. Select the policy definition and select Assign.

  3. Scope the assignment to the desired Subscription or Management Group.

  4. Under Parameters, uncheck Only show parameters that need input or review and set the following:

    • Diagnostic Setting Name: Leave as the default setByPolicy-EventHub or enter a custom name.
    • Category Group: Select the log category group to forward (for example, audit for audit logs, or allLogs for all log categories).
    • Resource Location: Select the region matching the target resources and the Event Hubs namespace.
    • Event Hub Authorization Rule Id: The authorization rule ID for the Event Hubs namespace deployed by the ARM template in the same region as the target resources.
    • Event Hub Name: dt-logs-evh (the default is Monitoring—this must be changed).
  5. Select Create a remediation task to apply the policy to existing resources immediately.

  6. Select Review + create, and then Create.

Use a built-in policy initiative to cover all supported resource types

Azure provides built-in policy initiatives that group together Enable logging by category group policies for all supported resource types. Assigning a single initiative automatically enforces diagnostic settings across all covered resource types in the selected scope, without needing to assign individual policies per resource type.

  1. In the Azure portal, go to Policy > Definitions and change the Type filter to Initiative.

  2. Search for Enable Audit Category Group Resource Logging for Supported Resources to an Event Hub (or the equivalent allLogs variant for all log categories).

  3. Select the initiative and select Assign.

  4. Scope the assignment to the desired Subscription or Management Group.

  5. Under Parameters, uncheck Only show parameters that need input or review and set the following:

    • Diagnostic Setting Name: Leave as the default setByPolicy-EventHub or enter a custom name.
    • Resource Location: Select the region matching the target resources and the Event Hubs namespace.
    • Event Hub Authorization Rule Id: The authorization rule ID for the Event Hubs namespace deployed by the ARM template in the same region as the target resources.
    • Event Hub Name: dt-logs-evh (the default is Monitoring—this must be changed).
    • Resource Types: Defaults to All selected. Optionally narrow this to specific resource types if you only want to enforce logging for a subset of supported services.
  6. On the Remediation tab, enable Create a remediation task. Initiatives require a separate remediation task per member policy to apply the setting to existing resources—select each policy in the list and create a task for it.

  7. Select Review + create, and then Create.

Use community-authored policies for unsupported resource types

If a resource type is not covered by the built-in initiative or an individual Enable logging by category group policy, community-authored policies from the Azure/Community-Policy repository (under policyDefinitions/Monitoring/) provide a fallback. These policies forward all available log categories, expose an Event Hub name parameter for direct routing to dt-logs-evh, and must be imported before assignment.

Review any community policy definition before deploying it in your environment.

Import the policy first. Replace <policy-folder>, <policy-name>, and <management-group-id> with your values:

    BASE_URL="https://raw.githubusercontent.com/Azure/Community-Policy/main/policyDefinitions/Monitoring/<policy-folder>"
    curl -sO "${BASE_URL}/azurepolicy.rules.json"
    curl -sO "${BASE_URL}/azurepolicy.parameters.json"
    az policy definition create \
      --name '<policy-name>' \
      --display-name '<policy-display-name>' \
      --rules @azurepolicy.rules.json \
      --params @azurepolicy.parameters.json \
      --management-group <management-group-id>

Then assign the policy:

  1. Select the imported policy definition and select Assign.

  2. Scope the assignment to the desired Subscription or Management Group.

  3. Under Parameters, uncheck Only show parameters that need input or review and set the following:

    • Event Hub Authorization Rule Id: The authorization rule ID for the Event Hubs namespace deployed by the ARM template in the same region as the target resources.
    • Event Hub Name: dt-logs-evh
    • Event Hub Location: The region matching the target resources and the Event Hubs namespace above.
  4. Select Create a remediation task to apply the policy to existing resources immediately.

  5. Select Review + create, and then Create.

Built-in Deploy Diagnostic Settings for <service> to Event Hub policies are an alternative for some resource types, but they do not expose an event hub name parameter—Azure auto-names the destination event hub. To use them with Dynatrace, add the dt-azure-logs-eh tag to the Event Hubs namespace with the auto-named event hub name as its value. See Azure logs and events for tag configuration details.

Author your own policy

If no built-in or community policy exists for your resource type, you can author your own deployIfNotExists policy to enforce diagnostic settings at scale.

  • Resource log policies are region-specific. Create one assignment per region where your resources are deployed, selecting the matching Event Hub namespace each time.
  • Use an Azure Policy Initiative (policy set) to group multiple per-service policies and assign them together across your environment.
  • Policy assignments apply to new resources automatically. For existing resources, create a remediation task to apply the setting retroactively.
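As an added example (not from the Dynatrace page or its ARM template), the script below carries out the per-region pattern described above for one resource-log policy: one assignment per region, each pointing at that region's Event Hubs namespace and at dt-logs-evh, followed by a remediation task for existing resources. It assumes the namespace naming convention dt-logs-<region>, the namespace's default RootManageSharedAccessKey rule, and the policy parameter names eventHubAuthorizationRuleId, eventHubName, resourceLocation and categoryGroup; verify all three against your deployment and the definition you assign, and note that it only prints the az commands unless APPLY=1 is set.

```bash
#!/usr/bin/env bash
# Assign a resource-log policy once per region, each assignment pointing at that
# region's Event Hubs namespace, then create a remediation task per assignment.
# Assumptions (not from the page): namespaces are named dt-logs-<region>, the
# default RootManageSharedAccessKey rule is used, and the policy exposes the
# parameters eventHubAuthorizationRuleId, eventHubName, resourceLocation and
# categoryGroup. Placeholders in angle brackets must be replaced.
set -euo pipefail

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-<subscription-id>}"
EVENTHUB_RG="${EVENTHUB_RG:-<eventhub-resource-group>}"
POLICY_DEFINITION="${POLICY_DEFINITION:-<policy-definition-name-or-id>}"
REGIONS="${REGIONS:-eastus westeurope}"
APPLY="${APPLY:-0}"   # 0 = print the az commands only; 1 = execute them
SCOPE="/subscriptions/${SUBSCRIPTION_ID}"

# Resource ID of the authorization rule on the namespace for one region.
auth_rule_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.EventHub/namespaces/dt-logs-%s/authorizationRules/RootManageSharedAccessKey' \
    "$SUBSCRIPTION_ID" "$EVENTHUB_RG" "$1"
}

# Policy parameters for one region; every assignment routes to dt-logs-evh
# (the ARM template's event hub), never to the policy's default hub name.
assignment_params() {
  printf '{"eventHubAuthorizationRuleId":{"value":"%s"},"eventHubName":{"value":"dt-logs-evh"},"resourceLocation":{"value":"%s"},"categoryGroup":{"value":"allLogs"}}' \
    "$(auth_rule_id "$1")" "$1"
}

run() { if [ "$APPLY" = "1" ]; then "$@"; else printf 'DRY RUN: %s\n' "$*"; fi; }

for region in $REGIONS; do
  name="dt-resource-logs-${region}"
  # deployIfNotExists needs a managed identity whose role covers the
  # roleDefinitionIds declared in the policy definition (check the definition;
  # add further roles with "az role assignment create" if it lists several).
  run az policy assignment create --name "$name" --scope "$SCOPE" \
    --policy "$POLICY_DEFINITION" --location "$region" \
    --mi-system-assigned --identity-scope "$SCOPE" --role "Monitoring Contributor" \
    --params "$(assignment_params "$region")"
  # Assignments only act on new resources; remediation applies the setting to
  # resources that already exist in this region.
  run az policy remediation create --name "${name}-remediation" \
    --policy-assignment "$name" --location-filters "$region" \
    --resource-discovery-mode ReEvaluateCompliance
done
```

For management-group scope, set SCOPE to the management group resource ID and pass --management-group to az policy remediation create instead of relying on the default subscription.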

Query Azure logs in Notebooks

You can query Azure logs ingested via Dynatrace using Notebooks and DQL.

Use the dt.da.source attribute to filter for logs ingested through the Azure logs ingest pipeline.

fetch logs
| filter dt.da.source == "azure-log-ingest"
| sort timestamp desc