Starting with version 4.10.0, AxoSyslog can send data to Azure Monitor using its HTTP REST Logs ingestion API. Data sent to Azure Monitor’s Log Analytics is also available from Microsoft Sentinel.
Version 4.10 introduced the azure-monitor-builtin() and azure-monitor-custom() destinations. These were deprecated and unified as azure-monitor() in version 4.11. Also, the table-name() option of the driver has been renamed to stream-name().
Prerequisites
- An Azure subscription.
- A Microsoft Entra application. You’ll need the Tenant ID, App ID, and App Secret of the application to configure the AxoSyslog destination.
- A Data Collection Endpoint (DCE)
- A Data Collection Rule (DCR)
- A Log Analytics Workspace in Azure.
For details, see the Tutorial: Send data to Azure Monitor Logs with Logs ingestion API.
Configuration
The azure-monitor() driver sends data to the built-in tables of Azure Monitor. The body of the message (${MESSAGE}) must be in JSON format. The keys in the JSON array must have the same names as the columns of the table (you can use format-json or FilterX). If a field is empty, or Azure cannot parse it, it will be blank. The following example sends data to the syslog table.
destination d_azure {
    azure-monitor(
        stream-name("syslog")
        dcr-id("my-dcr-id")
        dce-uri("https://dce-uri.ingest.monitor.azure.com")
        template("$MESSAGE")
        auth(tenant-id("my-tenant-id") app-id("my-app-id") app-secret("my-app-secret"))
    );
};
This driver is actually a reusable configuration snippet that sends log messages through the http() driver using a template. You can find the source of this configuration snippet on GitHub.
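The following is an added example, not taken from the AxoSyslog documentation. It builds the JSON body with format-json instead of passing ${MESSAGE} through unchanged, so that every key is a column name. The column names (assumed to be those of the Log Analytics Syslog table), the source and destination names, and all IDs are assumptions or placeholders.

```conf
@version: 4.11
@include "scl.conf"

# Local log sources (names are illustrative).
source s_local {
    system();
    internal();
};

destination d_azure_syslog {
    azure-monitor(
        stream-name("syslog")
        dcr-id("my-dcr-id")                                  # placeholder
        dce-uri("https://dce-uri.ingest.monitor.azure.com")  # placeholder
        # Each NAME=VALUE pair becomes one JSON key. A key that does not
        # match a column, or a value Azure cannot parse, ends up blank in
        # the table, so keep this list in sync with the table schema.
        template("$(format-json TimeGenerated=${ISODATE} Computer=${HOST} Facility=${FACILITY} SeverityLevel=${LEVEL} ProcessName=${PROGRAM} SyslogMessage=${MESSAGE})")
        # The app secret is stored in clear text here: restrict read
        # access to this configuration file.
        auth(tenant-id("my-tenant-id") app-id("my-app-id") app-secret("my-app-secret"))
    );
};

log {
    source(s_local);
    destination(d_azure_syslog);
};
```

After deploying, query the table for rows with blank columns to confirm that the key names and value formats were accepted.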
Options
The following options are specific to the azure-monitor() destination. But since this destination is based on the http() destination, you can use the options of the http() destination as well if needed.
Note: The azure-monitor() destination automatically configures some of these http() destination options as required by the Azure Monitor Logs ingestion API.
auth()
Options for OAuth2 authentication for Azure.
To authenticate, you need to register a Microsoft Entra application. You’ll need the Tenant ID, App ID, and App Secret of this application to configure the AxoSyslog destination.
app-id()
Type: string
Default:
Description: Application (client) ID of the Microsoft Entra application.
app-secret()
Type: string
Default:
Description: The client secret of the Microsoft Entra application.
tenant-id()
Type: string
Default:
Description: Directory (tenant) ID of the Microsoft Entra application.
dce-uri()
Type: string
Default: -
Description: The URI of your Data Collection Endpoint (DCE).
dcr-id()
Type: string
Default: -
Description: The ID of the Azure Monitor Data Collection Rule (DCR) where AxoSyslog sends the data.
table-name()
This option was available in version 4.10, but has been deprecated in 4.11. Use stream-name() instead.
stream-name()
Type: string
Default: -
Description: The name of the table in the Log Analytics Workspace where AxoSyslog sends the data, for example, syslog.