# Send data to Azure Monitor and Sentinel Starting with version 4.10.0, AxoSyslog can send data to [Azure Monitor]() using its [HTTP REST Logs ingestion API](). Data sent to Azure Monitor’s Log Analytics is also available from [Microsoft Sentinel](). Note Version 4.10 introduced the `azure-monitor-builtin()` and `azure-monitor-custom()` destinations. These were deprecated and unified as `azure-monitor()` in version 4.11. Also, the `table-name()` option of the driver has been renamed to `stream-name()`. ## Prerequisites * An Azure subscription. * A [Microsoft Entra application](). You’ll need the Tenant ID, App ID, and App Secret of the application to configure the AxoSyslog destination. * A [Data Collection Endpoint (DCE)]() * A [Data Collection Rule (DCR)]() * A [Log Analytics Workspace in Azure](). For details, see the [Tutorial: Send data to Azure Monitor Logs with Logs ingestion API](). ## Configuration The `azure-monitor()` driver sends data to the built-in tables of Azure Monitor. The body of the message (`${MESSAGE}`) must be in JSON format. The keys in the JSON array must have the same names as the columns of the table (you can use [`format-json`](../../docs/axosyslog-core/chapter-manipulating-messages/customizing-message-format/reference-template-functions/index.md#template-function-format-json) or [‘FilterX`](../../docs/axosyslog-core/filterx/index.md)). If a field is empty, or Azure cannot parse it, it will be blank. The following example sends data to the [syslog table](). ``` @include "scl.conf" # ... destination d_azure { azure-monitor( stream-name("syslog") dcr-id("my-dcr-id") dce-uri("https://dce-uri.ingest.monitor.azure.com") template("$MESSAGE") auth(tenant-id("my-tenant-id") app-id("my-app-id") app-secret("my-app-secret")) ); }; ``` This driver is actually a reusable configuration snippet configured to send log messages using the `http()` driver using a template. You can find the source of this configuration snippet on [GitHub](). ## Options The following options are specific to the `azure-monitor()` destination. But since this destination is based on the `http()` destination, you can use the [options of the `http()` destination](../../docs/axosyslog-core/chapter-destinations/configuring-destinations-http-nonjava/reference-destination-http-nonjava/index.md) as well if needed. > Note: The `azure-monitor()` destination automatically configures some of these `http()` destination options as required by the Azure Monitor Logs ingestion API. ## auth() Options for OAUTH2 authentication for Azure. To authenticate, you need to register a [Microsoft Entra application](). You’ll need the Tenant ID, App ID, and App Secret of this application to configure the AxoSyslog destination. #### app-id() | ---|--- Type: | string Default: | _Description:_ Application (client) ID of the Microsoft Entra application. #### app-secret() | ---|--- Type: | string Default: | _Description:_ The Client secret of the Microsoft Entra application. #### tenant-id() | ---|--- Type: | string Default: | _Description:_ Directory (tenant) ID of the Microsoft Entra application. ## dce-uri() | ---|--- Type: | string Default: | - _Description:_ The URI of your Data Collection Endpoint (DCE). ## dcr-id() | ---|--- Type: | string Default: | - _Description:_ The ID of the Azure Monitor Data Collection Rule (DCR) where AxoSyslog sends the data. ## table-name() This option was available in version 4.10, but has been deprecated in 4.11. Use [`stream-name()`](../../docs/axosyslog-core/chapter-destinations/azure-monitor/index.md#stream-name) instead. ## stream-name() | ---|--- Type: | string Default: | - _Description:_ The name of the table in the Log Analytics Workspace where AxoSyslog sends the data, for example, [syslog](). Last modified January 14, 2026: [Fix type keyword in frontmatter (2c54f5f)]()