Azure Resource Log Configuration for Log Ingestion
Last updated - 21 October, 2025
LogicMonitor provides an Azure Resource Manager (ARM) template to automate the configuration of the Azure resources necessary for Azure log monitoring. The Azure Function and Event Hub must be configured and deployed by the template in order for the Azure Function to listen for logs from the Event Hub.
You can use the Azure Templates provided by LogicMonitor to do the following:
- Configure and deploy the Azure resources required to forward activity logs. For more information about activity logs, see Activity log in Azure Monitor from Microsoft
- Create a managed identity to access the Azure resources logs. For more information about resource logs, see Resource logs in Azure Monitor from Microsoft
- Forward the logs to the LM Logs API
This guide outlines how to configure Microsoft Azure to send logs to LM Logs, enabling ingestion of subscription-level logs such as Activity Logs and Diagnostic Logs. The integration establishes a centralized cloud log pipeline for Azure within LogicMonitor that other Azure resource types can use to forward their logs to LM Logs.
The Azure Templates deploy a resource group named lm-logs-{LM_Company_name}-{resource_group_region}-group. The group has the following resources:
- Event Hub (receives log data)
- Azure Function (processes and forwards log data to LogicMonitor)
- Storage Account (stores function app data)
- App Service plan (hosts the Azure function)
Recommendation: Azure resources you use to forward logs to LM Logs should also be monitored as LogicMonitor resources for the following reasons:
- Logs are mapped to contextually relevant devices
- Alerts, anomalies, and logs are tightly integrated
- Troubleshooting and RCA workflows are actionable and efficient
- Deviceless logs are prevented
To configure Azure resources for log ingestion, you must do the following:
- Create the Event Hub
- Deploy the Azure Function
- Create a managed identity
- Update diagnostic settings
Alternatively, you can forward logs from specific Azure resources such as virtual machines (VMs). This requires a supplemental process that must be configured in the Azure portal to forward logs to the integration’s Event Hub. VMs need this additional configuration because the described template deployments do not update their diagnostic settings. To forward system and application logs from VMs, you need to install and configure diagnostic extensions on the VMs. For more information, see X.
Metadata for Azure Logs
The following table lists metadata fields for the Azure Logs integration with LM Logs. The integration extracts these fields from the log records and adds the data to the logs along with the raw message string.
| Property | Description | LM Mapping | Default |
| --- | --- | --- | --- |
| time | The timestamp (UTC) for the event. | timestamp | Yes |
| level | Severity level for the event. Must be one of “Informational”, “Warning”, “Error”, or “Critical”. | severity | Yes |
| operationName | Name of the operation that this event represents. | activity_type | Yes |
| resourceId | Resource ID for the resource that emitted the event. For tenant services, this is in the form /tenants/tenant-id/providers/provider-name. When deploying the Azure integration using a template, you can add this field as a metadata key parameter to look for in the log record. | azure_resource_id | No |
| category | Log category for the event. Typical log categories are “Audit”, “Operational”, “Execution”, and “Request”. | category | Yes |
| ResourceType | Indicates where the Azure logs come from and where the service is deployed. | ResourceType | Yes |
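The following Python script is an added illustration of the field mapping in the table above and of the Include_Metadata_keys parameter described later in this guide; it is not the code of LogicMonitor's Azure Function. It assumes that an Event Hub message carries Azure log records under a top-level "records" array and that "level" values outside the four documented severities should not be forwarded as severity. The sample message, resource IDs and property values are constructed for the example.

```python
import json
from typing import Any, Dict, Iterable, List, Optional

# Azure record field -> (LM Logs field, sent by default), taken from the metadata table.
FIELD_MAP = {
    "time": ("timestamp", True),
    "level": ("severity", True),
    "operationName": ("activity_type", True),
    "resourceId": ("azure_resource_id", False),  # sent only when listed in Include_Metadata_keys
    "category": ("category", True),
    "ResourceType": ("ResourceType", True),
}

# Severity values the table says a record must carry.
ALLOWED_LEVELS = {"Informational", "Warning", "Error", "Critical"}

# Constructed sample Event Hub message (assumption: records are batched under "records").
# All identifiers and values below are made up for this example.
SAMPLE_MESSAGE = json.dumps({
    "records": [
        {
            "time": "2025-10-21T10:15:30.123Z",
            "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/DEMO-RG/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/DEMO-VM",
            "operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/START/ACTION",
            "category": "Administrative",
            "level": "Informational",
            "ResourceType": "Microsoft.Compute/virtualMachines",
            "properties": {"functionName": "startVm", "message": "VM start requested"},
        },
        {
            "time": "2025-10-21T10:16:00.000Z",
            "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/DEMO-RG/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/DEMO-KV",
            "operationName": "SecretGet",
            "category": "AuditEvent",
            "level": "Debug",  # not one of the allowed severities; exercises the validation path
            "ResourceType": "Microsoft.KeyVault/vaults",
            "properties": {"message": "Forbidden"},
        },
    ]
})


def get_nested(record: Dict[str, Any], dotted_key: str) -> Optional[Any]:
    """Resolve a dotted key such as 'properties.message' against a nested JSON record."""
    current: Any = record
    for part in dotted_key.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def record_to_lm_event(record: Dict[str, Any], include_keys: Iterable[str] = ()) -> Dict[str, Any]:
    """Build one LM Logs event: the raw record as the message plus the mapped metadata fields."""
    include_keys = set(include_keys)
    event: Dict[str, Any] = {"message": json.dumps(record, separators=(",", ":"))}
    for source, (target, sent_by_default) in FIELD_MAP.items():
        if source not in record:
            continue
        if not sent_by_default and source not in include_keys:
            continue
        value = record[source]
        # Only the four documented severities are forwarded as 'severity'; anything else is
        # left out of the metadata rather than mapped to a level the record never stated.
        if source == "level" and value not in ALLOWED_LEVELS:
            continue
        event[target] = value
    # Extra metadata keys from Include_Metadata_keys; '.' selects nested JSON.
    for key in include_keys:
        if key in FIELD_MAP:
            continue  # already handled through the mapping table
        value = get_nested(record, key)
        if value is not None:
            event[key] = value
    return event


def parse_event_hub_message(raw: str, include_keys: Iterable[str] = ()) -> List[Dict[str, Any]]:
    """Split one Event Hub message into its records and convert each to an LM Logs event."""
    payload = json.loads(raw)
    records = payload.get("records", [payload])  # tolerate a single bare record
    return [record_to_lm_event(r, include_keys) for r in records if isinstance(r, dict)]


if __name__ == "__main__":
    for ev in parse_event_hub_message(SAMPLE_MESSAGE, ["resourceId", "properties.message"]):
        print(json.dumps(ev, indent=2))
```

Running the script shows that resourceId only reaches the event as azure_resource_id when it is named in the include keys, and that the second record, whose level is not one of the documented values, is forwarded with its raw message but without a severity field.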
Requirements
To configure Azure resources for log ingestion, you need the following:
- Register your Azure environment as a cloud account in LM to enable resource discovery and log mapping. For more information, see Adding Microsoft Azure Cloud Monitoring
- LogicMonitor API tokens to authenticate all requests to the log ingestion API. For more information, see Adding an API Token
- The Azure CLI tools installed on the machines that will forward logs. For more information, see How to install the Azure CLI from Microsoft
- A User Administrator role in Azure to create the managed identity which will access the Azure resources logs. For more information, see What is managed identities for Azure resources? from Microsoft
Note: Deploy a separate Azure Function for each region you want to collect logs from. Azure resources can only send logs to an Event Hub located in the same Azure region.
Configuring Azure Resources for Log Ingestion
Follow the steps below in order to ensure proper deployment:
- Create the Event Hub
- Deploy the Azure Function
- Create a managed identity
- Update diagnostic settings
Create the Event Hub
To ingest logs from Azure, you must first create an Event Hub to receive log data. In the Azure portal, create a resource group and an Event Hub namespace before you create the Event Hub. For more information, see Quickstart: Create an event hub using Azure portal from Azure.
Once you have created an Event Hub, the next step is to deploy the Azure Function.
Deploy the Azure Function
Before deploying the Azure function, ensure that you can provide the following parameters in the template:
| Parameter | Description | Required |
| --- | --- | --- |
| Region | The location to store the deployment metadata. Predefined in Azure, but you can change the value. For a list of Azure regions by their display names, see Azure geographies from Microsoft. | Yes |
| resource_group_region | The region where you want to create the resource group and deploy resources such as the Event Hub and Function app. For a list of the Azure regions in plain text, run the following command from PowerShell with the Azure CLI tools installed: az account list-locations -o table | Yes |
| LM_Company_name | Your LogicMonitor company or account name in the target URL. This is only the <account> value, not the fully qualified domain name (FQDN). Example: https://<account>.logicmonitor.com | Yes |
| LM_Domain_Name | The domain of your LM portal. By default, it is set to "logicmonitor.com". The supported domains for this variable are lmgov.us, qa-lmgov.us, and logicmonitor.com. | Yes |
| LM_Access_Id | The access ID of the LM API token. You should use an API-only user for this integration. | Yes |
| LM_Access_Key | The access key of the LM API token. | Yes |
| Azure_Client_Id | The Application (client) ID used while creating the Azure Cloud Account in your LogicMonitor portal. Note: This ID should have been created when you connected the Azure Cloud Account. The ID can be found in Azure Active Directory under App Registrations. | Yes |
| Enable Activity Logs | Specify whether or not to send Activity Logs to the Event Hub created with the Azure Function. Can be “Yes” (default) or “No”. | No |
| Azure_Account_Name | Use this field to establish the mapping between the Azure account logs and the Cloud account resource. The Azure Account name can be retrieved from the system.displayname field in the Cloud Account Info tab. | No |
| LM_Bearer_Token | LM API Bearer Token. You can provide both access_id and access_key, or just bearer_token. If all of these parameters are provided, the LMv1 token (access_id and access_key) is used for authentication with LogicMonitor. | No |
| Include_Metadata_keys | Comma-separated keys to add as event metadata in an lm-log event. Use ‘.’ for nested JSON (for example, properties.functionName,properties.message). | No |
| LM Tenant Id | LogicMonitor Tenant Identifier, sent as event metadata to LogicMonitor. | No |
| TLSVersionStorageAccount (TLS Version Storage Account) | Specify the TLS version for the storage account in the format x_x. For example, 1.2 is provided as 1_2. The default is 1_2. | Yes |
| TLSVersionFunctionApp (TLS Version Function App) | Specify the TLS version for the function app in the format X.X. The default is 1.3. | Yes |
- Navigate to the LogicMonitor Azure function deployment template to open the Azure template, enter the parameters, and run the deployment.
- Confirm that the deployment is successful. Logs should appear in the LM Logs page if Enable Activity Logs is set to Yes.
If Enable Activity Logs is set to No, you need to manually configure log forwarding to the Event Hub.
These logs will be mapped to the Azure Cloud Account created in the LogicMonitor portal. If logs are not being forwarded, see Enabling Debug Logging.
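The following Python script is an added example of how the credential and address parameters from the table above fit together; it is not LogicMonitor's Azure Function code. It assumes the LM Logs ingestion endpoint is the REST path /log/ingest on the portal host and that LMv1 request signing is the public LogicMonitor scheme (base64 of the hex HMAC-SHA256 over verb + epoch + body + path). It applies the precedence the LM_Bearer_Token row states (LMv1 wins when LM_Access_Id and LM_Access_Key are both present), validates LM_Domain_Name against the three supported domains, and rejects an LM_Company_name that is an FQDN or URL instead of the bare account value. The company name, token values and event payload are constructed.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, List, Optional, Tuple

# Domains the LM_Domain_Name parameter accepts, from the parameter table.
SUPPORTED_DOMAINS = ("logicmonitor.com", "lmgov.us", "qa-lmgov.us")

# Resource path of the LM Logs ingestion endpoint (assumption for this example).
LM_LOG_INGEST_PATH = "/log/ingest"


def is_supported_domain(domain: str) -> bool:
    """True only for the domains the template documents for LM_Domain_Name."""
    return domain in SUPPORTED_DOMAINS


def build_ingest_url(company_name: str, domain: str = "logicmonitor.com") -> str:
    """Assemble the ingestion URL from LM_Company_name and LM_Domain_Name.

    LM_Company_name must be the bare <account> value. An FQDN or URL is rejected so a
    mistyped parameter fails at deployment time instead of posting logs to the wrong host.
    """
    if not company_name or "." in company_name or "/" in company_name:
        raise ValueError("LM_Company_name must be the <account> value only, not an FQDN or URL")
    if not is_supported_domain(domain):
        raise ValueError(f"unsupported LM_Domain_Name: {domain}")
    return f"https://{company_name}.{domain}/rest{LM_LOG_INGEST_PATH}"


def lmv1_signature(access_key: str, http_verb: str, epoch_ms: int, body: str, resource_path: str) -> str:
    """LMv1 request signature: base64 of the hex HMAC-SHA256 over verb + epoch + body + path."""
    request_vars = f"{http_verb}{epoch_ms}{body}{resource_path}".encode("utf-8")
    hex_digest = hmac.new(access_key.encode("utf-8"), request_vars, hashlib.sha256).hexdigest()
    return base64.b64encode(hex_digest.encode("utf-8")).decode("ascii")


def build_auth_header(access_id: Optional[str], access_key: Optional[str], bearer_token: Optional[str],
                      body: str, epoch_ms: Optional[int] = None) -> str:
    """Choose the credential the way the parameter table describes: LMv1 when both
    LM_Access_Id and LM_Access_Key are set, otherwise LM_Bearer_Token."""
    if access_id and access_key:
        epoch_ms = int(time.time() * 1000) if epoch_ms is None else epoch_ms
        signature = lmv1_signature(access_key, "POST", epoch_ms, body, LM_LOG_INGEST_PATH)
        return f"LMv1 {access_id}:{signature}:{epoch_ms}"
    if bearer_token:
        return f"Bearer {bearer_token}"
    raise ValueError("provide LM_Access_Id and LM_Access_Key, or LM_Bearer_Token")


def build_ingest_request(company_name: str, domain: str, events: List[Dict[str, Any]],
                         access_id: Optional[str] = None, access_key: Optional[str] = None,
                         bearer_token: Optional[str] = None,
                         epoch_ms: Optional[int] = None) -> Tuple[str, Dict[str, str], str]:
    """Return (url, headers, body) for one POST of a batch of LM Logs events.

    The body is signed exactly as sent, so it is serialized once and reused for the header.
    """
    body = json.dumps(events, separators=(",", ":"))
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_auth_header(access_id, access_key, bearer_token, body, epoch_ms),
    }
    return build_ingest_url(company_name, domain), headers, body


if __name__ == "__main__":
    # Constructed parameters and a constructed single-event batch.
    url, headers, body = build_ingest_request(
        "acme", "logicmonitor.com", [{"message": "test", "severity": "Informational"}],
        access_id="EXAMPLE_ID", access_key="EXAMPLE_KEY", bearer_token="EXAMPLE_BEARER")
    print(url)
    print(headers["Authorization"].split(":")[0], "... (LMv1 chosen over the bearer token)")
```

Because the signature covers the serialized body and the epoch, a replayed or altered request fails verification; and because build_ingest_url refuses an FQDN, the common mistake of entering the full portal hostname as LM_Company_name is caught before any credential leaves the function.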
Once you have deployed the Azure function, the next step is to create a managed identity.
Create a Managed Identity
Before creating a managed identity, ensure that you can provide the following parameters in the template:
| Parameter | Description | Required |
| --- | --- | --- |
| resource_group_region | The region where you created the resource group and deployed resources such as the Event Hub and Function app. For a list of the Azure regions in plain text, run the following command from PowerShell with the Azure CLI tools installed: az account list-locations -o table. Note: The resource group and the resources within it must be in the same region as the Event Hub created when you deployed the Azure Function. | Yes |
| LM_Company_name | Your LogicMonitor company or account name in the target URL. This is only the <account> value, not the fully qualified domain name (FQDN). Example: https://<account>.logicmonitor.com | Yes |
Update Diagnostic Settings
Before updating diagnostic settings, ensure that you can provide the following parameters in the template:
| Parameter | Description | Required |
| --- | --- | --- |
| Resource Group | The resource group from which you want to forward logs to the Event Hub. For a list of Azure regions by their display names, see Azure geographies from Microsoft. | Yes |
| Subscription ID | The ID of the subscription that contains all the resource groups. | Yes |
| LM_Company_name | Your LogicMonitor company or account name in the target URL. This is only the <account> value, not the fully qualified domain name (FQDN). Example: https://<account>.logicmonitor.com | Yes |
| Force Update Tag | Changing this value between template deployments forces the deployment script to re-execute. | No |
| Deployment Location | Select the region where this deployment is configured. | Yes |
Navigate to the LogicMonitor Diagnostic Settings Azure template to configure resource level log forwarding to the Event Hub. This template updates the diagnostic settings of selected resources in the resource group.
Note: While this deployment is running, you can see the deployment logs in the script that gets created in the resource group. Example: “lm-logs-{LM_Company_name}-{resource_group_region}-group_script”.
If you are forwarding system and application logs from an Azure VM, you must perform an additional process. For more information, see Configuring Azure Virtual Machines for Log Ingestion below.
Configuring Azure Virtual Machines for Log Ingestion
For virtual machines (VMs), the diagnostic settings will not be updated through the described template deployments. To forward system and application logs from VMs, you need to install and configure diagnostic extensions on the VMs. The following describes how to set up the log forwarding for Linux and Windows VMs.
Sending Linux VM Logs
Do the following to forward system and application logs from Linux VMs:
- Install the diagnostic extension for Linux on the VM. For more information, see Use the Linux diagnostic extension 4.0 to monitor metrics and logs from Microsoft.
- Install the Azure CLI. For more information, see How to install the Azure CLI from Microsoft.
- Sign in to Azure using the Azure CLI.
- Download the configuration script using the following command:
  wget https://raw.githubusercontent.com/logicmonitor/lm-logs-azure/master/vm-config/configure-lad.sh
- Run the configuration script to create the storage account and configuration files needed by the diagnostic extension:
  ./configure-lad.sh <LM company name>
- Update lad_public_settings.json to configure the types of system logs and their levels (syslogEvents) and the application logs (filelogs) to collect.
- Run the following command to configure the extension:
  az vm extension set --publisher Microsoft.Azure.Diagnostics --name LinuxDiagnostic --version 3.0 --resource-group <your VM's Resource Group name> --vm-name <your VM name> --protected-settings lad_protected_settings.json --settings lad_public_settings.json
Note: The exact command will be printed by the configure-lad.sh script.
Sending Windows VM Logs
Do the following to forward system and application logs from Windows VMs:
- Install the diagnostic extension for Windows on the VM. For more information, see Install and configure the Azure Diagnostics extension for Windows (WAD) from Microsoft.
- Install the Azure CLI using the following PowerShell command:
  Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; rm .\AzureCLI.msi
- Sign in to Azure using the Azure CLI:
  az login
- Download the configuration script using the following command:
  Invoke-WebRequest -Uri https://raw.githubusercontent.com/logicmonitor/lm-logs-azure/master/vm-config/configure-wad.ps1 -OutFile .\configure-wad.ps1
- Run the configuration script to create the storage account and configuration files needed by the diagnostic extension:
  .\configure-wad.ps1 -lm_company_name <LM company name>
- Update wad_public_settings.json to configure the types of event logs (Application, System, Setup, Security, and so on) and their levels (Info, Warning, Critical) to collect. For more information, see WindowsEventLog element from Microsoft.
- Run the following command to configure the extension:
  az vm extension set --publisher Microsoft.Azure.Diagnostics --name IaaSDiagnostics --version 1.18 --resource-group <your VM's Resource Group name> --vm-name <your VM name> --protected-settings wad_protected_settings.json --settings wad_public_settings.json
Note: The exact command will be printed by the configure-wad.ps1 script.
Troubleshooting
Follow these steps to troubleshoot issues with your Azure logs integration.
1. Confirm that the install process provisioned all the required resources: an Event Hub, a resource group, a storage account, and an Azure Function.
2. Confirm that logs are being sent to the Event Hub:
- Navigate to your Event Hub in the Azure portal and check that the incoming messages count is greater than 0.
- You can also check this for specific agents or applications by looking in their Azure Logs folder. For example, if you are running a Windows VM with an IaaSDiagnostics extension, its logs are in the following Azure Logs directory (with the version and WADID filled in):
C:\WindowsAzure\Logs\Plugins\Microsoft.Azure.Diagnostics.IaaSDiagnostics\<VERSION>\<WADID>\Configuration
3. Confirm that the Azure Function is running and forwarding logs to LogicMonitor. For more information, see Enabling debug logging.
- If the Function App is running and receiving logs, but you are not seeing the logs in LogicMonitor, confirm that the LM_Access_Key or LM_Access_Id provided is correct.
- If the Function App is not being executed, but logs are sent to the Event Hub, try to run the Azure function locally and check if it receives any log messages:
- If the local function receives logs, stop and run the function on the Azure Portal. You can check its logs using the Azure CLI.
- If the local function does not receive logs, check its connection string and the shared access policy of the Event Hub.
4. You can use PowerShell to send a test event from the log-enabled VM. On the configured device, enter the PowerShell prompt and run the following command: eventcreate /Id 500 /D "test error event for windows" /T ERROR /L Application
After the command runs, you should see the event in the LM Logs page.
Updating Template Parameters
You may need to update the template after deployment, for example to change credentials or parameters. You can do this in the Function App configuration by navigating to Function app lm-logs-{LM_Company_name}-{resource_group_region} → configuration → edit.
Enabling Debug Logging
You can enable Application Insights in the Function App to check whether it is receiving logs. For more information, see Enable streaming execution logs.
You can configure the application logging type and level using the Azure CLI webapp log config command. Example:
az webapp log config --resource-group <Azure Function's Resource Group name> --name <Azure Function name> --application-logging true --level verbose --detailed-error-messages true
After configuring application logging, you can see the logs using Azure CLI webapp log tail. Example:
az webapp log tail --resource-group <Azure Function's Resource Group name> --name <Azure Function name>
Removing Azure Resources
The Azure templates you ran to set up log ingestion create several resources, including the Event Hub that sends log data to LM Logs. If needed, you can remove the LM Logs integration to stop the flow of data and the associated costs.
Note: Before removing a resource group, ensure you have not added other non-LM Logs items into the group.
Do the following:
1. In your Azure portal, navigate to the monitored VM > Activity log > Diagnostic settings > Edit setting (for the Logs Event Hub) and select Delete.
2. Delete the Event Hub with the name and region you created during setup. This cuts off the flow of logs from Azure to LM Logs.
3. You can remove all other resources created by the template deployment, such as the Function App, Managed Identity, App Insights, and Storage account. Their names follow the Event Hub naming convention from the template. You can remove each item individually or, if they are in a resource group, remove the entire group.