Send data to Azure Monitor and Sentinel

Starting with version 4.10.0, AxoSyslog can send data to Azure Monitor using its HTTP REST Logs ingestion API. Data sent to Azure Monitor’s Log Analytics is also available from Microsoft Sentinel.

Prerequisites

For details, see the Tutorial: Send data to Azure Monitor Logs with Logs ingestion API.

Configuration

To configure AxoSyslog, you’ll need the name of the table and the topic where you want to send your data.

The body of the message (${MESSAGE}) must be in JSON format. The keys of the JSON object must have the same names as the columns of the table (you can use format-json or FilterX to build it). If a field is empty, or Azure cannot parse it, it will be blank in the table.

  • The azure-monitor-builtin() driver sends data to the built-in tables of Azure Monitor, for example, the syslog table.

    destination d_azure_builtin {
      azure-monitor-builtin(
        table-name("syslog")
        dcr-id("my-dcr-id")
        dce-uri("https://dce-uri.ingest.monitor.azure.com")
        template("$MESSAGE")
        auth(tenant-id("my-tenant-id") app-id("my-app-id") app-secret("my-app-secret"))
      );
    };
    
  • To send data into custom tables, use the azure-monitor-custom() driver. For example:

    destination d_azure_custom {
      azure-monitor-custom(
        table-name("my-table")
        dcr-id("my-dcr-id")
        dce-uri("https://dce-uri.ingest.monitor.azure.com")
        auth(tenant-id("my-tenant-id") app-id("my-app-id") app-secret("my-app-secret"))
      );
    };
    

Both drivers are actually reusable configuration snippets (SCL) that send log messages with the http() driver, using a template to build the request body. You can find the source of this configuration snippet on GitHub.
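To make what the snippet does through http() concrete, here is an added Python sketch of the two calls involved: an OAuth2 client-credentials token request to Microsoft Entra, then a POST of a JSON array to the DCE's stream endpoint. This is example code written for this page, not AxoSyslog's snippet; the endpoint paths, scope, stream name and the Syslog column subset are assumptions taken from the Azure Logs ingestion API documentation, not from this page.

```python
import json
import urllib.request
from urllib.parse import urlencode

# Assumed API shape (Azure Logs ingestion docs): an OAuth2 client credentials
# token from Microsoft Entra, then a POST of a JSON array to the DCE's
# per-stream endpoint. None of these URLs come from this page.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
SCOPE = "https://monitor.azure.com/.default"
API_VERSION = "2023-01-01"

# Constructed subset of the built-in Syslog table's columns (assumption).
SYSLOG_COLUMNS = ("TimeGenerated", "Computer", "Facility", "SeverityLevel",
                  "ProcessName", "ProcessID", "SyslogMessage")


def to_table_record(fields: dict) -> dict:
    """Keep only keys that name a real column and drop empty values: the API
    blanks anything it cannot map, so catching that locally is cheaper."""
    return {k: v for k, v in fields.items()
            if k in SYSLOG_COLUMNS and v not in (None, "")}


def token_request(tenant_id: str, app_id: str, app_secret: str) -> urllib.request.Request:
    """Request that exchanges the Entra app credentials for a bearer token."""
    form = urlencode({"grant_type": "client_credentials", "client_id": app_id,
                      "client_secret": app_secret, "scope": SCOPE}).encode()
    return urllib.request.Request(
        TOKEN_URL.format(tenant=tenant_id), data=form, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def ingest_request(dce_uri: str, dcr_id: str, stream: str, records: list,
                   token: str) -> urllib.request.Request:
    """POST one batch (a JSON array of table rows) to the DCR's stream."""
    url = (f"{dce_uri.rstrip('/')}/dataCollectionRules/{dcr_id}"
           f"/streams/{stream}?api-version={API_VERSION}")
    return urllib.request.Request(
        url, data=json.dumps(records).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"})


def send_batch(dce_uri, dcr_id, stream, records, tenant_id, app_id, app_secret):
    """Network path (not exercised offline): fetch a token, then ingest."""
    with urllib.request.urlopen(token_request(tenant_id, app_id, app_secret)) as r:
        token = json.load(r)["access_token"]
    rows = [to_table_record(x) for x in records]
    with urllib.request.urlopen(ingest_request(dce_uri, dcr_id, stream, rows, token)) as r:
        return r.status  # the API answers 204 No Content on success
```

The app secret travels only in the token request body over TLS, which is why the destination's auth() block, not the per-message template, carries it.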

Options

The following options are specific to the azure-monitor-custom() destination. Since this destination is based on the http() destination, you can also use the options of the http() destination if needed.

Note: The azure-monitor-custom() destination automatically configures some of these http() destination options as required by the Azure Monitor Logs ingestion API.

auth()

Options for OAuth2 authentication to Azure.

To authenticate, you need to register a Microsoft Entra application. You’ll need the Tenant ID, App ID, and App Secret of this application to configure the AxoSyslog destination.

app-id()

Type: string
Default: -

Description: Application (client) ID of the Microsoft Entra application.

app-secret()

Type: string
Default: -

Description: The client secret of the Microsoft Entra application.

tenant-id()

Type: string
Default: -

Description: Directory (tenant) ID of the Microsoft Entra application.

dce-uri()

Type: string
Default: -

Description: The URI of your Data Collection Endpoint (DCE).

dcr-id()

Type: string
Default: -

Description: The ID of the Azure Monitor Data Collection Rule (DCR) where AxoSyslog sends the data.

table-name()

Type: string
Default: -

Description: A custom table in the Log Analytics Workspace where AxoSyslog sends the data.