--- title: Azure Automated Log Forwarding Setup description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: Docs > Log Management > Logs Guides > Azure Automated Log Forwarding Setup --- # Azure Automated Log Forwarding Setup ## Overview{% #overview %} Use this guide to automate your Azure log forwarding setup with an Azure Resource Manager (ARM) template. The ARM template deploys resources from a series of Azure services (storage accounts and function apps) into your subscriptions, which collect and forward logs to Datadog. These services automatically scale up or down to match log volume. Scaling is managed by a control plane, which is a set of function apps deployed to a subscription and region of your choice. Storage accounts and function apps are deployed in each of the subscriptions forwarding logs to Datadog. **All sites**: Automated log forwarding is available to use on all [Datadog sites](https://docs.datadoghq.com/getting_started/site.md). ## How to choose between automated and manual setup{% #how-to-choose-between-automated-and-manual-setup %} Choose the manual setup method if you want to: - apply custom tags to your resources Use the automated setup method if you want to: - automate deployment through the Azure portal - manage your infrastructure through declarative templates - centrally control access, tags, and billing - redeploy your resources in the correct order and in a consistent way - save costs by using a storage account rather than an event hub ## Setup{% #setup %} Begin by opening the Azure Log Forwarding ARM template corresponding to your Azure environment, or by clicking **+ Add Log Collection** in the [Azure integration tile](https://app.datadoghq.com/integrations/azure/add?config_azure-new-onboarding=true). - [Azure Public](https://portal.azure.com/#create/Microsoft.Template/uri/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FDataDog%2Fintegrations-management%2Fmain%2Fazure%2Flogging_install%2Fdist%2Fazuredeploy.json/createUIDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FDataDog%2Fintegrations-management%2Fmain%2Fazure%2Flogging_install%2Fdist%2FcreateUiDefinition.json) - [Azure Government](https://portal.azure.us/#create/Microsoft.Template/uri/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FDataDog%2Fintegrations-management%2Fmain%2Fazure%2Flogging_install%2Fdist%2Fazuredeploy.json/createUIDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FDataDog%2Fintegrations-management%2Fmain%2Fazure%2Flogging_install%2Fdist%2FcreateUiDefinition.json) - [Azure China](https://portal.azure.cn/#create/Microsoft.Template/uri/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FDataDog%2Fintegrations-management%2Fmain%2Fazure%2Flogging_install%2Fdist%2Fazuredeploy.json/createUIDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FDataDog%2Fintegrations-management%2Fmain%2Fazure%2Flogging_install%2Fdist%2FcreateUiDefinition.json) The sections below provide instructions for completing each page of the template. ### Basics{% #basics %} 1. Under **Project details**, select the management group. This is needed for the ARM template to grant permissions to the subscriptions you select for automated log forwarding. 1. Under **Instance details**, select values for: - **Region**. This is where the control plane is deployed. - **Subscriptions to Forward Logs**. These are the subscriptions to be configured for log forwarding. - **Control Plane Subscription**. This is the subscription that the control plane is deployed to. - **Resource Group Name**. This is the resource group to be used by the control plane. It is recommended to choose a new, unused resource group name to simplify management of control plane services. {% image source="https://docs.dd-static.net/images/logs/guide/azure-automated-log-forwarding/deployment_basics.e0363da1e0a9bf56b7099173213983e3.png?auto=format&fit=max&w=850 1x, https://docs.dd-static.net/images/logs/guide/azure-automated-log-forwarding/deployment_basics.e0363da1e0a9bf56b7099173213983e3.png?auto=format&fit=max&w=850&dpr=2 2x" alt="The Basics page of the ARM template for Azure automated log forwarding" /%} Click **Next**. ### Datadog configuration{% #datadog-configuration %} 1. Enter your [Datadog API key](https://app.datadoghq.com/organization-settings/api-keys) value. 1. Select your [Datadog Site](https://docs.datadoghq.com/getting_started/site.md). {% image source="https://docs.dd-static.net/images/logs/guide/azure-automated-log-forwarding/deployment_datadog_configuration_2025-02-18.1196aea3d5c3f22173a6ae0b08fefcb2.png?auto=format&fit=max&w=850 1x, https://docs.dd-static.net/images/logs/guide/azure-automated-log-forwarding/deployment_datadog_configuration_2025-02-18.1196aea3d5c3f22173a6ae0b08fefcb2.png?auto=format&fit=max&w=850&dpr=2 2x" alt="The Datadog Configuration page of the ARM template for Azure automated log forwarding" /%} Click **Next**. ### Deployment{% #deployment %} 1. Click the checkbox to acknowledge the deployment warnings. 1. Click **Review + create**. ### Review + create{% #review--create %} 1. Review the finalized deployment details. 1. Click **Create**. ## Architecture{% #architecture %} ### Services used{% #services-used %} - [Azure Function](https://learn.microsoft.com/azure/azure-functions/) apps are used to discover resources in your Azure subscriptions, scale log forwarders, and configure diagnostic settings on the detected resources. - [Azure Container Apps](https://azure.microsoft.com/products/container-apps) are used to collect resource logs generated by diagnostic settings, track which logs have been processed already, and submit them to Datadog. - [Azure Storage Accounts](https://learn.microsoft.com/azure/storage/common/storage-account-overview) are used to store logs generated by your resources, as well as a small cache of metadata such as subscription IDs, resource IDs, and regions. ### High-level architecture{% #high-level-architecture %} {% image source="https://docs.dd-static.net/images/logs/guide/azure_automated_logs_architecture/high_level_architecture_06-13-2025.37a95339be3a7e4ff56898ff94445c59.png?auto=format&fit=max&w=850 1x, https://docs.dd-static.net/images/logs/guide/azure_automated_logs_architecture/high_level_architecture_06-13-2025.37a95339be3a7e4ff56898ff94445c59.png?auto=format&fit=max&w=850&dpr=2 2x" alt="Architecture diagram showing three main components of Azure automated log forwarding: Control Plane and Log Forwarder (deployed by Datadog to customer environments) connecting to Azure Resources" /%} The deployment template sets up a control plane and log forwarders in your selected subscriptions. #### Control plane{% #control-plane %} The control plane is a set of Azure Function apps and a storage account for caching. One control plane is deployed in your chosen subscription and performs the following tasks: - Discovery of resources in your chosen subscriptions that are able to log through diagnostic settings. - Automatic configuration of diagnostic settings on discovered resources to flow logs into a storage account that the log forwarders are tracking. - Scaling of log forwarders in regions where your resources are located, enabling them to match log volume dynamically. #### Log forwarders{% #log-forwarders %} Log forwarders consist of an Azure Container Apps job and storage account for logs. They are deployed by the control plane in each subscription you select for log forwarding. The number of log forwarders deployed per subscription scales according to the volume of logs generated by your resources. Log forwarders perform the following tasks: - Temporarily store logs generated from your resources' diagnostic settings in a storage account. - Process the stored logs and forward them to Datadog. In Azure, a resource's diagnostic settings can only target storage accounts within the same region. As such, the forwarders are spun up in each region where resources with diagnostic settings exist. See Azure's [Diagnostic settings in Azure Monitor](https://learn.microsoft.com/azure/azure-monitor/essentials/diagnostic-settings) page for more information. ### Detailed architecture{% #detailed-architecture %} {% image source="https://docs.dd-static.net/images/logs/guide/azure_automated_logs_architecture/detailed_architecture.ec3afa1ad20e1525b921ba0b29a5c43c.png?auto=format&fit=max&w=850 1x, https://docs.dd-static.net/images/logs/guide/azure_automated_logs_architecture/detailed_architecture.ec3afa1ad20e1525b921ba0b29a5c43c.png?auto=format&fit=max&w=850&dpr=2 2x" alt="Workflow diagram showing Azure automated log forwarding: the Control Plane discovers resources, scales log forwarders across regions, configures diagnostic settings to send logs to storage accounts, and then Container Apps check for and forward new logs to Datadog Log Management." /%} ### Security and permissions{% #security-and-permissions %} The ARM template grants the control plane only the permissions needed to manage the forwarders and place diagnostic settings on your resources. To achieve this, resource groups are created and permissions are granted during the ARM template deployment. After this, you can add permissions for more subscriptions by redeploying the ARM template. #### Permissions used{% #permissions-used %} - [Monitoring Contributor](https://learn.microsoft.com/azure/azure-monitor/roles-permissions-security#monitoring-contributor) role at the **subscription** level for the selected subscriptions. - This is needed to discover resources with available diagnostic settings and enable log output to storage. - [Contributor](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles/privileged#contributor) role at the **resource group** level, for the log-forwarding resource groups in the selected subscriptions. - This is needed to manage (create and delete) forwarder storage accounts and Container Apps jobs. - [Website Contributor](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles/web-and-mobile#website-contributor) role at the **control plane resource group** level, for updating the control plane function apps. No information about your resources is exported. Datadog only requests the information required to enable log output, and the only output of this architecture is the logs sent to Datadog. **Note**: Optionally, you can enable the control plane to submit its own health metrics, logs, and events to Datadog for debugging purposes. To do this, set the environment variable `DD_TELEMETRY=true` on any Function App or Container App in the control plane. ## Log archiving{% #log-archiving %} Archiving logs to Azure Blob Storage requires an App Registration. If you haven't already, follow the [automatic](https://docs.datadoghq.com/logs/guide/azure-automated-log-forwarding.md) or [manual](https://docs.datadoghq.com/logs/guide/azure-manual-log-forwarding.md) setup instructions to configure the integration using an App Registration. App Registrations created for archiving purposes do not need the `Monitoring Reader` role. After configuring an App Registration, [create a log archive](https://docs.datadoghq.com/logs/log_configuration/archives.md?tab=azurestorage#configure-an-archive) that writes to Azure Blob Storage. **Note**: If your storage bucket is in a subscription being monitored through the Azure Native integration, a redundancy warning appears in the Azure integration tile. This warning can be safely ignored for log archiving. ## Uninstall{% #uninstall %} Begin by opening an [Azure Cloud Shell](https://learn.microsoft.com/en-us/azure/cloud-shell/overview), and ensure it is running in Azure CLI/Bash, not PowerShell. Download and run the uninstall script: ```bash wget https://ddazurelfo.blob.core.windows.net/uninstall/uninstall.py python uninstall.py ``` The script first discovers any instances running in each subscription, then prompts you to select the instance(s) to uninstall. Confirm the resource deletions, and wait for the resources to be deleted. ## Further reading{% #further-reading %} - [Best practices for monitoring Microsoft Azure platform logs](https://www.datadoghq.com/blog/monitoring-azure-platform-logs/)