--- title: Azure Automated Log Forwarding Setup description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: Docs > Log Management > Logs Guides > Azure Automated Log Forwarding Setup --- # Azure Automated Log Forwarding Setup ## Overview{% #overview %} Use this guide to set up and manage Azure automated log forwarding. You can configure log forwarding directly in Datadog or deploy it with an Azure Resource Manager (ARM) template. The ARM template deploys resources from a series of Azure services (storage accounts and function apps) into your subscriptions, which collect and forward logs to Datadog. These services automatically scale up or down to match log volume. Scaling is managed by a control plane, which is a set of function apps deployed to a subscription and region of your choice. Storage accounts and function apps are deployed in each of the subscriptions forwarding logs to Datadog. **All sites**: Automated log forwarding is available to use on all [Datadog sites](https://docs.datadoghq.com/getting_started/site.md). ## How to choose between automated and manual setup{% #how-to-choose-between-automated-and-manual-setup %} Choose the manual setup method if you want to: - apply custom tags to your resources Use the automated setup method if you want to: - automate deployment through the Azure portal - manage your infrastructure through declarative templates - centrally control access, tags, and billing - redeploy your resources in the correct order and in a consistent way - save costs by using a storage account rather than an event hub ## Setup{% #setup %} ### Configure Log Forwarding{% #configure-log-forwarding %} Use the **Configure Log Forwarding** flow to set up new or manage existing log forwarders directly in Datadog. You can use this flow to deploy automated log forwarding from scratch or update an existing setup, such as adding or removing subscriptions or modifying log filters. 1. In Datadog, navigate to [**Integrations > Azure**](https://app.datadoghq.com/integrations/azure). 1. Click **Configure Log Forwarding**. 1. Choose to deploy a new setup or update an existing one. 1. Copy the provided command and paste it in your Azure Cloud Shell. 1. Select the subscriptions to forward logs from. 1. Optionally, add or remove log filters. 1. Click **Confirm**. ### ARM template{% #arm-template %} Alternatively, you can deploy automated log forwarding with an Azure Resource Manager (ARM) template. Open the ARM template corresponding to your Azure environment: - [Azure Public](https://portal.azure.com/#create/Microsoft.Template/uri/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FDataDog%2Fintegrations-management%2Fmain%2Fazure%2Flogging_install%2Fdist%2Fazuredeploy.json/createUIDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FDataDog%2Fintegrations-management%2Fmain%2Fazure%2Flogging_install%2Fdist%2FcreateUiDefinition.json) - [Azure China](https://portal.azure.cn/#create/Microsoft.Template/uri/CustomDeploymentBlade/uri/https%3A%2F%2Fraw.githubusercontent.com%2FDataDog%2Fintegrations-management%2Fmain%2Fazure%2Flogging_install%2Fdist%2Fazuredeploy.json/createUIDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FDataDog%2Fintegrations-management%2Fmain%2Fazure%2Flogging_install%2Fdist%2FcreateUiDefinition.json) The sections below provide instructions for completing each page of the template. #### Basics{% #basics %} 1. Under **Project details**, select the management group. This is needed for the ARM template to grant permissions to the subscriptions you select for automated log forwarding. 1. Under **Instance details**, select values for: - **Region**. This is where the control plane is deployed. - **Subscriptions to Forward Logs**. These are the subscriptions to be configured for log forwarding. - **Control Plane Subscription**. This is the subscription that the control plane is deployed to. - **Resource Group Name**. This is the resource group to be used by the control plane. It is recommended to choose a new, unused resource group name to simplify management of control plane services. {% image source="https://docs.dd-static.net/images/logs/guide/azure-automated-log-forwarding/deployment_basics.e0363da1e0a9bf56b7099173213983e3.png?auto=format&fit=max&w=850 1x, https://docs.dd-static.net/images/logs/guide/azure-automated-log-forwarding/deployment_basics.e0363da1e0a9bf56b7099173213983e3.png?auto=format&fit=max&w=850&dpr=2 2x" alt="The Basics page of the ARM template for Azure automated log forwarding" /%} Click **Next**. #### Datadog configuration{% #datadog-configuration %} 1. Enter your [Datadog API key](https://app.datadoghq.com/organization-settings/api-keys) value. 1. Select your [Datadog Site](https://docs.datadoghq.com/getting_started/site.md). {% image source="https://docs.dd-static.net/images/logs/guide/azure-automated-log-forwarding/deployment_datadog_configuration_2025-02-18.1196aea3d5c3f22173a6ae0b08fefcb2.png?auto=format&fit=max&w=850 1x, https://docs.dd-static.net/images/logs/guide/azure-automated-log-forwarding/deployment_datadog_configuration_2025-02-18.1196aea3d5c3f22173a6ae0b08fefcb2.png?auto=format&fit=max&w=850&dpr=2 2x" alt="The Datadog Configuration page of the ARM template for Azure automated log forwarding" /%} Click **Next**. #### Deployment{% #deployment %} 1. Click the checkbox to acknowledge the deployment warnings. 1. Click **Review + create**. #### Review + create{% #review--create %} 1. Review the finalized deployment details. 1. Click **Create**. ## Resource tag filtering{% #resource-tag-filtering %} You can use tag filters to control which Azure resources have their logs forwarded to Datadog. For tag filter syntax, wildcard support, and examples, see [Resource tag filtering](https://docs.datadoghq.com/getting_started/integrations/azure.md#resource-tag-filtering-for-logs) in the Azure getting started guide. ## Log Analytics Workspaces{% #log-analytics-workspaces %} You can forward logs from Azure Log Analytics Workspaces (LAWs) to Datadog through the automated log forwarder. Previously, Datadog only supported [diagnostic setting](https://learn.microsoft.com/azure/azure-monitor/essentials/diagnostic-settings) logs from LAWs. With [data export rules](https://learn.microsoft.com/azure/azure-monitor/logs/logs-data-export?tabs=portal), you can also forward logs from LAW Log Tables to Datadog. ### Restrictions{% #restrictions %} - You can only set up forwarding for LAW resources within the same region as the log forwarder. - You can have a maximum of 10 data export rules on a LAW. If the LAW has no remaining capacity for a Data Export Rule, delete an existing rule to make room. - Not all log tables can be exported. See Microsoft's list of [unsupported tables](https://learn.microsoft.com/azure/azure-monitor/logs/logs-data-export?tabs=portal#unsupported-tables). ### Forward logs from a Log Analytics Workspace{% #forward-logs-from-a-log-analytics-workspace %} 1. If you haven't already created an automated log forwarder, follow the Setup instructions. If you already have a log forwarder, make sure it is updated to the latest version. 1. In the [Azure Portal](https://portal.azure.com), navigate to the desired Log Analytics Workspace. 1. Under **Settings**, click **Data export**. 1. Click **New export rule**. 1. Name the rule, check **Enable upon creation**, and click **Next**. 1. Select the tables to export. You can modify this selection later by editing the data export rule. Click **Next**. 1. For **Destination type**, select **Storage Account**. Select the subscription containing your log forwarder, and choose a log forwarder storage account. These accounts typically have the prefix `ddlogstorage`. Click **Next**. 1. Review the rule and click **Create**. Logs from the LAW start appearing in Datadog within a few minutes. ### Troubleshooting{% #troubleshooting %} #### Logs are not appearing in Datadog{% #logs-are-not-appearing-in-datadog %} If you have created a data export rule but do not see logs in Datadog: 1. Verify the data export rule is enabled. 1. Verify the destination storage account is one created by the automated log forwarder (the name typically starts with `ddlogstorage`). 1. In the storage account, inspect the containers. Containers with the `am-` prefix indicate LAW exports. If you only see containers with the `insights-` prefix, the data export rule may be improperly configured. 1. Verify the LAW has collected new logs within the past two hours. See Microsoft's [data export troubleshooting FAQ](https://learn.microsoft.com/troubleshoot/azure/azure-monitor/log-analytics/workspaces/workspace-data-export-faq) for additional information. #### Selecting which logs are exported{% #selecting-which-logs-are-exported %} The data export rule allows you to specify which log tables from your Log Analytics Workspace are exported. Edit the data export rule to add or remove tables. #### Expected latency{% #expected-latency %} LAW logs typically appear in Datadog within two to five minutes, but may take up to 20 minutes to first appear. LAW logs may have different properties from non-LAW logs. ## Architecture{% #architecture %} ### Services used{% #services-used %} - [Azure Function](https://learn.microsoft.com/azure/azure-functions/) apps are used to discover resources in your Azure subscriptions, scale log forwarders, and configure diagnostic settings on the detected resources. - [Azure Container Apps](https://azure.microsoft.com/products/container-apps) are used to collect resource logs generated by diagnostic settings, track which logs have been processed already, and submit them to Datadog. - [Azure Storage Accounts](https://learn.microsoft.com/azure/storage/common/storage-account-overview) are used to store logs generated by your resources, as well as a small cache of metadata such as subscription IDs, resource IDs, and regions. ### High-level architecture{% #high-level-architecture %} {% image source="https://docs.dd-static.net/images/logs/guide/azure_automated_logs_architecture/high_level_architecture_06-13-2025.37a95339be3a7e4ff56898ff94445c59.png?auto=format&fit=max&w=850 1x, https://docs.dd-static.net/images/logs/guide/azure_automated_logs_architecture/high_level_architecture_06-13-2025.37a95339be3a7e4ff56898ff94445c59.png?auto=format&fit=max&w=850&dpr=2 2x" alt="Architecture diagram showing three main components of Azure automated log forwarding: Control Plane and Log Forwarder (deployed by Datadog to customer environments) connecting to Azure Resources" /%} The deployment template sets up a control plane and log forwarders in your selected subscriptions. #### Control plane{% #control-plane %} The control plane is a set of Azure Function apps and a storage account for caching. One control plane is deployed in your chosen subscription and performs the following tasks: - Discovery of resources in your chosen subscriptions that are able to log through diagnostic settings. - Automatic configuration of diagnostic settings on discovered resources to flow logs into a storage account that the log forwarders are tracking. - Scaling of log forwarders in regions where your resources are located, enabling them to match log volume dynamically. #### Log forwarders{% #log-forwarders %} Log forwarders consist of an Azure Container Apps job and storage account for logs. They are deployed by the control plane in each subscription you select for log forwarding. The number of log forwarders deployed per subscription scales according to the volume of logs generated by your resources. Log forwarders perform the following tasks: - Temporarily store logs generated from your resources' diagnostic settings in a storage account. - Process the stored logs and forward them to Datadog. In Azure, a resource's diagnostic settings can only target storage accounts within the same region. As such, the forwarders are spun up in each region where resources with diagnostic settings exist. See Azure's [Diagnostic settings in Azure Monitor](https://learn.microsoft.com/azure/azure-monitor/essentials/diagnostic-settings) page for more information. ### Detailed architecture{% #detailed-architecture %} {% image source="https://docs.dd-static.net/images/logs/guide/azure_automated_logs_architecture/detailed_architecture.ec3afa1ad20e1525b921ba0b29a5c43c.png?auto=format&fit=max&w=850 1x, https://docs.dd-static.net/images/logs/guide/azure_automated_logs_architecture/detailed_architecture.ec3afa1ad20e1525b921ba0b29a5c43c.png?auto=format&fit=max&w=850&dpr=2 2x" alt="Workflow diagram showing Azure automated log forwarding: the Control Plane discovers resources, scales log forwarders across regions, configures diagnostic settings to send logs to storage accounts, and then Container Apps check for and forward new logs to Datadog Log Management." /%} ### Security and permissions{% #security-and-permissions %} The ARM template grants the control plane only the permissions needed to manage the forwarders and place diagnostic settings on your resources. To achieve this, resource groups are created and permissions are granted during the ARM template deployment. After this, you can add permissions for more subscriptions by redeploying the ARM template. #### Permissions used{% #permissions-used %} - [Monitoring Contributor](https://learn.microsoft.com/azure/azure-monitor/roles-permissions-security#monitoring-contributor) role at the **subscription** level for the selected subscriptions. - This is needed to discover resources with available diagnostic settings and enable log output to storage. - [Contributor](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles/privileged#contributor) role at the **resource group** level, for the log-forwarding resource groups in the selected subscriptions. - This is needed to manage (create and delete) forwarder storage accounts and Container Apps jobs. - [Website Contributor](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles/web-and-mobile#website-contributor) role at the **control plane resource group** level, for updating the control plane function apps. No information about your resources is exported. Datadog only requests the information required to enable log output, and the only output of this architecture is the logs sent to Datadog. **Note**: Optionally, you can enable the control plane to submit its own health metrics, logs, and events to Datadog for debugging purposes. To do this, set the environment variable `DD_TELEMETRY=true` on any Function App or Container App in the control plane. ## Log archiving{% #log-archiving %} Archiving logs to Azure Blob Storage requires an App Registration. If you haven't already, follow the [automatic](https://docs.datadoghq.com/logs/guide/azure-automated-log-forwarding.md) or [manual](https://docs.datadoghq.com/logs/guide/azure-manual-log-forwarding.md) setup instructions to configure the integration using an App Registration. App Registrations created for archiving purposes do not need the `Monitoring Reader` role. After configuring an App Registration, [create a log archive](https://docs.datadoghq.com/logs/log_configuration/archives.md?tab=azurestorage#configure-an-archive) that writes to Azure Blob Storage. **Note**: If your storage bucket is in a subscription being monitored through the Azure Native integration, a redundancy warning appears in the Azure integration tile. This warning can be safely ignored for log archiving. ## Uninstall{% #uninstall %} Begin by opening an [Azure Cloud Shell](https://learn.microsoft.com/en-us/azure/cloud-shell/overview), and ensure it is running in Azure CLI/Bash, not PowerShell. Download and run the uninstall script: ```bash wget https://ddazurelfo.blob.core.windows.net/uninstall/uninstall.py python uninstall.py ``` The script first discovers any instances running in each subscription, then prompts you to select the instance(s) to uninstall. Confirm the resource deletions, and wait for the resources to be deleted. ## Further reading{% #further-reading %} - [Best practices for monitoring Microsoft Azure platform logs](https://www.datadoghq.com/blog/monitoring-azure-platform-logs/)