---
title: "Collect Azure Logs with Azure Functions | Grafana Cloud documentation"
description: "How to collect Azure logs with Azure Functions"
---

# Collect Azure Logs with Azure Functions

We provide an [Azure Function](https://github.com/grafana/azure_eventhub_to_loki/) that subscribes to an event hub and sends all events to a Loki endpoint. The function can be managed as code as well, so you can get started quickly, focusing less on setup and more on getting insights from your logs. You can, for instance, use this functionality to monitor Kubernetes events for security breaches by applying [Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs).

The following diagram illustrates the serverless option for exporting Azure logs:

![Serverless workflow for exporting Azure logs](/media/blog/azure-serverless/logs-serverless-workflow.png)

Complete the following steps to configure the [`azure_eventhub_to_loki`](https://github.com/grafana/azure_eventhub_to_loki) Azure Function to send your resource and activity log messages to Grafana Cloud, enabling you to generate alerts and visualize issues in your workloads on Azure.

## Before you begin

To complete the configuration successfully, you need:

- Grafana Target endpoint URL: The correct endpoint for your Grafana Cloud instance
- Grafana Loki User: The numeric value of the **User**
- `azure_eventhub_to_loki` version: The latest version number of the Azure Function found on the [`azure_eventhub_to_loki` GitHub repository](https://github.com/grafana/azure_eventhub_to_loki).

To obtain the Grafana Target endpoint URL and Grafana Loki User, perform the following steps.

1. Navigate to your [Grafana Cloud Portal](/docs/grafana-cloud/account-management/cloud-portal/).
2. Select your Grafana Cloud stack.
3. Locate the Loki tile, and click **Details**.
   
4. Copy and save the values in the **URL** field (which is the target endpoint) and in the **User** field for use in future steps.
   

## Configure Grafana Cloud Authentication

Successfully sending logs from the Azure Function requires an [access policy](/docs/grafana-cloud/security-and-account-management/authentication-and-permissions/access-policies/create-access-policies/#create-access-policies-and-tokens) with an associated [token](/docs/grafana-cloud/security-and-account-management/authentication-and-permissions/access-policies/using-an-access-policy-token/). This policy and token allow Grafana Cloud to:

- Authenticate the request
- Ensure the request is authorized to write logs to the account

Complete the following to create an access policy and generate a token:

1. At your Grafana Cloud stack, from the main menu under **SECURITY**, click **Access Policies**.
   
2. Click **Create access policy**.
3. In the **Display name** box, create a display name to appear in the access policies list.
   
4. In the **Realms** box, select the first option *your\_org\_name (all stacks)*.
5. In the **Scopes** section, for logs select **Write** to allow logs to write to your account.
   
6. Click **Create** to create the access policy.
7. In the access policy you just created, click **Add token** to create a token for the Azure Function.
   
8. Enter a name for the token, and click **Create**.
9. Click **Copy to clipboard**, and save the new token. In a future step, you replace `<Grafana_Logs_Write_Access_token>` with this token.

## Configure Azure

You can deploy the [`azure_eventhub_to_loki`](https://github.com/grafana/azure_eventhub_to_loki) Function to an existing Azure resource group by using the [Azure ARM template](https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/overview) available in the repository.

The ARM template provisions the following items:

1. An Azure Event Hub to receive resource and activity log messages
2. An Azure Storage Account for the Function app
3. An Azure Function App to read the messages from the Event Hub, and deliver them to Grafana Cloud

### Create deployment with Azure CLI

1. Log in to your Azure account, with the following command:
   
   ```shell
   az login
   ```
2. Set the Azure CLI to the subscription for the deployment, using the following command, after adding the correct Azure Subscription ID:
   
   ```shell
   az account set --subscription <Azure_Subscription_ID>
   ```
3. Optionally, create a resource group for the deployment, using the following command, after adding the correct Azure Resource Group name and Azure location:
   
   ```shell
   az group create --name <Azure_Resource_Group_name> --location <Azure_location>
   ```
4. Apply the ARM Template, using the following command, after updating the following items:
   
   - Azure Resource Group name
   - Azure Deployment name
   - `azure_eventhub_to_loki` VERSION number
   - Grafana Target endpoint URL
   - Grafana Loki User
   - Grafana Logs Write Access token
   
   ```shell
   az deployment group create --resource-group <Azure_Resource_Group_name> --name <Azure_Deployment_name> \
   --template-uri https://raw.githubusercontent.com/grafana/azure_eventhub_to_loki/refs/tags/<azure_eventhub_to_loki-VERSION>/azdeploy.json \
   --parameters packageUri=https://github.com/grafana/azure_eventhub_to_loki/releases/download/<azure_eventhub_to_loki-VERSION>/logexport.<azure_eventhub_to_loki-VERSION>.zip \
   --parameters lokiEndpoint='<Grafana_Target_endpoint_URL>' \
   --parameters lokiUsername='<Grafana_Loki_User>' \
   --parameters lokiPassword='<Grafana_Logs_Write_Access_token>'
   ```

### Create deployment with Terraform

Terraform can also consume the ARM template by using the following snippet, after you have updated the following items:

- `azure_eventhub_to_loki` VERSION number
- Azure Resource group name
- Azure location
- Grafana Target endpoint URL
- Grafana Loki User
- Grafana Logs Write Access token

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=3.0.0"
    }
  }
}

provider "azurerm" {
  features {
  }
}

data "http" "template" {
  url = "https://raw.githubusercontent.com/grafana/azure_eventhub_to_loki/refs/tags/<azure_eventhub_to_loki-VERSION>/azdeploy.json"

  lifecycle {
    postcondition {
      condition     = self.status_code == 200
      error_message = "Unsuccessful status code attempting to download template"
    }
  }
}

resource "azurerm_resource_group" "logexport" {
  name     = "<Azure_Resource_Group_name>"
  location = "<Azure_location>"
}

resource "azurerm_resource_group_template_deployment" "logexport" {
  name                = "${azurerm_resource_group.logexport.name}-deploy"
  resource_group_name = azurerm_resource_group.logexport.name
  # Complete mode deletes resources in the resource group that are not defined in the template.
  deployment_mode     = "Complete"
  template_content    = data.http.template.response_body

  parameters_content = jsonencode({
    "lokiEndpoint" = {
      value = "<Grafana_Target_endpoint_URL>"
    }
    "lokiUsername" = {
      value = "<Grafana_Loki_User>"
    }
    "lokiPassword" = {
      value = "<Grafana_Logs_Write_Access_token>"
    }
    "packageUri" = {
      value = "https://github.com/grafana/azure_eventhub_to_loki/releases/download/<azure_eventhub_to_loki-VERSION>/logexport.<azure_eventhub_to_loki-VERSION>.zip"
    }
  })
}
```

### Configure your resources to route logs to Event Hub

To set up a [diagnostic settings](https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/create-diagnostic-settings?tabs=portal) configuration for one or more resources that route logs to the newly created Event Hub, complete the following steps in the Azure portal.

1. Navigate to Azure Monitor.
2. Under **Settings**, click **Diagnostic settings**.
3. Click the resource you would like to obtain logs from.
4. Click **+ Add diagnostic setting** to add a new diagnostic setting.
5. Under **Logs** / **Categories**, select any options for logs you would like.
6. Under **Destination details**, select **Stream to an event hub** as the destination, then choose the event hub namespace and the event hub name you created in the previous section.
7. Click **Save** to save your diagnostic setting. Your resource begins sending logs to the specified event hub.
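
The portal steps above can also be scripted with the Azure CLI, which makes it easier to apply the same log categories to many resources. This is an added example, not part of the original documentation or the `azure_eventhub_to_loki` project; the function names and the `DRY_RUN` variable are assumptions, and it covers resource-level diagnostic settings only.

```shell
#!/bin/sh
# Added example: function names and DRY_RUN are hypothetical, not project code.

# Build the JSON array for `--logs` from log category names.
# Categories differ per resource type; list the valid ones with:
#   az monitor diagnostic-settings categories list --resource <resource_id>
# The function body runs in a subshell, so its variables stay local.
build_logs_json() (
  json=""
  for category in "$@"; do
    # Assumption: category names use only letters, digits, "-" and "_".
    # Anything else is rejected so it cannot break out of the JSON string.
    case "$category" in
      "" | *[!A-Za-z0-9_-]*)
        echo "invalid log category: $category" >&2
        exit 1 ;;
    esac
    json="${json:+$json,}{\"category\":\"$category\",\"enabled\":true}"
  done
  [ -n "$json" ] || { echo "no log categories given" >&2; exit 1; }
  printf '[%s]' "$json"
)

# Create a diagnostic setting that streams the chosen categories of one
# resource to the event hub. Arguments: resource ID, event hub authorization
# rule ID, event hub name, setting name, then one or more categories.
# With DRY_RUN=1 (the default) the command is printed instead of executed.
route_logs_to_eventhub() (
  [ "$#" -ge 5 ] || {
    echo "usage: route_logs_to_eventhub RESOURCE_ID RULE_ID HUB NAME CATEGORY..." >&2
    exit 2
  }
  resource_id=$1 rule_id=$2 hub_name=$3 setting_name=$4
  shift 4
  logs=$(build_logs_json "$@") || exit 1
  set -- az monitor diagnostic-settings create \
    --name "$setting_name" --resource "$resource_id" \
    --event-hub "$hub_name" --event-hub-rule "$rule_id" \
    --logs "$logs"
  if [ "${DRY_RUN:-1}" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
)
```

Review the printed command first, then set `DRY_RUN=0` to create the setting. Selecting only the categories you need keeps the volume sent to the event hub and to Loki under control.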

## View your logs

Navigate to the Azure Logs view in Cloud Provider Observability to see your logs.

1. Open your Grafana Instance.
2. Click **Cloud Provider** in the main navigation.
3. Click **Azure**.
4. Click the **Logs** tab.

Any logs sent to the Event Hub appear here with minimal delay.
