Routing logs in Azure is essential for maintaining visibility, compliance, and operational efficiency across your cloud infrastructure. Azure provides several solutions for effective log routing that architects should consider.

Azure Monitor serves as the central platform for collecting and routing logs from various Azure resources. It captures activity logs, resource logs, and metrics, then routes them to multiple destinations based on your requirements. Diagnostic Settings are the primary mechanism for configuring log routing. You can create diagnostic settings on Azure resources to send logs to three main destinations: Log Analytics workspaces for advanced querying and analysis, Azure Storage accounts for long-term retention and archival, and Azure Event Hubs for streaming to external SIEM solutions or third-party tools.

For enterprise scenarios, Azure Monitor Logs with Log Analytics provides powerful Kusto Query Language capabilities, enabling complex analysis and correlation across multiple log sources. This is ideal for operational insights and troubleshooting. When compliance requires long-term log retention, routing logs to Azure Storage with immutable blob storage ensures data integrity and meets regulatory requirements. Storage lifecycle management policies can automate tiering and deletion based on retention policies. For real-time processing and integration with external systems, Event Hubs enables streaming logs to solutions like Splunk, Datadog, or custom applications. This supports scenarios requiring low-latency log processing.

Azure Policy can enforce diagnostic settings across subscriptions, ensuring consistent log routing configuration. Deploy policies that automatically configure newly created resources to send logs to designated destinations. For multi-subscription environments, consider centralizing logs in a dedicated Log Analytics workspace using Azure Lighthouse or management groups. This approach simplifies governance and provides unified visibility across the organization while maintaining proper access controls through role-based access control mechanisms.
Recommend a Solution for Routing Logs - AZ-305 Complete Guide
Why Log Routing is Important
Log routing is a critical component of any enterprise Azure architecture. It enables organizations to:
• Centralize monitoring data from multiple sources for unified analysis
• Meet compliance requirements by storing logs in specific locations or formats
• Optimize costs by sending different log types to appropriate destinations
• Enable real-time alerting and automated responses to security threats
• Support multiple teams with different log consumption needs
What is Log Routing in Azure?
Log routing refers to the process of directing diagnostic logs, metrics, and activity logs from Azure resources to one or more destinations. Azure provides several mechanisms to collect, transform, and route logs to various endpoints.
Key Components:
• Azure Monitor - The central platform for collecting and analyzing telemetry
• Diagnostic Settings - Configure where resource logs are sent
• Log Analytics Workspace - Primary destination for querying and analysis
• Azure Event Hubs - For streaming to external SIEM solutions
• Azure Storage Accounts - For long-term archival and compliance
• Data Collection Rules (DCR) - Define how data is collected and transformed
Step 2: Collection Configuration
Configure diagnostic settings on each resource to specify:
• Which log categories to collect
• Which destination(s) to send logs to
• Retention policies where applicable
Step 3: Routing Destinations
Log Analytics Workspace: Best for querying with KQL, creating alerts, and dashboards
Storage Account: Best for long-term retention, compliance archival, and cost-effective storage
Event Hubs: Best for streaming to third-party SIEM tools like Splunk or external systems
Partner Solutions: Send to integrated partner monitoring solutions
Step 4: Data Collection Rules
Use DCRs for advanced scenarios:
• Filter data before ingestion to reduce costs
• Transform data using KQL
• Route to multiple destinations with different transformations
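Steps 2 and 3 come together in a single diagnostic setting. As an added example that is not part of the original guide, the following Bicep fans a Key Vault's audit logs and metrics out to all three destinations at once; every resource name, the event hub name, and the assumption that the destinations already exist are constructed for illustration.

```bicep
// Added example (not from the guide): one diagnostic setting routing a Key Vault's
// logs to Log Analytics (query/alerts), Storage (archival) and Event Hubs (SIEM stream).
// All names below are assumptions; the four referenced resources are assumed to exist.

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: 'kv-prod-example'
}

resource law 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  name: 'law-central-example'
}

resource archive 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
  name: 'stlogarchiveexample'
}

resource ehNamespace 'Microsoft.EventHub/namespaces@2022-10-01-preview' existing = {
  name: 'evhns-siem-example'
}

// Shared access rule the diagnostic setting uses to publish into the namespace
resource ehAuth 'Microsoft.EventHub/namespaces/authorizationRules@2022-10-01-preview' existing = {
  parent: ehNamespace
  name: 'RootManageSharedAccessKey'
}

resource diag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'route-kv-logs'
  scope: kv                                   // diagnostic settings are scoped per resource
  properties: {
    workspaceId: law.id                       // destination 1: Log Analytics
    storageAccountId: archive.id              // destination 2: Storage archival
    eventHubAuthorizationRuleId: ehAuth.id    // destination 3: Event Hubs
    eventHubName: 'security-logs'             // hub inside the namespace (assumed to exist)
    logs: [
      {
        categoryGroup: 'audit'                // 'allLogs' would send every category instead
        enabled: true
      }
    ]
    metrics: [
      {
        category: 'AllMetrics'
        enabled: true
      }
    ]
  }
}
```

A storage account used as a diagnostic-settings destination must be in the same region as the monitored resource; the workspace and Event Hubs namespace can be elsewhere, which is why a single central workspace works across regions.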
Common Log Routing Scenarios
Scenario 1: Multi-region centralization
Route all regional logs to a single Log Analytics workspace for unified monitoring

Scenario 2: Compliance archival
Send logs to both Log Analytics (for analysis) and Storage Account (for 7-year retention)

Scenario 3: Third-party SIEM integration
Stream security logs to Event Hubs for consumption by Splunk or other SIEM platforms

Scenario 4: Cost optimization
Use DCRs to filter verbose logs and only ingest critical data to Log Analytics
Key Decision Factors
Choose Log Analytics Workspace when you need:
• Real-time querying and analysis
• Azure Monitor alerts and workbooks
• Integration with Microsoft Sentinel

Choose Storage Account when you need:
• Long-term retention beyond 2 years
• Lowest cost storage option
• Compliance archival requirements

Choose Event Hubs when you need:
• Integration with third-party tools
• Real-time streaming to external systems
• Custom processing pipelines
Exam Tips: Answering Questions on Log Routing
Tip 1: Know destination strengths
Questions often present scenarios requiring you to choose between Log Analytics, Storage, and Event Hubs. Remember their primary use cases.

Tip 2: Watch for cost optimization keywords
If a question mentions reducing ingestion costs or filtering data, think about Data Collection Rules with transformations.

Tip 3: Compliance equals Storage Account
When you see requirements for long-term retention (years) or audit compliance, Storage Account is typically part of the answer.

Tip 4: Third-party SIEM means Event Hubs
Any mention of Splunk, external security tools, or streaming to non-Azure systems points to Event Hubs.

Tip 5: Multiple destinations are valid
A single resource can send logs to multiple destinations simultaneously. Do not assume you must choose only one.

Tip 6: Understand diagnostic settings scope
Diagnostic settings are configured per resource. For subscription-level activity logs, use subscription diagnostic settings.

Tip 7: Consider data residency
If questions mention data sovereignty or regional requirements, consider the location of your Log Analytics workspace and storage accounts.

Tip 8: Microsoft Sentinel integration
When security monitoring or SIEM within Azure is mentioned, Log Analytics with Microsoft Sentinel is the appropriate solution.
Common Exam Question Patterns
• You need to retain logs for 5 years while also enabling real-time queries... → Configure diagnostic settings to send to both Log Analytics AND Storage Account
• You need to integrate with an existing Splunk deployment... → Use Event Hubs as the destination
• You need to reduce log ingestion costs while keeping important data... → Implement Data Collection Rules with filtering transformations
• You need centralized monitoring across multiple subscriptions... → Use a single Log Analytics workspace with appropriate RBAC