|
| 1 | +--- |
| 2 | +title: Centralized Configuration of Activity Logs to Event Hub |
| 3 | +description: Step-by-step guidance on how to set up Azure Activity Logs to be centrally exported to a single Event Hub. |
| 4 | +ms.date: 07/17/2025 |
| 5 | +ms.reviewer: v-liuamson; v-gsitser |
| 6 | +ms.service: azure-monitor |
| 7 | +ms.custom: I can’t configure export of Activity Logs |
| 8 | +--- |
| 9 | + |
| 10 | +# Centralized Configuration of Activity Logs to Event Hub |
| 11 | + |
| 12 | +## Introduction |
| 13 | + |
| 14 | +This article provides guidance on setting up Azure Activity Logs to be centrally exported to a single Event Hub. This setup is useful for organizations looking to streamline log management across multiple Azure subscriptions and forward logs to third-party SIEM solutions. |
| 15 | + |
| 16 | +Organizations often require a centralized approach to manage Activity Logs across numerous subscriptions. This guide outlines the steps to configure Azure Policies to automate the streaming of these logs to a specified Event Hub, addressing common challenges and considerations. |
| 17 | + |
| 18 | +## Step-by-Step Instructions to Configure Activity Logs |
| 19 | + |
| 20 | +### 1. Create an Azure Policy for Activity Logs |
| 21 | + |
| 22 | +- Navigate to the Azure portal and access the **Azure Policy** service. |
| 23 | +- Create a new policy definition using the JSON provided in the community example. This policy should automate the enablement of activity log diagnostics settings across all subscriptions under a management group. |
| 24 | + |
| 25 | +### 2. Assign the Policy to Management Group |
| 26 | + |
| 27 | +- Assign the newly created policy to the desired management group containing the required subscriptions. |
| 28 | +- Ensure that the policy is set to send data to the specified Event Hub. |
| 29 | + |
| 30 | +### 3. Configure Log Analytics Workspace |
| 31 | + |
| 32 | +- Access the **Log Analytics Workspace** in the Azure portal. |
| 33 | +- Set up data export rules to forward logs from the Log Analytics Workspace to the Event Hub. Specify the source table as `AzureActivity` and the destination as the central Event Hub. |
| 34 | + |
| 35 | +### 4. Verify Event Hub Configuration |
| 36 | + |
| 37 | +- Ensure the Event Hub is configured to handle the expected log volume from all subscriptions. |
| 38 | +- Review performance benchmarks and adjust the Event Hub tier if necessary to manage logs efficiently. |
| 39 | + |
| 40 | +### 5. Monitor and Adjust |
| 41 | + |
| 42 | +- Regularly monitor the Event Hub's performance and log flow. |
| 43 | +- Adjust configurations as needed to optimize performance and cost. |
| 44 | + |
| 45 | +## Common Issues and Solutions |
| 46 | + |
| 47 | +- **Performance Concerns:** If the Event Hub struggles with the log volume, consider upgrading the tier or distributing logs across multiple hubs. |
| 48 | +- **Policy Limitations:** Azure Policy may require manual steps for each subscription. Ensure all configurations are correctly applied. |
| 49 | + |
| 50 | +## Reference |
| 51 | + |
| 52 | +- [Azure Policy Assignment to Enable Activity Log on Subscription](https://learn.microsoft.com/azure/policy-assignment-to-enable-activity-log-on-subscription) |
| 53 | +- [Azure Event Hubs Overview](https://learn.microsoft.com/azure/event-hubs/event-hubs-about) |
| 54 | + |
| 55 | +If the issue persists after following the solution steps, please open a support case for further assistance. |
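Review bot: Steps 2 and 3 (new-file lines 28 and 33) describe two different routes into the same Event Hub without saying how they relate. The policy's diagnostic setting already sends Activity Logs to the hub, and the workspace data export rule then forwards `AzureActivity` to that hub as well. A reader who follows both could end up with duplicate events in the SIEM feed, or be unsure whether a workspace is required at all. State whether step 3 is an alternative to the policy route or an addition to it, and if both are intended, say how the consumer should tell the two streams apart. Step 1 (line 23) refers to "the JSON provided in the community example" with no link or inline definition, so the policy cannot be reproduced from this page; link the example or include the definition. The "Policy Limitations" bullet (line 48) says manual steps may be needed per subscription, which conflicts with step 1's claim that the policy automates enablement across the management group; name the manual steps and when they apply. The first reference URL (line 52) has no service segment in its path, unlike the Event Hubs link below it; confirm that it resolves before merging.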