Merge pull request #297299 from v-lanjunli/seventhub

new doc how-to-use-certsp-emit-log-to-eventhub

Author: v-ccolin

articles/synapse-analytics/spark/apache-spark-azure-log-analytics.md

@@ -57,11 +57,12 @@ spark.synapse.diagnostic.emitter.LA.secret: <LOG_ANALYTICS_WORKSPACE_KEY>
 #### Option 2: Configure with Azure Key Vault
 
 > [!NOTE]
-> You need to grant read secret permission to the users who will submit Apache Spark applications. For more information, see [Provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control](/azure/key-vault/general/rbac-guide). When you enable this feature in a Synapse pipeline, you need to use **Option 3**. This is necessary to obtain the secret from Azure Key Vault with workspace managed identity.
+> You need to grant read secret permission to the users who submit Apache Spark applications. For more information, see [Provide access to Key Vault keys, certificates, and secrets with an Azure role-based access control](/azure/key-vault/general/rbac-guide). When you enable this feature in a Synapse pipeline, you need to use **Option 3**. This is necessary to obtain the secret from Azure Key Vault with workspace managed identity.
 
 To configure Azure Key Vault to store the workspace key, follow these steps:
 
 1. Create and go to your key vault in the Azure portal.
+1. Grant the right permission to the users or workspace managed identities.
 1. On the settings page for the key vault, select **Secrets**.
 1. Select **Generate/Import**.
 1. On the **Create a secret** screen, choose the following values:
@@ -145,7 +146,7 @@ You can create an Apache Spark Configuration to your workspace, and when you cre
    1. Select **New** button to create a new Apache Spark configuration.
    1. **New Apache Spark configuration** page will be opened after you select **New** button.
 
-      :::image type="content" source="./media/apache-spark-azure-log-analytics/create-spark-configuration.png" alt-text="Screenshot that create spark configuration.":::
+      :::image type="content" source="./media/apache-spark-azure-log-analytics/create-spark-configuration.png" alt-text="Screenshot that creates Spark configuration.":::
 
    1. For **Name**, you can enter your preferred and valid name.
    1. For **Description**, you can input some description in it.
@@ -276,7 +277,7 @@ You can follow below steps to create a managed private endpoint connection to Az
 1. Navigate to your AMPLS in Azure portal again, on the **Private Endpoint connections** page, select the connection provisioned and **Approve**.
 
 > [!NOTE]
->  - The AMPLS object has a number of limits you should consider when planning your Private Link setup. See [AMPLS limits](/azure/azure-monitor/logs/private-link-security) for a deeper review of these limits. 
+>  - The AMPLS object has many limits you should consider when planning your Private Link setup. See [AMPLS limits](/azure/azure-monitor/logs/private-link-security) for a deeper review of these limits. 
 >  - Check if you have [right permission](../security/synapse-workspace-access-control-overview.md) to create managed private endpoint.
 
 ## Available configurations
@@ -287,10 +288,10 @@ You can follow below steps to create a managed private endpoint connection to Az
 | `spark.synapse.diagnostic.emitter.<destination>.type`                       | Required. Built-in destination type. To enable Azure Log Analytics destination, AzureLogAnalytics needs to be included in this field.|
 | `spark.synapse.diagnostic.emitter.<destination>.categories`                 | Optional. The comma-separated selected log categories. Available values include `DriverLog`, `ExecutorLog`, `EventLog`, `Metrics`. If not set, the default value is **all** categories. |
 | `spark.synapse.diagnostic.emitter.<destination>.workspaceId`                       | Required. To enable Azure Log Analytics destination, workspaceId needs to be included in this field. |
-| `spark.synapse.diagnostic.emitter.<destination>.secret`                        | Optional. The secret (Log Aanalytics key) content.  To find this, in the Azure portal, go to Azure Log Analytics workspace > Agents > Primary key. |
+| `spark.synapse.diagnostic.emitter.<destination>.secret`                        | Optional. The secret (Log Analytics key) content.  To find this, in the Azure portal, go to Azure Log Analytics workspace > Agents > Primary key. |
 | `spark.synapse.diagnostic.emitter.<destination>.secret.keyVault`            | Required if `.secret` is not specified. The [Azure Key vault](/azure/key-vault/general/overview) name where the secret (AccessKey or SAS) is stored. |
 | `spark.synapse.diagnostic.emitter.<destination>.secret.keyVault.secretName` | Required if `.secret.keyVault` is specified. The Azure Key vault secret name where the secret is stored. |
-| `spark.synapse.diagnostic.emitter.<destination>.secret.keyVault.linkedService` | Optional. The Azure Key vault linked service name. When enabled in Synapse pipeline, this is necessary to obtain the secret from AKV. (Please make sure MSI has read permission on the AKV). |
+| `spark.synapse.diagnostic.emitter.<destination>.secret.keyVault.linkedService` | Optional. The Azure Key vault linked service name. When enabled in Synapse pipeline, this is necessary to obtain the secret from Azure Key vault. (Make sure the MSI has read access to the Azure Key vault). |
 | `spark.synapse.diagnostic.emitter.<destination>.filter.eventName.match`     | Optional. The comma-separated Log4j logger names, you can specify which logs to collect. For example `SparkListenerApplicationStart,SparkListenerApplicationEnd` |
 | `spark.synapse.diagnostic.emitter.<destination>.filter.loggerName.match`    | Optional. The comma-separated log4j logger names, you can specify which logs to collect. For example: `org.apache.spark.SparkContext,org.example.Logger` |
 | `spark.synapse.diagnostic.emitter.<destination>.filter.metricName.match`    | Optional. The comma-separated spark metric name suffixes, you can specify which metrics to collect. For example:`jvm.heap.used` |

articles/synapse-analytics/spark/azure-synapse-diagnostic-emitters-azure-eventhub.md

@@ -1,6 +1,6 @@
 ---
 title: Collect your Apache Spark applications logs and metrics using Azure Event Hubs 
-description: In this tutorial, you learn how to use the Synapse Apache Spark diagnostic emitter extension to emit Apache Spark applications’ logs, event logs and metrics to your Azure Event Hubs.
+description: In this tutorial, you learn how to use the Synapse Apache Spark diagnostic emitter extension to emit Apache Spark applications' logs, event logs, and metrics to your Azure Event Hubs.
 author: hrasheed-msft
 ms.author: jejiang
 
@@ -14,7 +14,7 @@ ms.date: 08/31/2021
 
 The Synapse Apache Spark diagnostic emitter extension is a library that enables the Apache Spark application to emit the logs, event logs, and metrics to one or more destinations, including Azure Log Analytics, Azure Storage, and Azure Event Hubs. 
 
-In this tutorial, you learn how to use the Synapse Apache Spark diagnostic emitter extension to emit Apache Spark applications’ logs, event logs, and metrics to your Azure Event Hubs.
+In this tutorial, you learn how to use the Synapse Apache Spark diagnostic emitter extension to emit Apache Spark applications' logs, event logs, and metrics to your Azure Event Hubs.
 
 ## Collect logs and metrics to Azure Event Hubs
 
@@ -35,7 +35,7 @@ spark.synapse.diagnostic.emitter.MyDestination1.secret <connection-string>
 ```
 
 Fill in the following parameters in the configuration file: `<connection-string>`.
-For more description of the parameters, you can refer to [Azure Event Hubs configurations](#available-configurations).
+For more descriptions of the parameters, you can refer to [Azure Event Hubs configurations](#available-configurations).
 
 ### Step 3: Upload the Apache Spark configuration file to Apache Spark pool
 
@@ -51,21 +51,21 @@ For more description of the parameters, you can refer to [Azure Event Hubs confi
 | `spark.synapse.diagnostic.emitter.<destination>.type`                       | Required. Built-in destination type. To enable Azure Event Hubs destination, the value should be `AzureEventHub`.                                                                                    |
 | `spark.synapse.diagnostic.emitter.<destination>.categories`                 | Optional. The comma-separated selected log categories. Available values include `DriverLog`, `ExecutorLog`, `EventLog`, `Metrics`. If not set, the default value is **all** categories.              |
 | `spark.synapse.diagnostic.emitter.<destination>.secret`                     | Optional. The Azure Event Hubs instance connection string. This field should match this pattern `Endpoint=sb://<FQDN>/;SharedAccessKeyName=<KeyName>;SharedAccessKey=<KeyValue>;EntityPath=<PathName>` |
-| `spark.synapse.diagnostic.emitter.<destination>.secret.keyVault`            | Required if `.secret` is not specified. The [Azure Key vault](/azure/key-vault/general/overview) name where the secret (connection string) is stored.                                                                  |
+| `spark.synapse.diagnostic.emitter.<destination>.secret.keyVault`            | Required if `.secret` isn't specified. The [Azure Key vault](/azure/key-vault/general/overview) (AKV) name where the secret (connection string) is stored.                                                                  |
 | `spark.synapse.diagnostic.emitter.<destination>.secret.keyVault.secretName` | Required if `.secret.keyVault` is specified. The Azure Key vault secret name where the secret (connection string) is stored.                                                                         |
-| `spark.synapse.diagnostic.emitter.<destination>.secret.keyVault.linkedService` | Optional. The Azure Key vault linked service name. When enabled in Synapse pipeline, this is necessary to obtain the secret from AKV. (Please make sure MSI has read permission on the AKV). |
+| `spark.synapse.diagnostic.emitter.<destination>.secret.keyVault.linkedService` | Optional. The Azure Key vault linked service name. When enabled in Synapse pipeline, this is required to obtain the secret from AKV. (Make sure managed service identity (MSI) has read permission on the AKV). |
 | `spark.synapse.diagnostic.emitter.<destination>.filter.eventName.match`     | Optional. The comma-separated spark event names, you can specify which events to collect. For example: `SparkListenerApplicationStart,SparkListenerApplicationEnd` |
-| `spark.synapse.diagnostic.emitter.<destination>.filter.loggerName.match`    | Optional. The comma-separated log4j logger names, you can specify which logs to collect. For example: `org.apache.spark.SparkContext,org.example.Logger` |
+| `spark.synapse.diagnostic.emitter.<destination>.filter.loggerName.match`    | Optional. The comma-separated Log4j logger names, you can specify which logs to collect. For example: `org.apache.spark.SparkContext,org.example.Logger` |
 | `spark.synapse.diagnostic.emitter.<destination>.filter.metricName.match`    | Optional. The comma-separated spark metric name suffixes, you can specify which metrics to collect. For example: `jvm.heap.used` |
 
 
 > [!NOTE]
 >
-> The Azure Eventhub instance connection string should always contains the `EntityPath`, which is the name of the Azure Event Hubs instance.
+> The Azure Event Hubs instance connection string should always contain `EntityPath`, which is the name of the Azure Event Hubs instance.
 
 ## Log data sample
 
-Here is a sample log record in JSON format:
+Here's a sample log record in JSON format:
 
 ```json
 {
@@ -91,8 +91,4 @@ Here is a sample log record in JSON format:
 
 ## Synapse workspace with data exfiltration protection enabled
 
-Azure Synapse Analytics workspaces support enabling data exfiltration protection for workspaces. With exfiltration protection, the logs and metrics cannot be sent out to the destination endpoints directly. You can create corresponding [managed private endpoints](../../synapse-analytics/security/synapse-workspace-managed-private-endpoints.md) for different destination endpoints or [create IP firewall rules](../../synapse-analytics/security/synapse-workspace-ip-firewall.md) in this scenario.
-
-
-
-
+Azure Synapse Analytics workspaces support enabling data exfiltration protection for workspaces. With exfiltration protection, the logs and metrics can't be sent out to the destination endpoints directly. You can create corresponding [managed private endpoints](../../synapse-analytics/security/synapse-workspace-managed-private-endpoints.md) for different destination endpoints or [create IP firewall rules](../../synapse-analytics/security/synapse-workspace-ip-firewall.md) in this scenario.

articles/synapse-analytics/spark/how-to-use-certificate-with-service-principalp-emit-log-event-hubs.md

@@ -0,0 +1,139 @@
+---
+title: How to use certificate and Service Principal emit log to Azure Event Hubs
+description: Learn to setting up Azure services, particularly focusing on integrating Azure Synapse with Azure Event Hubs and Key Vault.
+author: jejiang
+ms.author: jejiang
+ms.reviewer: whhender
+ms.topic: tutorial
+ms.date: 03/24/2025
+---
+
+# How to use certificate and service principal emit log to Azure Event Hubs
+
+The Apache Spark diagnostic emitter extension is a library that allows Spark applications to send logs, event logs, and metrics to destinations like Azure Event Hubs, Azure Log Analytics, and Azure Storage.
+
+In this tutorial, you learn how to create required Azure resources and configure a Spark application with a certificate and service principal to emit logs, event logs, and metrics to Azure Event Hubs using the Apache Spark diagnostic emitter extension.
+
+## Prerequisites
+
+- An Azure subscription. You can also [create a free account](https://azure.microsoft.com/free/) before you get started.
+- [Synapse Analytics workspace](/azure/synapse-analytics/get-started-create-workspace).
+- [Azure Event Hubs](/azure/event-hubs/event-hubs-about).
+- [Azure Key Vault](/azure/key-vault/general/overview)
+- [App Registration](https://ms.portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade)
+
+> [!Note]
+>
+> To complete this tutorial's steps, you need to have access to a resource group for which you're assigned the Owner role. 
+>
+
+## Step 1. Register an application
+
+1. Sign in to the [Azure portal](https://portal.azure.com/) and go to [App registrations](/entra/identity-platform/quickstart-register-app#register-an-application).
+2. Create a new app registration for your Synapse workspace.
+
+     :::image type="content" source="media\how-to-use-certificate-with-service-principalp-emit-log-event-hubs\create-a-new-app-registration.png" alt-text="Screenshot showing create a new app registration.":::
+
+## Step 2. Generate a certificate in Key Vault
+
+1. Navigate to Key Vault.
+2. Expand the **Object**, and select the **Certificates**.
+3. Click on **Generate/Import**. 
+
+     :::image type="content" source="media\how-to-use-certificate-with-service-principalp-emit-log-event-hubs\generate-a-new-certificate.png" alt-text="Screenshot showing generate a new certificate for app.":::
+
+## Step 3. Trust the certificate in the application 
+
+1. Go to the app created in Step 1 -> **Manage** -> **Manifest**. 
+2. Append the certificate details to the manifest file to establish trust. 
+
+     ```
+          "trustedCertificateSubjects": [ 
+               { 
+               "authorityId": "00000000-0000-0000-0000-000000000001", 
+               "subjectName": "Your-Subject-of-Certificate", 
+               "revokedCertificateIdentifiers": [] 
+               } 
+          ] 
+     ```
+
+     :::image type="content" source="media\how-to-use-certificate-with-service-principalp-emit-log-event-hubs\trust-the-certificate.png" alt-text="Screenshot showing trust the certificate in the application.":::
+
+## Step 4. Assign Azure Event Hubs Data Sender Role 
+
+1. In Azure Event Hubs, navigate to Access control (IAM).
+2. Assign the Azure Event Hubs data sender role to the application (service principal).
+
+     :::image type="content" source="media\how-to-use-certificate-with-service-principalp-emit-log-event-hubs\assign-azure-event-hubs-data-sender-role.png" alt-text="Screenshot showing assign Azure event hubs data sender role.":::
+
+## Step 5. Create a linked service in Synapse
+
+1. In Synapse Analytics workspace, go to **Manage** -> **linked service**.
+2. Create a new **linked Service** in Synapse to connect to **Key Vault**. 
+
+     :::image type="content" source="media\how-to-use-certificate-with-service-principalp-emit-log-event-hubs\create-a-linked-service-in-synapse.png" alt-text="Screenshot showing create a linked service in synapse.":::
+
+## Step 6. Assign reader role to linked service in Key Vault
+
+1. Get the workspace managed identity ID from the linked service. The **managed identity name** and **object ID** for the linked service is under **Edit linked service**. 
+
+     :::image type="content" source="media\how-to-use-certificate-with-service-principalp-emit-log-event-hubs\managed-identity-name-and-object-id.png" alt-text="Screenshot showing managed identity name and object ID are in edit linked service.":::
+
+2. In **Key Vault**, assign the linked service a **Reader** role. 
+
+## Step 7. Configure with a linked service
+
+Gather the following values and add to the Apache Spark configuration.
+
+- **<EMITTER_NAME>**: The name for the emmiter.
+- **<CERTIFICATE_NAME>**: The certificate name that you generated in the key vault.
+- **<LINKED_SERVICE_NAME>**: The Azure Key vault linked service name.
+- **<EVENT_HUB_HOST_NAME>**: The Azure Event Hubs host name, you can find it in Azure Event Hubs Namespace -> Overview -> Host name.
+- **<SERVICE_PRINCIPAL_TENANT_ID>**: The service principal tenant ID, you can find it in App registrations -> your app name -> Overview -> Directory (tenant) ID
+- **<SERVICE_PRINCIPAL_CLIENT_ID>**: The service principal client ID, you can find it in registrations -> your app name -> Overview -> Application(client) ID
+- **<EVENT_HUB_ENTITY_PATH>**: The Azure Event Hubs entity path, you can find it in Azure Event Hubs Namespace -> Overview -> Host name.
+
+```
+     "spark.synapse.diagnostic.emitters": <EMITTER_NAME>,
+     "spark.synapse.diagnostic.emitter.<EMITTER_NAME>.type": "AzureEventHub",
+     "spark.synapse.diagnostic.emitter.<EMITTER_NAME>.categories": "DriverLog,ExecutorLog,EventLog,Metrics",
+     "spark.synapse.diagnostic.emitter.<EMITTER_NAME>.certificate.keyVault.certificateName": <CERTIFICATE_NAME>",
+     "spark.synapse.diagnostic.emitter.<EMITTER_NAME>.certificate.keyVault.linkedService": <LINKED_SERVICE_NAME>,
+     "spark.synapse.diagnostic.emitter.<EMITTER_NAME>.hostName": <EVENT_HUB_HOST_NAME>,
+     "spark.synapse.diagnostic.emitter.<EMITTER_NAME>.tenantId": <SERVICE_PRINCIPAL_TENANT_ID>,
+     "spark.synapse.diagnostic.emitter.<EMITTER_NAME>.clientId": <SERVICE_PRINCIPAL_CLIENT_ID>,
+     "spark.synapse.diagnostic.emitter.<EMITTER_NAME>.entityPath": <EVENT_HUB_ENTITY_PATH>
+```
+
+## Step 8. Submit an Apache Spark application and view the logs and metrics
+
+You can use the Apache Log4j library to write custom logs.
+
+Example for Scala:
+
+```scala
+%%spark
+val logger = org.apache.log4j.LogManager.getLogger("com.contoso.LoggerExample")
+logger.info("info message")
+logger.warn("warn message")
+logger.error("error message")
+//log exception
+try {
+      1/0
+ } catch {
+      case e:Exception =>logger.warn("Exception", e)
+}
+// run job for task level metrics
+val data = sc.parallelize(Seq(1,2,3,4)).toDF().count()
+```
+
+Example for PySpark:
+
+```python
+%%pyspark
+logger = sc._jvm.org.apache.log4j.LogManager.getLogger("com.contoso.PythonLoggerExample")
+logger.info("info message")
+logger.warn("warn message")
+logger.error("error message")
+```
+

articles/synapse-analytics/spark/media/how-to-use-certificate-with-service-principalp-emit-log-event-hubs/assign-azure-event-hubs-data-sender-role.png

@@ -816,10 +816,12 @@ items:
         href: ./spark/azure-synapse-diagnostic-emitters-azure-storage.md
       - name: Collect Apache Spark applications logs and metrics with Azure Event Hubs
         href: ./spark/azure-synapse-diagnostic-emitters-azure-eventhub.md
+      - name: Collect Apache Spark applications logs and metrics by certificate and service principal
+        href: ./spark/how-to-use-certificate-with-service-principalp-emit-log-event-hubs.md
       - name: Manage Apache Spark configuration
         href: ./spark/apache-spark-azure-create-spark-configuration.md
       - name: Apache Spark Advisor
-        href: ./monitoring/apache-spark-advisor.md          
+        href: ./monitoring/apache-spark-advisor.md
     - name: Data sources
       items:
         - name: Azure Cosmos DB Spark 3