elastic · devamanv · Oct 12, 2025 · Oct 12, 2025 · alaudazzi · Oct 19, 2025
@@ -1,32 +1,37 @@
-# Azure Functions
+# Azure Functions Integration for Elastic
 
-The Azure Functions integration allows you to monitor Azure Functions. Azure Functions is an event-driven, serverless compute platform that helps you develop more efficiently using the programming language of your choice. Triggers cause a function to run. A trigger defines how a function is invoked and a function must have exactly one trigger. 
+## Overview
+
+Azure Functions integration for Elastic enables collection of logs and metrics that give insight into the performance of your Azure Function Apps. The integration includes an out-of-the-box dashboard for visualising the monitoring data generated by apps hosted in Azure Functions.
+
+Azure Functions is an event-driven, serverless compute platform that helps you develop more efficiently using the programming language of your choice. Triggers cause a function to run. A trigger defines how a function is invoked and a function must have exactly one trigger. 
 
 Use Azure Functions to build web APIs, respond to database changes, process IoT streams, manage message queues, and more. Refer common [Azure Functions scenarios](https://learn.microsoft.com/en-us/azure/azure-functions/functions-scenarios?pivots=programming-language-csharp) for more information.
 
-## Hosting plans and metrics
+### Compatibility
 
-Each Azure Functions app requires a hosting plan: Consumption plan, Flex Consumption plan, Premium plan, Dedicated plan, or Container Apps. For more details on the various plans, check the [Azure Functions hosting options](https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale?WT.mc_id=Portal-WebsitesExtension).
+This integration is compatible with Azure Functions runtime version 4.x.
 
-These plans differ from eachother in the number of metrics they generate, which are then exported outside of Azure for other monitoring solutions like Elastic Observability. For example, metrics specific to Azure Function Apps, such as 'FunctionExecutionCount' and 'FunctionExecutionUnits', are only available for function apps operating on a Consumption (serverless) plan and are not observed in other plans. On the other hand, all other metrics are generated exclusively for Premium and Dedicated plans and are not available for the Consumption plan.
+Metrics are collected from the Azure Monitor provider `Microsoft.Web/sites` and are available for Function Apps running on Windows and Linux under Consumption, Premium, and Dedicated (App Service) plans.
 
-## Data streams
-The Azure Functions integration contains two data streams: [Function App Logs](#logs) and [Metrics](#metrics)
+Support for specific metrics may vary depending on the hosting plan and region. Some metrics (such as AppConnections and AverageMemoryWorkingSet) are available only for Premium and Dedicated plans. For more details on the various plans, check the [Azure Functions hosting options](https://learn.microsoft.com/en-us/azure/azure-functions/functions-scale?WT.mc_id=Portal-WebsitesExtension).
 
-### Logs
 
-Supported log categories:
+## What data does this integration collect?
 
-| Log Category                 | Description                                                                                                                          |
-|:----------------------------:|:------------------------------------------------------------------------------------------------------------------------------------:|
-| Functionapplogs | Function app logs.        |
+The Azure Functions integration collects data of the following types: 
+* [Function App Logs](https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/functionapplogs) - detailed logs for function executions, errors, and diagnostic information
+* [Metrics](https://learn.microsoft.com/en-us/azure/azure-monitor/reference/supported-metrics/microsoft-web-sites-metrics) - quantitative measurements of function performance and resource usage
 
+## What do I need to use this integration?
 
-#### Requirements and setup
+Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). You can install only one Elastic Agent per host.
 
 Refer to the [Azure Logs](https://docs.elastic.co/integrations/azure) page for more information about setting up and using this integration.
 
-#### Configuration options
+## How do I deploy this integration?
+
+### Configuration options
 `eventhub` :
   _string_
 An Event Hub is a fully managed, real-time data ingestion service. Elastic recommends using only letters, numbers, and the hyphen (-) character for Event Hub names to maximize compatibility. You can use existing Event Hubs having underscores (_) in the Event Hub name; in this case, the integration will replace underscores with hyphens (-) when it uses the Event Hub name to create dependent Azure resources behind the scenes (e.g., the storage account container to store Event Hub consumer offsets). Elastic also recommends using a separate event hub for each log type as the field mappings of each log type differ.
@@ -75,27 +80,11 @@ https://management.azure.com/
 https://management.usgovcloudapi.net/
 ```
 
-{{event "functionapplogs"}}
-
-**ECS Field Reference**
-
-Please refer to the following [document](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html) for detailed information on ECS fields.
-
-{{fields "functionapplogs"}}
-
-### Metrics
-**Metrics** give you insight into the performance of your Azure Function Apps. The integration includes an out-of-the-box dashboard for visualising the monitoring data generated by apps hosted in Azure Functions.
-
-#### Requirements
-
 To use this integration you will need:
 
 * **Azure App Registration**: You need to set up an Azure App Registration to allow the Agent to access the Azure APIs. The App Registration requires the Monitoring Reader role to access to be able to collect metrics from Function Apps. See more details in the Setup section.
 * **Elasticsearch and Kibana**: You need Elasticsearch to store and search your data and Kibana to visualize and manage it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, the [Native Azure Integration](https://azuremarketplace.microsoft.com/en/marketplace/apps/elastic.ec-azure-pp?tab=overview), or self-manage the Elastic Stack on your hardware.
 
-#### Setup
-
-
 ```text
          ┌────────────────────┐       ┌─────────┐       ┌─-─────────────────────┐
          │                    │       │         │       │    azure.functions    │
@@ -111,7 +100,7 @@ To start collecting data with this integration, you need to:
 * Set up a new Azure app registration by registering an app, adding credentials, and assigning an appropriate role.
 * Specify integration [settings](#main-options) in Kibana, which will determine how the integration will access the Azure APIs.
 
-#### Register a new app
+### Register a new app
 
 To create a new app registration:
 
@@ -125,7 +114,7 @@ To create a new app registration:
 
 Take note of the **Application (client) ID**, which you will use later when specifying the **Client ID** in the integration settings.
 
-#### Add credentials
+### Add credentials
 
 Credentials allow your application to access Azure APIs and authenticate itself, requiring no interaction from a user at runtime.
 
@@ -139,7 +128,7 @@ This integration uses Client Secrets to prove its identity.
 
 Take note of the content in the **Value** column in the **Client secrets** table, which you will use later when specifying a **Client Secret** in the integration settings. **This secret value is never displayed again after you leave this page.** Record the secret's value in a safe place.
 
-#### Assign role
+### Assign role
 
 1. In the [Azure Portal](https://portal.azure.com/), search for and select **Subscriptions**.
 2. Select the subscription to assign the application.
@@ -159,14 +148,14 @@ Take note of the following values, which you will use later when specifying sett
 
 Your App Registration is now ready to be used with the Elastic Agent.
 
-#### Additional Resources
+### Additional Resources
 
 If you want to learn more about this process, you can read these two general guides from Microsoft:
 
 * [Quickstart: Register an application with the Microsoft identity platform](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app) 
 * [Use the portal to create an Azure AD application and service principal that can access resources](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal)
 
-#### Main options
+### Main options
 
 The settings' main section contains all the options needed to access the Azure APIs and collect the Azure Functions metrics data. You will now use all the values from [App registration](#register-a-new-app) including:
 
@@ -182,7 +171,7 @@ The settings' main section contains all the options needed to access the Azure A
 `Tenant ID` _string_
 : The unique identifier of the Azure Active Directory's Tenant ID.
 
-#### Advanced options
+### Advanced options
 
 There are two additional advanced options:
 
@@ -206,12 +195,42 @@ Examples:
 * `https://login.microsoftonline.com` for Azure PublicCloud
 * `https://login.microsoftonline.us` for Azure USGovernmentCloud
 
-#### Metrics Reference
+### Enable the integration in Elastic
 
-{{event "metrics"}}
+1. In Kibana navigate to **Management** > **Integrations**.
+2. In the search bar, type **Azure Functions**.
+3. Select the **Azure Functions** integration and add it.
+4. If needed, install Elastic Agent on the systems which receive syslog messages or log files.
+5. Enable and configure only the collection methods which you will use.
+
+    * **To collect logs via syslog over TCP**, you'll need to configure the syslog server host and port details.
 
-**ECS Field Reference**
+    * **To collect logs via syslog over UDP**, you'll need to configure the syslog server host and port details.
 
-Please refer to the following [document](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html) for detailed information on ECS fields.
+    * **To collect logs via log file**, configure the file path patterns which will be monitored, in the Paths field.
+
+6. Press **Save Integration** to begin collecting logs.
-6. Press **Save Integration** to begin collecting logs.
+6. Click **Save Integration** to begin collecting logs.
-6. Press **Save Integration** to begin collecting logs.
+6. Click **Save Integration** to begin collecting logs.
+
+### Validate log collection
+
+1. In Kibana, navigate to **Dashboards**.
+2. In the search bar, type **Logs PANW**.
+3. Select a dashboard overview for the data type you are collecting, and verify the dashboard information is populated.
+
+## Reference
+
+### ECS field reference for Logs
+
+{{fields "functionapplogs"}}
+
+### Example event
+
+{{event "functionapplogs"}}
+
+### ECS field reference for Metrics
 
 {{fields "metrics"}}
+
+### Example event
+
+{{event "metrics"}}
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.12.0"
+  changes:
+    - description: Update dashboard and documentation.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/15638
 - version: "0.11.0"
   changes:
     - description: Update the ingest pipeline to handle properties field as JSON object or string. 

@@ -29,7 +29,7 @@ resources:
     - resource_group: "{{this}}"
       resource_type: "Microsoft.Web/sites"
       metrics:
-        - name: ["FunctionExecutionCount", "FunctionExecutionUnits", "AppConnections", "AverageMemoryWorkingSet", "BytesReceived", "BytesSent", "CurrentAssemblies", "Gen0Collections", "Gen1Collections", "Gen2Collections", "Handles", "HealthCheckStatus", "Http2xx", "Http3xx", "Http4xx", "Http5xx", "HttpResponseTime", "IoOtherBytesPerSecond", "IoOtherOperationsPerSecond", "IoReadBytesPerSecond", "IoReadOperationsPerSecond", "IoWriteBytesPerSecond", "IoWriteOperationsPerSecond", "MemoryWorkingSet", "Requests", "RequestsInApplicationQueue", "Threads", "TotalAppDomains", "TotalAppDomainsUnloaded"]
+        - name: ["FunctionExecutionCount", "FunctionExecutionUnits", "AppConnections", "AverageMemoryWorkingSet", "BytesReceived", "BytesSent", "Gen0Collections", "Gen1Collections", "Gen2Collections", "Handles", "HealthCheckStatus", "Http2xx", "Http3xx", "Http4xx", "Http5xx", "HttpResponseTime", "IoOtherBytesPerSecond", "IoOtherOperationsPerSecond", "IoReadBytesPerSecond", "IoReadOperationsPerSecond", "IoWriteBytesPerSecond", "IoWriteOperationsPerSecond", "MemoryWorkingSet", "Requests", "RequestsInApplicationQueue", "Threads", "TotalAppDomains", "TotalAppDomainsUnloaded"]
           namespace: "Microsoft.Web/sites"
           timegrain: "PT5M"
           ignore_unsupported: true
@@ -43,7 +43,7 @@ resources:
 {{#each resource_ids}}
     - resource_id: "{{this}}"
       metrics:
-        - name: ["FunctionExecutionCount", "FunctionExecutionUnits", "AppConnections", "AverageMemoryWorkingSet", "BytesReceived", "BytesSent", "CurrentAssemblies", "Gen0Collections", "Gen1Collections", "Gen2Collections", "Handles", "HealthCheckStatus", "Http2xx", "Http3xx", "Http4xx", "Http5xx", "HttpResponseTime", "IoOtherBytesPerSecond", "IoOtherOperationsPerSecond", "IoReadBytesPerSecond", "IoReadOperationsPerSecond", "IoWriteBytesPerSecond", "IoWriteOperationsPerSecond", "MemoryWorkingSet", "Requests", "RequestsInApplicationQueue", "Threads", "TotalAppDomains", "TotalAppDomainsUnloaded"]
+        - name: ["FunctionExecutionCount", "FunctionExecutionUnits", "AppConnections", "AverageMemoryWorkingSet", "BytesReceived", "BytesSent", "Gen0Collections", "Gen1Collections", "Gen2Collections", "Handles", "HealthCheckStatus", "Http2xx", "Http3xx", "Http4xx", "Http5xx", "HttpResponseTime", "IoOtherBytesPerSecond", "IoOtherOperationsPerSecond", "IoReadBytesPerSecond", "IoReadOperationsPerSecond", "IoWriteBytesPerSecond", "IoWriteOperationsPerSecond", "MemoryWorkingSet", "Requests", "RequestsInApplicationQueue", "Threads", "TotalAppDomains", "TotalAppDomainsUnloaded"]
           namespace: "Microsoft.Web/sites"
           timegrain: "PT5M"
           ignore_unsupported: true
@@ -57,7 +57,7 @@ resources:
     {{#unless resource_groups }}
     - resource_query: "resourceType eq 'Microsoft.Web/sites'"
       metrics:
-        - name: ["FunctionExecutionCount", "FunctionExecutionUnits", "AppConnections", "AverageMemoryWorkingSet", "BytesReceived", "BytesSent", "CurrentAssemblies", "Gen0Collections", "Gen1Collections", "Gen2Collections", "Handles", "HealthCheckStatus", "Http2xx", "Http3xx", "Http4xx", "Http5xx", "HttpResponseTime", "IoOtherBytesPerSecond", "IoOtherOperationsPerSecond", "IoReadBytesPerSecond", "IoReadOperationsPerSecond", "IoWriteBytesPerSecond", "IoWriteOperationsPerSecond", "MemoryWorkingSet", "Requests", "RequestsInApplicationQueue", "Threads", "TotalAppDomains", "TotalAppDomainsUnloaded"]
+        - name: ["FunctionExecutionCount", "FunctionExecutionUnits", "AppConnections", "AverageMemoryWorkingSet", "BytesReceived", "BytesSent", "Gen0Collections", "Gen1Collections", "Gen2Collections", "Handles", "HealthCheckStatus", "Http2xx", "Http3xx", "Http4xx", "Http5xx", "HttpResponseTime", "IoOtherBytesPerSecond", "IoOtherOperationsPerSecond", "IoReadBytesPerSecond", "IoReadOperationsPerSecond", "IoWriteBytesPerSecond", "IoWriteOperationsPerSecond", "MemoryWorkingSet", "Requests", "RequestsInApplicationQueue", "Threads", "TotalAppDomains", "TotalAppDomainsUnloaded"]
           namespace: "Microsoft.Web/sites"
           timegrain: "PT5M"
           ignore_unsupported: true