Diagnostic Settings
Diagnostic settings in Azure Monitor let you route platform logs and metrics from Azure resources to different sinks such as Log Analytics workspaces, Azure Storage accounts, or Event Hubs. This enables you to retain, analyze, and act on telemetry for security, compliance, and operational monitoring.
Key concepts
- Categories: The type of data you can collect (e.g., AuditLogs, OperationLogs).
- Destinations: Where the data is sent – Log Analytics, Storage, or Event Hub.
- Retention: How long data is kept in the destination.
- Permissions: The Azure permission required to create or modify diagnostic settings (Microsoft.Insights/diagnosticSettings/write).
Create a diagnostic setting via the portal
- Navigate to the resource you want to monitor (e.g., a Virtual Machine or Azure SQL).
- Select Diagnostic settings under the Monitoring section.
- Click Add diagnostic setting.
- Choose a name and select the log and metric categories you need.
- Pick one or more destinations (Log Analytics, Storage Account, Event Hub).
- Save the setting.
Configure via Azure CLI
Below is an example that sends AuditLogs and OperationLogs to a Log Analytics workspace.
    # --resource takes the full resource ID of the monitored resource;
    # --workspace takes the resource ID of the Log Analytics workspace.
    az monitor diagnostic-settings create \
      --name "myDiagSetting" \
      --resource "/subscriptions/xxxx-xxxx-xxxx-xxxx/resourceGroups/myRG/providers/Microsoft.Compute/virtualMachines/myVM" \
      --workspace "/subscriptions/xxxx-xxxx-xxxx-xxxx/resourceGroups/myRG/providers/Microsoft.OperationalInsights/workspaces/myLogAnalytics" \
      --logs '[{"category":"AuditLogs","enabled":true},{"category":"OperationLogs","enabled":true}]' \
      --metrics '[{"category":"AllMetrics","enabled":true}]'
Configure via ARM template
Deploy diagnostic settings as part of your infrastructure as code. A diagnostic setting is an extension resource, so the template below attaches it to an existing virtual machine through the scope property.
    {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "resources": [
        {
          "type": "Microsoft.Insights/diagnosticSettings",
          "apiVersion": "2021-05-01-preview",
          "scope": "[format('Microsoft.Compute/virtualMachines/{0}', parameters('resourceName'))]",
          "name": "myDiagSetting",
          "properties": {
            "workspaceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspace'))]",
            "logs": [
              {
                "category": "AuditLogs",
                "enabled": true,
                "retentionPolicy": {
                  "enabled": false,
                  "days": 0
                }
              },
              {
                "category": "OperationLogs",
                "enabled": true,
                "retentionPolicy": {
                  "enabled": false,
                  "days": 0
                }
              }
            ],
            "metrics": [
              {
                "category": "AllMetrics",
                "enabled": true,
                "retentionPolicy": {
                  "enabled": false,
                  "days": 0
                }
              }
            ]
          }
        }
      ],
      "parameters": {
        "resourceName": {
          "type": "string"
        },
        "logAnalyticsWorkspace": {
          "type": "string"
        }
      }
    }
Best practices
- Enable All Logs and All Metrics for new resources, then filter later.
- Send logs to a dedicated Log Analytics workspace per environment (dev, test, prod).
- Use Event Hub when you need to stream data to third‑party SIEM solutions.
- Set retention policies according to compliance requirements.
- Automate diagnostic setting creation with IaC (ARM, Bicep, Terraform).
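A check for the practices above, as an added example that is not part of the original page: it audits the JSON returned by `az monitor diagnostic-settings list` for one resource and reports log categories that are not collected and a missing Log Analytics destination. The `audit` function, the sample data and the required-category list are assumptions made for illustration.

```python
import json

# Destination properties of a diagnostic setting, mapped to the page's names.
DESTINATIONS = {"workspaceId": "Log Analytics", "storageAccountId": "Storage",
                "eventHubAuthorizationRuleId": "Event Hub"}

def audit(settings, required_logs, required_destination="Log Analytics"):
    """Return findings for one resource's diagnostic settings ([] means pass)."""
    if isinstance(settings, dict):  # assumption: some CLI versions wrap the list in "value"
        settings = settings.get("value", [])
    if not settings:
        return ["no diagnostic setting configured"]
    collected, destinations = set(), set()
    for setting in settings:
        destinations.update(label for key, label in DESTINATIONS.items() if setting.get(key))
        for entry in setting.get("logs") or []:
            if entry.get("enabled"):
                # Entries that use a category group (e.g. allLogs) have no "category".
                collected.add(entry.get("category") or entry.get("categoryGroup"))
    findings = []
    if "allLogs" not in collected:
        findings += [f"log category not collected: {c}"
                     for c in sorted(set(required_logs) - collected)]
    if required_destination not in destinations:
        findings.append(f"no {required_destination} destination")
    return findings

# Constructed samples (not real output): one archive-only setting, one compliant.
ARCHIVE_ONLY = json.loads("""[{
  "name": "archiveOnly",
  "storageAccountId": "/subscriptions/xxxx/resourceGroups/myRG/providers/Microsoft.Storage/storageAccounts/placeholder",
  "logs": [{"category": "AuditLogs", "enabled": true},
           {"category": "OperationLogs", "enabled": false}],
  "metrics": [{"category": "AllMetrics", "enabled": true}]}]""")
COMPLIANT = json.loads("""[{
  "name": "myDiagSetting",
  "workspaceId": "/subscriptions/xxxx/resourceGroups/myRG/providers/Microsoft.OperationalInsights/workspaces/myLogAnalytics",
  "logs": [{"categoryGroup": "allLogs", "enabled": true}],
  "metrics": [{"category": "AllMetrics", "enabled": true}]}]""")

if __name__ == "__main__":
    required = ["AuditLogs", "OperationLogs"]
    for name, sample in (("archiveOnly", ARCHIVE_ONLY), ("compliant", COMPLIANT)):
        print(name, audit(sample, required) or "OK")
```

In a pipeline, feed it the parsed output of the list command for each resource and fail the run when any finding is returned.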