Tutorial: Stream Azure Active Directory logs to an Azure event hub

In this tutorial, you learn how to set up Azure Monitor diagnostics settings to stream Azure Active Directory (Azure AD) logs to an Azure event hub. Use this mechanism to integrate your logs with third-party Security Information and Event Management (SIEM) tools, such as Splunk and QRadar.

Prerequisites

To use this feature, you need:

  • An Azure subscription. If you don't have an Azure subscription, you can sign up for a free trial.
  • An Azure AD tenant.
  • A user who's a global administrator or security administrator for the Azure AD tenant.
  • An Event Hubs namespace and an event hub in your Azure subscription. Learn how to create an event hub.

Stream logs to an event hub

  1. Sign in to the Azure portal.

  2. Select Azure Active Directory > Activity > Audit logs.

  3. Select Export Settings.

  4. In the Diagnostics settings pane, do either of the following:

    • To change existing settings, select Edit setting.

    • To add new settings, select Add diagnostics setting.
      You can have up to three settings.

      (Screenshot: Export settings)

  5. Select the Stream to an event hub check box, and then select Event Hub/Configure.

  6. Select the Azure subscription and Event Hubs namespace that you want to route the logs to.
    The subscription and Event Hubs namespace must both be associated with the Azure AD tenant that the logs stream from. You can also specify an event hub within the Event Hubs namespace to which logs should be sent. If no event hub is specified, an event hub is created in the namespace with the default name insights-logs-audit.

  7. Select OK to exit the event hub configuration.

  8. Do either or both of the following:

    • To send audit logs to the event hub, select the AuditLogs check box.
    • To send sign-in logs to the event hub, select the SignInLogs check box.

  9. Select Save to save the setting.

    (Screenshot: Diagnostics settings)

  10. After about 15 minutes, verify that events are displayed in your event hub. To do so, go to the event hub from the portal and verify that the incoming messages count is greater than zero.

    (Screenshot: Audit logs)

Access data from your event hub

After data is displayed in the event hub, you can access and read the data in two ways:
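Once messages reach the event hub (step 10 above) a consumer has to unwrap them before a SIEM or a script can do anything useful with them. The following is an added example, not code from this tutorial or from Microsoft: it parses one event hub message body in the Azure Monitor resource-log envelope (a JSON object with a `records` array), counts records per category, pulls out failed sign-ins and flags source IPs with repeated failures. The field names (`category`, `operationName`, `resultType`, `properties.userPrincipalName`, `properties.ipAddress`) follow the Azure AD AuditLogs/SignInLogs schema as I understand it and the sample message, tenant, users and IP addresses are constructed; treating `resultType == "0"` as a successful sign-in is also an assumption. Fetching the message from the hub (for example with the Azure Event Hubs SDK) is left out so the script runs offline.

```python
"""Parse Azure AD diagnostic records as delivered through an event hub."""
import json
from collections import Counter

# Constructed sample message body. Azure Monitor wraps resource logs in
# {"records": [...]}; the record fields below follow the Azure AD
# SignInLogs/AuditLogs schema (assumption). All values are made up.
SAMPLE_MESSAGE = json.dumps({
    "records": [
        {"time": "2024-01-15T10:02:11Z", "category": "SignInLogs",
         "operationName": "Sign-in activity", "resultType": "0",
         "properties": {"userPrincipalName": "alice@example.com",
                        "ipAddress": "203.0.113.10",
                        "appDisplayName": "Azure Portal"}},
        {"time": "2024-01-15T10:03:40Z", "category": "SignInLogs",
         "operationName": "Sign-in activity", "resultType": "50126",
         "properties": {"userPrincipalName": "bob@example.com",
                        "ipAddress": "198.51.100.7",
                        "appDisplayName": "Office 365 Exchange Online"}},
        {"time": "2024-01-15T10:03:52Z", "category": "SignInLogs",
         "operationName": "Sign-in activity", "resultType": "50126",
         "properties": {"userPrincipalName": "carol@example.com",
                        "ipAddress": "198.51.100.7",
                        "appDisplayName": "Office 365 Exchange Online"}},
        {"time": "2024-01-15T10:05:00Z", "category": "AuditLogs",
         "operationName": "Add member to role", "resultType": "Success",
         "properties": {"initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}},
                        "targetResources": [{"displayName": "Global Administrator"}]}},
    ]
})


def parse_records(body):
    """Return the records list from one event hub message body.

    A body without a "records" array is treated as malformed and rejected,
    so a misconfigured producer is noticed instead of silently dropped.
    """
    envelope = json.loads(body)
    records = envelope.get("records") if isinstance(envelope, dict) else None
    if not isinstance(records, list):
        raise ValueError("message body is not an Azure Monitor records envelope")
    return records


def count_by_category(records):
    """Count records per diagnostic category (AuditLogs, SignInLogs, ...)."""
    return Counter(r.get("category", "unknown") for r in records)


def failed_signins(records):
    """Return sign-in records whose resultType is not the success code "0"."""
    failures = []
    for r in records:
        if r.get("category") != "SignInLogs" or str(r.get("resultType")) == "0":
            continue
        props = r.get("properties", {})
        failures.append({"time": r.get("time"),
                         "user": props.get("userPrincipalName"),
                         "ip": props.get("ipAddress"),
                         "errorCode": str(r.get("resultType"))})
    return failures


def ips_with_repeated_failures(records, min_failures=2):
    """Map source IP -> failure count for IPs at or above the threshold."""
    counts = Counter(f["ip"] for f in failed_signins(records))
    return {ip: n for ip, n in counts.items() if n >= min_failures}


def role_changes(records):
    """Return audit records whose operation mentions a role change."""
    return [r for r in records
            if r.get("category") == "AuditLogs"
            and "role" in r.get("operationName", "").lower()]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_MESSAGE)
    print("per category:", dict(count_by_category(recs)))
    for f in failed_signins(recs):
        print("failed sign-in:", f)
    print("repeated failures by IP:", ips_with_repeated_failures(recs))
    print("role changes:", [r["operationName"] for r in role_changes(recs)])
```

Each event hub message can carry many records, so `parse_records` is the only place that touches the envelope; everything else works on the flat record list and is what you would hand to a SIEM correlation rule.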

Next steps