Azure Monitor Logs Sink

The Vector azure_monitor_logs sink sends logs to Azure Monitor logs.

Configuration

[sinks.my_sink_id]
# General
type = "azure_monitor_logs" # required
inputs = ["my-source-or-transform-id", "prefix-*"] # required
azure_resource_id = "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/otherResourceGroup/providers/Microsoft.Storage/storageAccounts/examplestorage" # optional, no default
customer_id = "5ce893d9-2c32-4b6c-91a9-b0887c2de2d6" # required
host = "ods.opinsights.azure.com" # optional, default
log_type = "MyTableName" # required
shared_key = "${AZURE_MONITOR_SHARED_KEY_ENV_VAR}" # required
# Encoding
# Healthcheck
healthcheck.enabled = true # optional, default
  • common optional string

    azure_resource_id

    Resource ID of the Azure resource the data should be associated with.

    • Syntax: literal
  • optional table

    batch

    Configures the sink batching behavior.

    • common optional uint

      max_bytes

      The maximum size of a batch, in bytes, before it is flushed.

      • Default: 30000000 (bytes)
    • common optional uint

      timeout_secs

      The maximum age of a batch before it is flushed. See Buffers & batches for more info.

      • Default: 1 (seconds)
  • optional table

    buffer

    Configures the sink specific buffer behavior.

    • common optional uint

      max_events

      The maximum number of events allowed in the buffer. See Buffers & batches for more info.

      • Only relevant when: type = "memory"
      • Default: 500 (events)
    • common required* uint

      max_size

      The maximum size of the buffer on the disk. See Buffers & batches for more info.

      • Only required when: type = "disk"
    • enum common optional string

      type

      The buffer's type and storage mechanism.

      • Syntax: literal
      • Default: "memory"
      • Enum, must be one of: "memory" "disk"
    • enum optional string

      when_full

      The behavior when the buffer becomes full.

      • Syntax: literal
      • Default: "block"
      • Enum, must be one of: "block" "drop_newest"
  • common required string

    customer_id

    The unique identifier for the Log Analytics workspace.

    • Syntax: literal
  • common required table

    encoding

    Configures the encoding specific sink behavior.

    • optional [string]

      except_fields

      Prevent the sink from encoding the specified labels.

    • optional [string]

      only_fields

      Limit the sink to encoding only the specified fields.

    • enum optional string

      timestamp_format

      How to format event timestamps.

      • Syntax: literal
      • Default: "rfc3339"
      • Enum, must be one of: "rfc3339" "unix"
  • common optional table

    healthcheck

    Health check options for the sink. See Health checks for more info.

    • common optional bool

      enabled

      Enables/disables the healthcheck upon Vector boot.

      • Default: true
  • common optional string

    host

    Alternative host for dedicated Azure regions.

    • Syntax: literal
    • Default: "ods.opinsights.azure.com"
  • common required string

    log_type

    The record type of the data that is being submitted. Can only contain letters, numbers, and underscore (_), and may not exceed 100 characters.

    • Syntax: literal
  • common required string

    shared_key

    The primary or the secondary key for the Log Analytics workspace.

    • Syntax: literal
  • optional table

    tls

    Configures the TLS options for outgoing connections.

    • optional string

      ca_file

      Absolute path to an additional CA certificate file, in DER or PEM format (X.509), or an inline CA certificate in PEM format.

      • Syntax: literal
    • common optional string

      crt_file

      Absolute path to a certificate file used to identify this connection, in DER or PEM format (X.509) or PKCS#12, or an inline certificate in PEM format. If this is set and is not a PKCS#12 archive, key_file must also be set.

      • Syntax: literal
    • common optional bool

      enabled

      Enable TLS during connections to the remote.

      • Default: true
    • common optional string

      key_file

      Absolute path to a private key file used to identify this connection, in DER or PEM format (PKCS#8), or an inline private key in PEM format. If this is set, crt_file must also be set.

      • Syntax: literal
    • optional string

      key_pass

      Pass phrase used to unlock the encrypted key file. This has no effect unless key_file is set.

      • Syntax: literal
    • optional bool

      verify_certificate

      If true (the default), Vector will validate the TLS certificate of the remote host.

      • Default: true
    • optional bool

      verify_hostname

      If true (the default), Vector will validate the configured remote host name against the remote host's TLS certificate. Do NOT set this to false unless you understand the risks of not verifying the remote hostname.

      • Default: true

Telemetry

This component provides the following metrics that can be retrieved through the internal_metrics source. See the metrics section in the monitoring page for more info.

  • counter

    events_in_total

    The total number of events accepted by this component. This metric includes the following tags:

    • component_kind - The Vector component kind.

    • component_name - The Vector component ID.

    • component_type - The Vector component type.

    • instance - The Vector instance identified by host and port.

    • job - The name of the job producing Vector metrics.

  • counter

    events_out_total

    The total number of events emitted by this component. This metric includes the following tags:

    • component_kind - The Vector component kind.

    • component_name - The Vector component ID.

    • component_type - The Vector component type.

    • instance - The Vector instance identified by host and port.

    • job - The name of the job producing Vector metrics.

How It Works

Buffers & batches

[Diagram: Buffers and Batches]

This component buffers and batches data as shown in the diagram above. Vector treats buffers and batches as sink-specific concepts rather than global ones. This isolates sinks, ensuring that service disruptions are contained and delivery guarantees are honored.

Batches are flushed when either of two conditions is met:

  1. The batch age meets or exceeds the configured timeout_secs.
  2. The batch size meets or exceeds the configured max_bytes.

Buffers are controlled via the buffer.* options.

Health checks

Health checks ensure that the downstream service is accessible and ready to accept data. This check is performed upon sink initialization. If the health check fails, an error is logged and Vector proceeds to start.

Require health checks

If you'd like to exit immediately upon a health check failure, you can pass the --require-healthy flag:

vector --config /etc/vector/vector.toml --require-healthy

Disable health checks

If you'd like to disable health checks for this sink, you can set the healthcheck.enabled option to false.

State

This component is stateless, meaning its behavior is consistent across each input.

Transport Layer Security (TLS)

Vector uses OpenSSL for TLS protocols because of its maturity. You can enable and adjust TLS behavior via the tls.* options.
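
The constraints documented for shared_key, log_type, tls.* and buffer.* can be checked mechanically before a configuration is deployed. The Python lint below is an added example, not part of Vector or its documentation. The function names and the sample sinks are constructed for illustration. It assumes the raw, un-interpolated file is being checked, so "${...}" references are still visible.

```python
import re

LOG_TYPE_RE = re.compile(r"[A-Za-z0-9_]{1,100}")          # constraint stated for log_type
ENV_REF_RE = re.compile(r"\$\{[A-Za-z_][A-Za-z0-9_]*\}")  # e.g. "${AZURE_MONITOR_SHARED_KEY_ENV_VAR}"

def lint_sink(name, sink):
    """Return findings for one parsed [sinks.<name>] table of type azure_monitor_logs."""
    out = []
    if not ENV_REF_RE.fullmatch(sink.get("shared_key", "")):
        out.append(f"{name}: shared_key is not an env-var reference; keep the workspace key out of the file")
    if not LOG_TYPE_RE.fullmatch(sink.get("log_type", "")):
        out.append(f"{name}: log_type must be 1-100 letters, digits or underscores")
    tls = sink.get("tls", {})
    for opt in ("enabled", "verify_certificate", "verify_hostname"):
        if tls.get(opt, True) is False:                   # all three default to true
            out.append(f"{name}: tls.{opt} = false weakens transport security")
    if tls.get("key_file") and not tls.get("crt_file"):
        out.append(f"{name}: tls.key_file is set, so tls.crt_file must be set too")
    buf = sink.get("buffer", {})
    if buf.get("type", "memory") == "disk" and "max_size" not in buf:
        out.append(f"{name}: buffer.type = 'disk' requires buffer.max_size")
    if buf.get("when_full", "block") == "drop_newest":
        out.append(f"{name}: buffer.when_full = 'drop_newest' discards events when the buffer is full")
    return out

def lint_config(cfg):
    """Lint every azure_monitor_logs sink in a parsed Vector config (a dict)."""
    return [f for name, sink in cfg.get("sinks", {}).items()
            if sink.get("type") == "azure_monitor_logs" for f in lint_sink(name, sink)]

def lint_toml(text):
    """Lint raw TOML text; tomllib requires Python 3.11 or later."""
    import tomllib
    return lint_config(tomllib.loads(text))

# Constructed sample: the dict tomllib.loads() would return for two sink tables.
SAMPLE = {"sinks": {
    "good": {"type": "azure_monitor_logs", "log_type": "MyTableName",
             "shared_key": "${AZURE_MONITOR_SHARED_KEY_ENV_VAR}"},
    "weak": {"type": "azure_monitor_logs", "log_type": "my-table",
             "shared_key": "c2FtcGxlLWtleQ==",            # constructed literal, not a real key
             "tls": {"verify_hostname": False},
             "buffer": {"type": "disk", "when_full": "drop_newest"}},
}}

if __name__ == "__main__":
    print("\n".join(lint_config(SAMPLE)))
```

Run it against the file as stored on disk or in version control, since a shared key pasted in as a literal is exactly what the check is meant to catch before it is committed.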