This chapter covers Azure Monitor Diagnostic Settings, a critical mechanism for collecting and routing resource-level logs and metrics for security analysis. On the AZ-500 exam, this topic appears in approximately 5-10% of questions, often in the context of configuring security monitoring for Azure resources. Understanding diagnostic settings is essential for implementing effective security operations, as they enable the ingestion of audit logs, performance metrics, and activity data into Log Analytics workspaces, storage accounts, or Event Hubs for further analysis and alerting. You will learn how to configure diagnostic settings, understand their interaction with Azure Policy and Azure Sentinel, and avoid common misconfigurations that can lead to security gaps.
Jump to a section
Think of Azure Monitor Diagnostic Settings as a building's security camera system. The cameras (diagnostic settings) are placed at specific locations (Azure resources) to record events (metrics and logs) happening in those areas. The recordings are stored in a central security office (Log Analytics workspace or storage account) where security personnel (analysts) can review them for incidents. The camera system has a DVR (diagnostic settings configuration) that determines which cameras record, what resolution (log categories) they capture, and how long recordings are kept (retention policy). Just as a security guard can set motion detection to only record when movement occurs (resource-level diagnostic settings), Azure allows granular control over which logs are collected. If a camera is misconfigured to not record a critical area, you miss evidence of a break-in—similarly, missing diagnostic settings on a key resource like a key vault can blind your security monitoring. The system also integrates with a central alarm panel (Azure Sentinel) that can trigger alerts based on camera feeds, enabling real-time response to suspicious activities.
What Are Azure Monitor Diagnostic Settings?
Azure Monitor Diagnostic Settings are a configuration feature on each Azure resource that defines which logs and metrics are collected and where they are sent. They are the primary mechanism for exporting resource-level operational data—such as platform logs, activity logs, and performance counters—to destinations for analysis, archiving, or streaming. Without diagnostic settings, most Azure resources generate logs internally but do not make them accessible for external querying or alerting. Diagnostic settings bridge that gap by enabling a continuous flow of data from the resource to one or more of three destination types: a Log Analytics workspace (for querying and alerting), an Azure Storage account (for long-term archival and low-cost storage), or an Azure Event Hubs (for real-time streaming to third-party SIEM tools or custom applications).
Why Diagnostic Settings Matter for Security
From a security perspective, diagnostic settings are the foundation of detection and investigation. For example, Azure Key Vault logs all access attempts to secrets and keys, but those logs are only available if you configure a diagnostic setting to send them to a Log Analytics workspace. Without this, you cannot detect unauthorized access attempts or audit key usage. Similarly, Azure SQL Database audit logs are only accessible via diagnostic settings. The AZ-500 exam emphasizes that diagnostic settings are required to enable security monitoring for resources like Key Vault, SQL Database, Network Security Groups (NSGs), and Azure Firewall. Without them, these resources are effectively invisible to your security operations center (SOC).
How Diagnostic Settings Work: The Mechanism
When you enable a diagnostic setting on a resource, Azure Monitor begins collecting data from the resource's platform-level logs and metrics. The process is as follows:
Resource emits logs/metrics: Every Azure resource generates internal diagnostic data, such as AuditEvent logs for Key Vault, SQLInsights logs for SQL Database, or NetworkSecurityGroupRuleCounter for NSGs. These logs are held temporarily in the resource's own buffer.
Diagnostic setting subscription: The diagnostic setting acts as an event subscription—it registers with the resource to receive a stream of log and metric data. This is similar to an event hub consumer group but at the resource level.
Data routing: The setting specifies one or more destinations. For each destination, you can choose which log categories and metrics to send. The data is then routed via Azure Monitor's internal pipeline to the selected destinations.
4. Destination ingestion:
- Log Analytics workspace: Data is ingested into a table specific to the resource type (e.g., KeyVaultAuditLogs, SQLSecurityAuditEvents). Ingestion is near real-time, typically within 2-5 minutes.
- Storage account: Data is written to blobs in a container named insights-logs-<category> with a path structure including date and time. Data is flushed every few minutes or when a certain size threshold is reached.
- Event Hubs: Data is streamed as events to an Event Hubs namespace, where external systems can consume it. Latency is typically under 1 minute.
Retention and lifecycle: For Log Analytics, you set a retention period (default 30 days, up to 730 days for pay-as-you-go, or 2 years for dedicated clusters). For storage, you can apply a lifecycle management policy to delete old blobs. For Event Hubs, retention is set on the event hub itself (default 1 day, up to 7 days).
Key Components and Defaults
Log categories: Each resource type defines its own set of log categories. For example, Azure Key Vault has AuditEvent and AzurePolicyEvaluationDetails. Not all categories are enabled by default; you must explicitly select them in the diagnostic setting.
Metrics: Resources emit platform metrics (e.g., CPU percentage, IOPS) that can also be sent to Log Analytics or storage. These are often used for performance monitoring but also for security (e.g., unusual resource consumption).
Destinations: You can send data to up to five destinations per diagnostic setting. However, you can only have one diagnostic setting per resource (though you can send to multiple destinations within that setting).
Time filters: There is no built-in time filter—once enabled, the setting collects all logs from that point forward. To exclude historical data, you must configure the setting at resource creation or after a specific time.
Cost: Sending logs to Log Analytics incurs ingestion and retention costs. Storage is cheaper but not queryable. Event Hubs incurs throughput costs.
Configuration and Verification
You can configure diagnostic settings via the Azure portal, PowerShell, Azure CLI, or ARM templates. The portal interface is straightforward: navigate to the resource, click "Diagnostic settings" under "Monitoring," then add a setting. You must specify a name, select the destinations, and choose the log categories and metrics.
Azure CLI example:
az monitor diagnostic-settings create \
--resource /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.KeyVault/vaults/{vault} \
--name "KeyVaultDiagnostics" \
--workspace /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.OperationalInsights/workspaces/{workspace} \
--logs '[
{
"category": "AuditEvent",
"enabled": true,
"retentionPolicy": {
"days": 90,
"enabled": true
}
}
]' \
--metrics '[
{
"category": "AllMetrics",
"enabled": true,
"retentionPolicy": {
"days": 90,
"enabled": true
}
}
]'Verification: To verify that logs are flowing, query the Log Analytics workspace:
KeyVaultAuditLogs
| where TimeGenerated > ago(1h)
| countIf the count is zero, check the diagnostic setting configuration and ensure the resource is generating logs.
Interaction with Related Technologies
Azure Policy: You can use Azure Policy to automatically deploy diagnostic settings to all resources of a certain type. For example, a policy can enforce that all Key Vaults have a diagnostic setting sending logs to a central Log Analytics workspace. This is a common security baseline (e.g., Azure Security Benchmark).
Azure Sentinel: Sentinel uses Log Analytics workspaces as its data source. Diagnostic settings are the primary way to ingest resource logs into Sentinel for security detection and investigation.
Azure Activity Log: The Activity Log is a separate subscription-level log that records control plane operations. It is automatically sent to Log Analytics if you configure a diagnostic setting for the Activity Log (under the subscription's diagnostic settings). Resource-level diagnostic settings complement the Activity Log by capturing data plane operations.
Azure Monitor Alerts: Alerts can be configured on log queries against Log Analytics. For example, you can create an alert that fires when multiple failed Key Vault access attempts occur within 5 minutes.
Common Pitfalls and Exam Traps
Only one diagnostic setting per resource: You cannot have multiple diagnostic settings on the same resource. To send to multiple destinations, you must include all destinations in a single setting.
Diagnostic settings are not retroactive: They only collect logs from the moment they are enabled. Historical logs are not available unless previously collected.
Some resources require specific log categories: For example, Azure SQL Database has mandatory audit logs that must be enabled via diagnostic settings; if not, security monitoring is blind.
Retention policy at the destination: Setting retention in the diagnostic setting only applies to Log Analytics. For storage, you must use lifecycle management; for Event Hubs, retention is set on the event hub itself.
Cost implications: Sending all logs to Log Analytics can be expensive. Use storage for archival and Log Analytics for active querying.
Step-by-Step Configuration Walkthrough
Identify the resource (e.g., a Key Vault).
Navigate to Diagnostic settings under the Monitoring section.
Click "+ Add diagnostic setting".
Name the setting (e.g., "SecurityAudit").
Select destinations: Check "Send to Log Analytics workspace" and choose the workspace. Optionally, also check "Archive to storage account" or "Stream to event hub".
Select log categories: Check all relevant categories (e.g., AuditEvent for Key Vault). For security, include all categories unless cost is a concern.
Select metrics: Check "AllMetrics" if needed.
Configure retention: For Log Analytics, set retention days (e.g., 365 days for compliance).
Save.
Verify: Query the Log Analytics workspace to confirm data ingestion.
Advanced: Using ARM Templates for Deployment
For IaC, you can define diagnostic settings in an ARM template. Example snippet:
{
"type": "Microsoft.KeyVault/vaults/providers/diagnosticSettings",
"apiVersion": "2017-05-01-preview",
"name": "[concat(parameters('vaultName'), '/Microsoft.Insights/service')]",
"properties": {
"workspaceId": "[parameters('workspaceId')]",
"logs": [
{
"category": "AuditEvent",
"enabled": true,
"retentionPolicy": {
"days": 90,
"enabled": true
}
}
],
"metrics": [
{
"category": "AllMetrics",
"enabled": true,
"retentionPolicy": {
"days": 90,
"enabled": true
}
}
]
}
}Summary of Exam-Relevant Points
Diagnostic settings are per-resource, not per-subscription (except for the Activity Log).
They can send logs to Log Analytics, Storage, or Event Hubs.
Only one diagnostic setting per resource.
Retention is set at the destination; in the setting, it only applies to Log Analytics.
Azure Policy can enforce diagnostic settings across resources.
Common exam scenario: You need to enable diagnostic settings on Key Vault to detect unauthorized access.
Another scenario: You configure diagnostic settings on NSG to collect flow logs for network security analysis.
By mastering diagnostic settings, you ensure that your Azure environment is observable and that security events are captured for analysis and alerting—a core responsibility of a security engineer.
Identify the target Azure resource
Begin by determining which Azure resource requires diagnostic logging. Common resources for security include Key Vaults, SQL Databases, Network Security Groups, Azure Firewalls, and Azure AD (via diagnostic settings for the tenant). For example, to audit secret access, you need a Key Vault. The resource must exist in your subscription. Note that some resources like Azure VMs do not have platform-level diagnostic settings; instead, they use the Log Analytics agent or Azure Monitor Agent for guest OS logs.
Navigate to Diagnostic settings blade
In the Azure portal, go to the resource's overview page. Under the 'Monitoring' section, click 'Diagnostic settings'. If no settings exist, you will see a blank page with an 'Add diagnostic setting' button. If a setting already exists, you can edit it (but remember, only one setting is allowed per resource). This blade lists all current diagnostic settings for that resource.
Choose destination type(s)
Select one or more destinations: Send to Log Analytics workspace (for querying and alerting), Archive to storage account (for low-cost retention), or Stream to event hub (for real-time integration). For security operations, Log Analytics is most common because it enables KQL queries and Azure Sentinel integration. You can select multiple destinations, but all must be defined in a single setting.
Select log categories and metrics
Check the boxes for the log categories you need. For security, enable all categories unless cost is a concern. For example, Key Vault has 'AuditEvent' (all data plane operations) and 'AzurePolicyEvaluationDetails'. Metrics like 'AllMetrics' capture performance data. Some categories may be disabled by default; you must enable them. The exam tests that you know which categories exist for specific resources.
Configure retention policy
Set the retention period for Log Analytics (in days). The default is 30 days, but you can increase it up to 730 days (2 years) for pay-as-you-go workspaces, or up to 2 years for dedicated clusters. For storage, retention is not set here; you must use Azure Storage lifecycle management. For Event Hubs, retention is set on the event hub itself (1-7 days). The exam often tests that retention in the diagnostic setting only applies to Log Analytics.
Save and verify data ingestion
Click 'Save' to create the diagnostic setting. Within a few minutes, logs should start flowing to the selected destinations. To verify, query the Log Analytics workspace using KQL: `KeyVaultAuditLogs | count`. If no data appears, check that the resource is generating logs (e.g., perform a test operation) and that the workspace is in the same region (cross-region ingestion is supported but may have additional latency). Also confirm the setting is enabled.
Enterprise Scenario 1: Centralized Security Monitoring for Key Vaults
A financial services company uses Azure Key Vault to store customer encryption keys and secrets. Their security operations center (SOC) needs to monitor all access attempts to detect anomalies such as repeated failed access or access from unexpected locations. The solution is to configure diagnostic settings on each Key Vault to send AuditEvent logs to a central Log Analytics workspace. The workspace is integrated with Azure Sentinel for advanced detection rules. In production, the company has 50+ Key Vaults across multiple subscriptions. They use Azure Policy to enforce that every Key Vault has a diagnostic setting with a specific Log Analytics workspace and 365-day retention. A common issue is that developers sometimes create Key Vaults outside the policy scope, leading to blind spots. To mitigate, they run a weekly Azure Resource Graph query to find Key Vaults without diagnostic settings. Performance considerations: Ingestion of AuditEvent logs is low volume (a few MB per day per vault), so cost is minimal. However, if they mistakenly enable all metrics (which are high-volume), costs can spike. They use a separate diagnostic setting for metrics to a storage account to save costs.
Enterprise Scenario 2: Network Security Group Flow Logs for Threat Detection
A large e-commerce company uses Network Security Groups (NSGs) to control traffic to their web servers. To detect network anomalies like port scanning or data exfiltration, they need NSG flow logs. They configure diagnostic settings on each NSG to send flow logs (category: 'NetworkSecurityGroupFlowEvent') to a Log Analytics workspace. The logs are then analyzed using KQL queries to identify unusual traffic patterns. In production, they have hundreds of NSGs. One challenge is that enabling flow logs on all NSGs can generate terabytes of data per day, leading to high ingestion costs. They mitigate by setting a retention of only 7 days in Log Analytics and archiving to storage for 90 days. A common misconfiguration is forgetting to enable the flow log category—only the default categories are selected. The exam tests that NSG flow logs require an explicit diagnostic setting; they are not enabled by default. Another pitfall is that flow logs are only generated for NSGs attached to subnets or network interfaces; unattached NSGs produce no logs.
Enterprise Scenario 3: Real-Time SIEM Integration with Event Hubs
A healthcare organization is required to stream audit logs from Azure SQL Database to their on-premises SIEM (Splunk) for real-time compliance monitoring. They configure diagnostic settings on each SQL database to stream to an Azure Event Hubs namespace. The Event Hubs is then consumed by Splunk via the Azure Event Hubs add-on. In production, they have 20 SQL databases. They must ensure the Event Hubs throughput units are sufficient to handle peak log rates (e.g., 1 MB/s). A common issue is that the diagnostic setting is created but the event hub is not accessible due to network restrictions (e.g., firewall or private endpoints). They also need to set the event hub retention to at least 1 day to handle temporary Splunk outages. The exam tests that streaming to Event Hubs is the only way to get near-real-time logs for external SIEMs, and that you must configure the event hub's consumer group appropriately to avoid conflicts.
What AZ-500 Tests on Diagnostic Settings
The AZ-500 exam (Objective 4.2: Configure security monitoring) includes diagnostic settings in several contexts: - Key Vault logging (most tested): You must know that to audit Key Vault access, you need to enable diagnostic settings for the 'AuditEvent' category. The exam may ask which destination to use for long-term retention (storage) vs. active querying (Log Analytics). - SQL Database auditing: Diagnostic settings are required to export SQL audit logs. The exam tests that you must enable 'SQLSecurityAuditEvents' category. - NSG flow logs: You must configure diagnostic settings for 'NetworkSecurityGroupFlowEvent' and 'NetworkSecurityGroupRuleCounter' categories. The exam often asks where to send flow logs for analysis (Log Analytics) or archival (storage). - Azure Activity Log: Subscription-level diagnostic settings can send the Activity Log to Log Analytics, storage, or Event Hubs. This is separate from resource-level settings. - Azure Policy: You may be asked how to enforce diagnostic settings across resources using Azure Policy (deployIfNotExists effect).
Common Wrong Answers and Why Candidates Choose Them
1. Wrong answer: "Diagnostic settings can be configured at the subscription level to cover all resources." Why candidates choose it: They confuse resource-level diagnostic settings with the Activity Log diagnostic setting, which is subscription-level. However, resource-level settings are per-resource; there is no single setting that covers all resources. The correct answer is that you must configure each resource individually or use Azure Policy.
2. Wrong answer: "You can have multiple diagnostic settings on a single resource to send to different destinations." Why candidates choose it: It seems logical to have separate settings for different destinations. But Azure allows only one diagnostic setting per resource. To send to multiple destinations, you must include all in one setting.
3. Wrong answer: "Retention policy set in the diagnostic setting applies to all destinations." Why candidates choose it: The retention field appears in the diagnostic setting UI, so they assume it applies everywhere. In reality, retention only applies to Log Analytics. For storage, you need lifecycle management; for Event Hubs, retention is set on the event hub.
4. Wrong answer: "Diagnostic settings collect historical logs from before the setting was enabled." Why candidates choose it: They think Azure Monitor backfills data. However, diagnostic settings only collect logs from the moment they are enabled. No retrospective collection occurs.
Specific Numbers and Terms on the Exam
Retention: 30 days default, 730 days max (pay-as-you-go), 2 years (dedicated clusters).
Destinations: Log Analytics, Storage, Event Hubs (three only).
Log categories: 'AuditEvent' (Key Vault), 'SQLSecurityAuditEvents' (SQL), 'NetworkSecurityGroupFlowEvent' (NSG), 'AzureFirewallApplicationRule' (Firewall).
Policy effect: 'DeployIfNotExists' to automatically deploy diagnostic settings.
Maximum of 5 destinations per setting.
Only one diagnostic setting per resource.
Edge Cases and Exceptions
Azure AD diagnostic settings: These are tenant-level, not resource-level. You configure them under Azure AD > Diagnostic settings. They send sign-in logs and audit logs to Log Analytics.
Azure Kubernetes Service (AKS): AKS diagnostic settings are configured at the cluster level to collect control plane logs (kube-apiserver, kube-controller-manager, etc.).
Azure Firewall: Diagnostic settings can send application rule logs, network rule logs, and DNS proxy logs. You must enable each category separately.
Cost management: The exam may ask which destination is cheapest for long-term archival (storage) vs. which is best for real-time analysis (Event Hubs).
How to Eliminate Wrong Answers
If a question asks about sending logs to multiple destinations, remember that only one setting is allowed, but it can have multiple destinations. So the answer that says "create multiple diagnostic settings" is wrong.
If a question asks about retention, check the destination. For Log Analytics, retention is set in the diagnostic setting; for storage, it's lifecycle management.
If a question asks about historical data, the answer is that diagnostic settings do not collect historical data.
If a question asks about enabling logging for a resource, the correct answer is to configure a diagnostic setting. Do not confuse with Azure Monitor Agent or Log Analytics agent (those are for VMs).
Diagnostic settings are per-resource and only one setting is allowed per resource.
They can send logs to Log Analytics, Storage, or Event Hubs (up to 5 destinations per setting).
Retention policy in the setting applies only to Log Analytics; for storage, use lifecycle management.
Log categories are resource-specific; e.g., Key Vault uses 'AuditEvent', SQL uses 'SQLSecurityAuditEvents'.
Diagnostic settings do not collect historical logs—only logs from the moment they are enabled.
Azure Policy can enforce diagnostic settings across resources using DeployIfNotExists effect.
Common exam resources: Key Vault, SQL Database, NSG, Azure Firewall, AKS.
For real-time streaming to external SIEM, use Event Hubs destination.
These come up on the exam all the time. Here's how to tell them apart.
Log Analytics Workspace
Supports real-time querying using KQL for security analysis.
Integrates with Azure Sentinel and Azure Monitor Alerts.
Ingestion and retention costs are higher than storage.
Retention policy can be set in the diagnostic setting (30-730 days).
Best for active monitoring and alerting.
Azure Storage Account
Provides low-cost long-term archival of logs.
Logs are stored as blobs; querying requires exporting to a query tool.
No built-in alerting; must use Azure Storage Analytics or external tools.
Retention managed via lifecycle management policies (not in diagnostic setting).
Best for compliance and audit retention.
Mistake
Diagnostic settings collect all logs automatically when a resource is created.
Correct
Diagnostic settings must be explicitly configured. By default, no logs are sent to Log Analytics, storage, or Event Hubs. You must create a diagnostic setting for each resource you want to monitor.
Mistake
You can have multiple diagnostic settings on a single resource to send different log categories to different destinations.
Correct
Only one diagnostic setting is allowed per resource. However, that single setting can include multiple destinations and select which log categories go to each destination (though all selected categories go to all destinations). To send different categories to different destinations, you must use a different approach like Azure Functions to filter and route.
Mistake
Retention policy set in the diagnostic setting applies to all destinations.
Correct
The retention policy in the diagnostic setting only applies to the Log Analytics workspace destination. For storage accounts, you must configure lifecycle management policies separately. For Event Hubs, retention is configured on the event hub itself.
Mistake
Diagnostic settings can send logs to any Log Analytics workspace regardless of region.
Correct
Cross-region ingestion is supported (e.g., a resource in East US can send logs to a workspace in West Europe), but there may be additional latency and egress costs. There is no regional restriction, but it's a best practice to keep resources and workspace in the same region for performance and cost.
Mistake
Enabling diagnostic settings on a resource automatically enables security monitoring in Azure Sentinel.
Correct
Diagnostic settings send logs to Log Analytics, which can be a data source for Azure Sentinel. However, you must also onboard Sentinel to that workspace and create detection rules. Diagnostic settings alone do not enable Sentinel.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
You cannot enable diagnostic settings for multiple resources in a single action from the portal. You must configure each resource individually or use Azure Policy with the 'DeployIfNotExists' effect to automatically deploy diagnostic settings when resources are created. Alternatively, you can use PowerShell or Azure CLI scripts to loop through resources and apply settings.
Diagnostic settings collect platform-level logs and metrics from Azure resources (e.g., Key Vault audit logs, NSG flow logs). The Log Analytics agent (or Azure Monitor Agent) is installed on virtual machines to collect guest OS logs and performance data. Diagnostic settings do not require an agent; they are built into the resource. For VMs, you need both: diagnostic settings for the VM's host metrics (if available) and an agent for guest OS.
Yes, you can send logs to up to five destinations, which can include multiple Log Analytics workspaces. However, you must include all workspaces in a single diagnostic setting. If you need to send different log categories to different workspaces, that is not possible in a single setting; you would need to use a custom solution like Azure Functions to route logs.
Retention for storage is not set in the diagnostic setting. You must configure an Azure Storage lifecycle management rule on the storage account. For example, you can create a rule that deletes blobs older than 90 days in the 'insights-logs-*' containers. The diagnostic setting only defines the destination and which logs to send.
When you delete a diagnostic setting, log collection stops immediately. Any logs that were in transit may still be delivered, but no new logs will be sent. Historical logs previously stored in the destinations remain (unless deleted by retention policies). To resume collection, you must create a new diagnostic setting.
Yes, you can send logs to a Log Analytics workspace or storage account that uses a private endpoint. However, the resource generating logs must be able to communicate with the destination over the private network. For Event Hubs, private endpoints are also supported. Ensure that the resource's virtual network can reach the private endpoint.
After configuring a diagnostic setting, wait a few minutes and then query the Log Analytics workspace using KQL. For example, for Key Vault logs, run: `KeyVaultAuditLogs | take 10`. If no results appear, perform an action on the resource (e.g., access a secret) and re-query. You can also check the diagnostic setting's status in the portal; it should show 'Succeeded'.
You've just covered Azure Monitor Diagnostic Settings for Security — now see how well it sticks with free AZ-500 practice questions. Full explanations included, no account needed.
Done with this chapter?