I am unable to send the logs to the Log Analytics workspace in order to monitor the service principal sign-in logs.
I have a service principal in Azure. I want to send its sign-in logs to a Log Analytics workspace in order to monitor and later set up alerts on them. But when I follow these steps https://learn.microsoft.com/en-us/entra/identity/monitoring-health/howto-integrate-activity-logs-with-azure-monitor-logs I cannot see any logs in my Log Analytics workspace.
I can finally see the logs in the log analytics. Had to follow these steps only https://learn.microsoft.com/en-us/entra/identity/monitoring-health/howto-integrate-activity-logs-with-azure-monitor-logs but instead of 15 min I had to wait for ~2 hours for the logs to be visible.
Steps to direct service principal logs to the Log Analytics workspace.
Prerequisites: Security Administrator role assigned.
Steps, from the document:
- Sign in to the Microsoft Entra admin center as at least a Security Administrator.
- Browse to Identity > Monitoring & health > Diagnostic settings. You can also select Export Settings from either the Audit Logs or Sign-ins page.
- Select + Add diagnostic setting to create a new integration or select Edit setting for an existing integration.
- Enter a Diagnostic setting name. If you're editing an existing integration, you can't change the name.
- Select the log categories that you want to stream. (In my case I had to select the ServicePrincipalSignInLogs category)
- Under Destination Details select the Send to Log Analytics workspace check box.
- Select the appropriate Subscription and Log Analytics workspace from the menus.
- Select the Save button.
As per the doc, we should see the logs getting streamed in the workspace after about ~15 min but it might take longer as well.
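
To check from the workspace side whether the export is working and how late records arrive, the query below can be run in the Log Analytics query editor. It is an added example, not part of the original answer or the linked document, and it assumes the standard `ServicePrincipalSignInLogs` table columns (`TimeGenerated`, `ServicePrincipalName`, `ServicePrincipalId`, `ResultType`).

```kusto
// Added example: verify that service principal sign-ins are reaching the
// workspace and measure the gap between the sign-in and its ingestion.
// Assumes the standard ServicePrincipalSignInLogs schema.
ServicePrincipalSignInLogs
| where TimeGenerated > ago(1d)
// ingestion_time() is when the record became queryable in the workspace;
// TimeGenerated is when the sign-in itself happened.
| extend IngestionDelay = ingestion_time() - TimeGenerated
| summarize
    SignIns      = count(),
    Failures     = countif(ResultType != "0"),   // "0" means a successful sign-in
    LastSignIn   = max(TimeGenerated),
    LastIngested = max(ingestion_time()),
    AvgDelay     = avg(IngestionDelay),
    MaxDelay     = max(IngestionDelay)
  by ServicePrincipalName, ServicePrincipalId
| order by LastSignIn desc
```

An empty result for a service principal that is known to have signed in means its records have not been ingested yet; `MaxDelay` shows how far behind the stream has been, which is worth knowing before choosing the evaluation window for an alert rule.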