omazuredce batches JSON records and sends them to the Azure Monitor Logs Ingestion API by using a Data Collection Endpoint (DCE), Data Collection Rule (DCR), and Microsoft Entra client-credentials authentication.

omazuredce: Azure Monitor Logs Ingestion Output Module

Module Name: omazuredce

Author: Jan Kängsepp

Available since: v8.2604

Purpose

This module provides native support for forwarding log data to the Azure Monitor Logs Ingestion API.

Each message rendered by the configured template must be a single JSON object. omazuredce collects those objects into a JSON array, requests an OAuth access token from Microsoft Entra ID, and posts the resulting batch to the configured Azure Data Collection Endpoint.

Notable Features

  • Size-aware batching with a configurable max_batch_bytes limit

  • Timed flushing for partially filled batches via flush_timeout_ms

  • Automatic OAuth token acquisition for the https://monitor.azure.com/.default scope

  • Retry-friendly error handling that cooperates with rsyslog action suspension

Requirements

To use omazuredce, you need the following:

  • libcurl support at build time

  • A valid Azure Data Collection Endpoint URL

  • A Data Collection Rule ID

  • A target stream or table name accepted by the DCR

  • A Microsoft Entra application with client_id, client_secret, and tenant_id values that can request tokens for https://monitor.azure.com/.default

  • A template that renders one valid JSON object per message, or the built-in StdJSONFmt default

The module is built only when ./configure is invoked with --enable-omazuredce=yes.

Configuration Parameters

Note: Parameter names are case-insensitive; snake_case is used in the examples because the module’s parameter names contain underscores.

Note: This module supports action parameters only.

Action Parameters

Parameter: Summary

  • template: Selects the rsyslog template used to render each message before it is added to the Azure ingestion batch.

  • client_id: Specifies the Microsoft Entra application client ID used for OAuth token requests.

  • client_secret: Supplies the client secret paired with client_id for OAuth token requests.

  • tenant_id: Sets the Microsoft Entra tenant used when requesting OAuth access tokens.

  • dce_url: Defines the Azure Data Collection Endpoint base URL used for batch submission.

  • dcr_id: Specifies the Azure Data Collection Rule immutable ID used in the ingestion URL.

  • table_name: Sets the stream or table name appended to the Azure ingestion request path.

  • max_batch_bytes: Limits the estimated total size of one Azure ingestion request, including the payload and HTTP overhead.

  • flush_timeout_ms: Controls how long a partially filled batch may stay idle before it is flushed.

Batching Behavior

omazuredce builds one JSON array per worker and flushes it when one of the following happens:

  • Adding the next record would exceed max_batch_bytes

  • The action queue transaction ends and flush_timeout_ms is set to 0

  • The batch has been idle for at least flush_timeout_ms milliseconds

The internal size check is conservative. It includes both the JSON payload size and an estimate for HTTP headers before sending the request.

Error Handling

The module obtains an OAuth access token before sending data. If Azure returns 401 Unauthorized for a batch request, the module refreshes the token and returns RS_RET_SUSPENDED. The failed batch is then retried by rsyslog’s central action engine according to the configured action backoff and retry settings. Other retryable HTTP failures follow the same RS_RET_SUSPENDED path.

If a rendered message is too large to fit into an empty batch under the current max_batch_bytes setting, the module logs an error and drops that record.
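The size-based flush rule from Batching Behavior and the oversized-record drop described above can be modeled offline to see which events a given max_batch_bytes value would lose. This is an added example, not the module's own code: the 512-byte header estimate, the function names, and the sample events are assumptions, and the idle-timeout flush is not modeled.

```python
import json

# Assumption: the page does not state the module's HTTP-header estimate;
# 512 bytes is a placeholder chosen for this model only.
HTTP_OVERHEAD_ESTIMATE = 512


def record_size(obj):
    """Bytes one record occupies as compact UTF-8 JSON."""
    text = json.dumps(obj, separators=(",", ":"), ensure_ascii=False)
    return len(text.encode("utf-8"))


def plan_batches(records, max_batch_bytes, overhead=HTTP_OVERHEAD_ESTIMATE):
    """Model the size-based flush rule; returns (batches, dropped)."""
    empty = overhead + 2  # header estimate plus the "[]" of the JSON array
    batches, dropped, current, size = [], [], [], empty
    for rec in records:
        n = record_size(rec)
        if empty + n > max_batch_bytes:
            # Does not fit even into an empty batch: the record is dropped.
            dropped.append(rec)
            continue
        extra = n + (1 if current else 0)  # comma between array elements
        if size + extra > max_batch_bytes:
            # Adding the next record would exceed the limit: flush first.
            batches.append(current)
            current, size, extra = [], empty, n
        current.append(rec)
        size += extra
    if current:
        batches.append(current)  # final flush at the end of the input
    return batches, dropped


def sample_events():
    """Constructed events shaped like the tplAzureDce template output."""
    base = {"TimeGenerated": "2026-01-01T00:00:00Z", "Host": "web01", "AppName": "sshd"}
    return [
        dict(base, Message="Accepted publickey for deploy"),
        dict(base, Message="x" * 250),
        dict(base, Message="y" * 5000),  # larger than the 1024-byte limit below
        dict(base, Message="Failed password for root"),
    ]


if __name__ == "__main__":
    batches, dropped = plan_batches(sample_events(), max_batch_bytes=1024)
    print(len(batches), "batches,", len(dropped), "dropped")
```

Running the same model over a sample of real rendered events shows whether a chosen limit would silently discard long messages such as stack traces or command lines.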

Example

The following example renders each event as one JSON object and forwards it to Azure Monitor Logs Ingestion:

module(load="omazuredce")

template(name="tplAzureDce" type="list" option.jsonf="on") {
   property(outname="TimeGenerated" name="timereported" dateFormat="rfc3339" format="jsonf")
   property(outname="Host" name="hostname" format="jsonf")
   property(outname="AppName" name="app-name" format="jsonf")
   property(outname="Message" name="msg" format="jsonf")
}

action(
   type="omazuredce"
   template="tplAzureDce"
   client_id="<application-id>"
   client_secret="<client-secret>"
   tenant_id="<tenant-id>"
   dce_url="https://<dce-name>.<region>.ingest.monitor.azure.com"
   dcr_id="<dcr-id>"
   table_name="Custom-MyTable_CL"
   max_batch_bytes="1048576"
   flush_timeout_ms="2000"
)

© 2008–2026 Rainer Gerhards and others. Licensed under the Apache License 2.0.