AZ-500: What Are the Valid Destinations for Azure Diagnostic and Activity Logs?

Can You Forward Azure Activity and Audit Logs Directly to Event Grid?

Prepare for AZ-500 exam by learning the correct destinations for Azure activity and audit logs. Understand why Event Grid is not a valid target for log forwarding and discover the three supported options: Azure Storage, Log Analytics, and Event Hub.

Question

You can send activity and audit logs to Event Grid.

A. FALSE
B. TRUE

Answer

A. FALSE

Explanation

The correct answer is A. FALSE. Azure activity logs and audit logs cannot be sent directly to Azure Event Grid. The supported destinations for these logs are limited to Azure Storage accounts, Log Analytics workspaces, and Azure Event Hubs.

Audit data may be sent to Azure Storage, Log Analytics, or Event Hub.

Supported Log Destinations

Azure provides three specific “sinks” or destinations where activity and audit logs can be forwarded through diagnostic settings:

  • Azure Storage Account: Used for long-term, cost-effective archival of log data. Logs are stored as JSON files in blob containers, making this option ideal for compliance requirements where logs must be retained for extended periods but don’t need frequent analysis.
  • Log Analytics Workspace: The primary destination for interactive log analysis and monitoring. When logs are sent here, they can be queried using Kusto Query Language (KQL), visualized in dashboards, and used to create alerts. This is essential for active security monitoring and operational insights.
  • Azure Event Hub: A high-throughput streaming platform that enables real-time forwarding of log data to external systems. This is commonly used to send logs to third-party SIEM solutions like Splunk or custom analytics platforms.
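The three sinks above correspond to three properties on one diagnostic-setting resource. The following Bicep template is an added example, not code from the page, that deploys an Activity Log diagnostic setting at subscription scope and fans the log out to a Log Analytics workspace, a Storage account and an Event Hub at once. The workspace, storage account, Event Hub namespace and its authorization rule are assumed to exist already and are passed in as resource IDs; the setting name and Event Hub name are placeholders.

```bicep
// Added example: export the Azure Activity Log to all three supported sinks.
// Deployed at subscription scope, because the Activity Log is a subscription-level log.
targetScope = 'subscription'

@description('Resource ID of an existing Log Analytics workspace (assumed to exist)')
param workspaceId string

@description('Resource ID of an existing Storage account used for long-term archive (assumed to exist)')
param storageAccountId string

@description('Resource ID of an existing Event Hub namespace authorization rule with Send rights (assumed to exist)')
param eventHubAuthorizationRuleId string

@description('Name of the Event Hub inside that namespace that receives the stream (placeholder)')
param eventHubName string = 'activity-log'

// Activity Log categories exposed by subscription-scope diagnostic settings.
var activityLogCategories = [
  'Administrative'
  'Security'
  'ServiceHealth'
  'Alert'
  'Recommendation'
  'Policy'
  'Autoscale'
  'ResourceHealth'
]

resource activityLogExport 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'export-activity-log'
  properties: {
    // Sink 1: Log Analytics workspace, for KQL queries, workbooks and alert rules.
    workspaceId: workspaceId
    // Sink 2: Storage account, for cheap long-term retention of the JSON blobs.
    storageAccountId: storageAccountId
    // Sink 3: Event Hub, for streaming to an external SIEM.
    eventHubAuthorizationRuleId: eventHubAuthorizationRuleId
    eventHubName: eventHubName
    // There is no Event Grid property on this resource type: Event Grid is not a sink.
    logs: [for category in activityLogCategories: {
      category: category
      enabled: true
    }]
  }
}
```

Deploy it with a subscription-level deployment, for example `az deployment sub create --location <region> --template-file activity-log-export.bicep --parameters workspaceId=... storageAccountId=... eventHubAuthorizationRuleId=...`. Any one of the three sink properties can be omitted if that destination is not needed; the template simply lists all three to show the complete set that diagnostic settings accept.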

Why Event Grid Is Not Supported

Azure Event Grid serves a fundamentally different purpose from the log forwarding destinations. Event Grid is designed for event-driven architectures where discrete events (such as “a resource was created” or “a blob was uploaded”) are routed to subscribers for reactive processing.

The key distinction is that Event Grid handles individual events that represent state changes, while activity and audit logs represent continuous streams of data containing detailed operational information. Event Grid is not architected to handle the high volume, continuous flow of log data that characterizes activity and audit logging.

Practical Implications

Understanding this limitation is crucial for designing Azure monitoring and security architectures. If you need to trigger automated responses based on specific log entries, the correct approach is to:

  1. Send logs to a Log Analytics workspace
  2. Create alert rules that query the logs
  3. Configure action groups that can trigger Event Grid events or directly invoke Logic Apps, Functions, or other response mechanisms

This architectural pattern maintains the separation between log aggregation (handled by the three supported destinations) and event-driven automation (handled by Event Grid and other response systems).
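The three-step pattern above, steps 2 and 3 in particular, as an added example that is not code from the page: a Bicep template that creates an action group and a scheduled query (log search) alert rule over the AzureActivity table. It assumes step 1 is already done, that is, the Activity Log is flowing into an existing Log Analytics workspace whose resource ID is passed in as a parameter. The query, the rule and action-group names, and the notification address are all constructed placeholders; the rule fires whenever a new RBAC role assignment is written successfully, a change a security team typically wants to review.

```bicep
// Added example: alert rule over Activity Log data in Log Analytics, wired to an action group.
// Deployed at resource-group scope (the Bicep default).

@description('Resource ID of the Log Analytics workspace that already receives the Activity Log (assumed to exist)')
param workspaceId string

@description('Mailbox that receives the alert (placeholder)')
param alertEmail string = 'secops@example.invalid'

param location string = resourceGroup().location

// Step 3: the action group is the response mechanism the alert invokes.
// Email is used here; the same resource also accepts Logic App, Function and webhook receivers.
resource alertActionGroup 'Microsoft.Insights/actionGroups@2023-01-01' = {
  name: 'secops-oncall'
  location: 'global'
  properties: {
    groupShortName: 'secops'
    enabled: true
    emailReceivers: [
      {
        name: 'secops-mailbox'
        emailAddress: alertEmail
        useCommonAlertSchema: true
      }
    ]
  }
}

// Step 2: the alert rule runs a KQL query against the workspace every five minutes.
resource roleAssignmentAlert 'Microsoft.Insights/scheduledQueryRules@2021-08-01' = {
  name: 'new-rbac-role-assignment'
  location: location
  properties: {
    displayName: 'New RBAC role assignment written'
    description: 'A role assignment was created or updated in this subscription.'
    severity: 2
    enabled: true
    evaluationFrequency: 'PT5M'
    windowSize: 'PT5M'
    scopes: [
      workspaceId
    ]
    criteria: {
      allOf: [
        {
          // Administrative operations are the Activity Log category that records ARM writes.
          query: '''
AzureActivity
| where CategoryValue == "Administrative"
| where OperationNameValue =~ "Microsoft.Authorization/roleAssignments/write"
| where ActivityStatusValue =~ "Success"
| project TimeGenerated, Caller, CallerIpAddress, _ResourceId
'''
          timeAggregation: 'Count'
          operator: 'GreaterThan'
          threshold: 0
          failingPeriods: {
            numberOfEvaluationPeriods: 1
            minFailingPeriodsToAlert: 1
          }
        }
      ]
    }
    actions: {
      actionGroups: [
        alertActionGroup.id
      ]
    }
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file activity-alert.bicep --parameters workspaceId=...`. The query itself is the part to adapt: any condition expressible in KQL over the ingested log becomes an alert, and the action group, not the diagnostic setting, is where event-driven responders are attached.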
