💡 Before you start
This method is currently used to ingest the following Microsoft logs:
📘Note
This article outlines the process of connecting new Azure logs to Hunters. To learn how to migrate existing Azure data flows from Blob Storage to Azure Event Hub, click here.
This article describes how to set up Azure Event Hub as a collection method of Azure logs. The steps listed below are based on the general guidelines appearing in this guide from Microsoft, with additional Hunters-specific information. As you follow the guide, make sure to read through each section before performing the steps on the Azure portal.
⚠️Attention
You can configure this collection for a specific consumer group.
When setting up this collection method, make sure the configured Event Hub and Consumer Group pair are not used by any other consumer other than Hunters (including other Hunters integrations), and that each of Hunters' data types have their own Event Hub, as we currently do not support multiple data types per Event Hub.
STEP 1: Set up the required Resource Provider in the Event Hubs subscription
In this step you will make sure your Azure subscription has the right resource providers activated.
Follow the steps in this section to make sure your subscription is registered to the required resource provider.
Save the Subscription ID value. You will need it when finalizing the connection on the Hunters platform.
STEP 2: Set up Microsoft Entra App Registration
In this step you will register an app for Hunters to use as it listens to your logs. Note that when you register an app you are also creating a corresponding service principal.
Follow the steps in this section to set up Microsoft Entra app registration.
Save the information items below (you will need them when finalizing the connection on the Hunters platform):
Directory (tenant) ID
Application (client) ID
Application (client) secret
STEP 3: Set up Event Hubs namespace and add permissions
Follow the steps in this section to set up an Events Hub namespace and add permissions.
When setting up the Event Hub namespace, fill in the following:
Resource group - Select the resource group where your service principal is located.
Namespace name - As this namespace is dedicated to Hunters integrations, we suggest naming it Hunters.
Location - Select your zone.
Pricing tier - Select Standard or higher. This is required for a 7-day retention period.
Throughput units - Set to 10.
Enable Auto-Inflate - Activate.
Auto-Inflate Maximum Throughput Units - Set to 20.
Give Hunters service principle permissions to the event hub namespaces:
Open the namespace you’ve just created.
Navigate to Access Control (IAM) and click Add > Add role assignment to create a new permission.
Under Role > Job function roles, search for Azure Event Hubs Data Receiver role, and then select it from the list and click Next.
.png?sv=2022-11-02&spr=https&st=2025-04-20T02%3A06%3A36Z&se=2025-04-20T02%3A19%3A36Z&sr=c&sp=r&sig=VqksUXBs89Lz7sReHbINymM3cNhtH4dIl8WJwA6n8SU%3D)
Under the Members tab > Assign access to, select User, group, or service principal. Then click + Select members and find the application you registered in the previous step. Select it and click Review + assign.
.png?sv=2022-11-02&spr=https&st=2025-04-20T02%3A06%3A36Z&se=2025-04-20T02%3A19%3A36Z&sr=c&sp=r&sig=VqksUXBs89Lz7sReHbINymM3cNhtH4dIl8WJwA6n8SU%3D)
Repeat the process for the Log Analytics Reader role.
Save the information items below (you will need them when finalizing the connection on the Hunters platform):
Resource group name
Event Hub namespace
STEP 4: Create an Event Hub
⚠️Attention
Make sure the Event Hub is not used by any other consumer other than Hunters.
Follow the steps in this section to set up an Event Hub.
When setting up the Event Hub, consider the following:
For each datatype you want to share with Hunters, create a separate Event Hub with a distinguishable name.
Each Event Hub should be configured with a number of partitions, where each partition is expected to have up to 250KB/s. If the expected throughput is 2MB/s, you should configure 8 partitions. A minimum of 4 partitions is recommended, to backfill data quickly in cases of failure. If you know you'll deliver high-volume data, go for the maximum of 32 partitions. Partitions do not cost money.
Save the Event Hub name. You will need it when finalizing the connection on the Hunters platform.
STEP 5: Route logs to the Event Hub
Each data type requires a different process to route logs to the Event Hub. Consult the relevant article: