Tutorial: Configure Event Hubs for Azure Cloud HSM

If you configured operation event logging for Azure Cloud HSM, you already have a working diagnostic setting on your Cloud HSM cluster that routes HsmServiceOperations logs to Storage and Log Analytics. To add Event Hubs as a destination, add a third destination to that same diagnostic setting or create a new one that targets Event Hubs.

Azure Monitor diagnostic settings support multiple destinations simultaneously. Because your Log Analytics pipeline already proves that log emission from Cloud HSM is working, Event Hubs becomes another destination receiving the same HsmServiceOperations category.

In this tutorial, you:

  • Create an Event Hub namespace and event hub for Cloud HSM logs.
  • Configure authorization rules with least-privilege permissions.
  • Update diagnostic settings to stream logs to Event Hubs.
  • Verify that Event Hubs receives Cloud HSM operation events.

Prerequisites

Verify the logs resource group exists

Event Hubs should deploy into the same resource group that contains your storage account and Log Analytics workspace for operational event logging. If you didn't set up operational event logging, first follow the guidance in Configure and query operation event logging for Azure Cloud HSM.

Verify that your targeted resource group exists:

az group show --name "<resource-group>" --query "{name:name, location:location}" --output table

Create an Event Hubs namespace

The namespace is the container that holds one or more event hubs. Use the Standard tier, which is required for diagnostic settings integration.

az eventhubs namespace create \
  --name "<eventhub-namespace>" \
  --resource-group "<resource-group>" \
  --location "<location>" \
  --sku Standard \
  --capacity 1 \
  --enable-auto-inflate false

Key options:

  • Standard SKU: The Basic tier doesn't support diagnostic settings as a destination.
  • Capacity 1: One throughput unit (1 MB/s ingress, 2 MB/s egress) is sufficient for HSM audit logs.
  • Autoinflate disabled: HSM log volume is low, so autoinflate isn't necessary.

Create an event hub inside the namespace

To receive the Cloud HSM logs, create an event hub inside the namespace.

az eventhubs eventhub create \
  --name "cloudhsm-logs" \
  --namespace-name "<eventhub-namespace>" \
  --resource-group "<resource-group>" \
  --partition-count 2 \
  --retention-time-in-hours 168 \
  --cleanup-policy Delete

Key options:

  • Partition count 2: Two partitions are sufficient for HSM audit log throughput.
  • Retention time 168 hours: Keep messages for seven days (the maximum for Standard tier).
  • Cleanup policy Delete: Delete messages after the retention period expires.

Create a consumer group

Create a dedicated consumer group for downstream processing. Reserve the default $Default group for other uses.

az eventhubs eventhub consumer-group create \
  --name "azure-cloud-hsm" \
  --namespace-name "<eventhub-namespace>" \
  --eventhub-name "cloudhsm-logs" \
  --resource-group "<resource-group>"

Create an authorization rule

Diagnostic settings need Send permission to push logs into the event hub. Create a shared access policy with only the required permission.

az eventhubs namespace authorization-rule create \
  --name "DiagnosticSettingsSendRule" \
  --namespace-name "<eventhub-namespace>" \
  --resource-group "<resource-group>" \
  --rights Send

Note

This rule grants only Send permission, not Listen or Manage. Follow the principle of least privilege. Your downstream consumers (such as Azure Functions or Stream Analytics) should use a separate rule with Listen permission.

Get the authorization rule resource ID

Retrieve the authorization rule resource ID for use in the diagnostic setting.

authRuleId=$(az eventhubs namespace authorization-rule show \
  --name "DiagnosticSettingsSendRule" \
  --namespace-name "<eventhub-namespace>" \
  --resource-group "<resource-group>" \
  --query id --output tsv)

echo "Auth Rule ID: $authRuleId"

Save this value for use in the next step.

Update the diagnostic setting to add Event Hubs

You have two options for adding Event Hubs as a destination:

Option A: Update the existing diagnostic setting

This approach updates your existing diagnostic setting to add Event Hubs while keeping Storage and Log Analytics.

# Set your resource group variables
hsmResourceGroup="<resource-group>"
logsResourceGroup="<resource-group>"

# Find the HSM cluster name (auto-generated during deployment)
hsmClusterName=$(az resource list \
  --resource-group $hsmResourceGroup \
  --resource-type Microsoft.HardwareSecurityModules/cloudHsmClusters \
  --query "[0].name" --output tsv)
echo "HSM Cluster: $hsmClusterName"

# Get the HSM cluster resource ID
hsmResourceId=$(az resource show \
  --resource-group $hsmResourceGroup \
  --resource-type Microsoft.HardwareSecurityModules/cloudHsmClusters \
  --name $hsmClusterName \
  --query id --output tsv)

# Get your existing storage account ID
storageAccountId=$(az storage account list \
  --resource-group $logsResourceGroup \
  --query "[0].id" --output tsv)

# Get your existing Log Analytics workspace ID
workspaceId=$(az monitor log-analytics workspace list \
  --resource-group $logsResourceGroup \
  --query "[0].id" --output tsv)

# Get the Event Hub auth rule ID
authRuleId=$(az eventhubs namespace authorization-rule show \
  --name "DiagnosticSettingsSendRule" \
  --namespace-name "<eventhub-namespace>" \
  --resource-group $logsResourceGroup \
  --query id --output tsv)

# Update the diagnostic setting with all three destinations
az monitor diagnostic-settings create \
  --name "<diagnostic-setting-name>" \
  --resource $hsmResourceId \
  --storage-account $storageAccountId \
  --workspace $workspaceId \
  --event-hub "cloudhsm-logs" \
  --event-hub-rule $authRuleId \
  --logs '[{"category":"HsmServiceOperations","enabled":true}]'

Important

Both CLI and PowerShell commands replace the entire diagnostic setting if the name matches an existing one. You must include the storage account and workspace again, or those destinations are removed.
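The replace-on-match behavior described in the note above is easy to trip over in automation: a script that passes only the Event Hubs flags silently drops Storage and Log Analytics. The following Python helper is an added example, not code from this tutorial or from the Azure CLI. It assumes the existing setting was fetched as JSON with "az monitor diagnostic-settings show" and that the output uses the field names storageAccountId, workspaceId, eventHubName and eventHubAuthorizationRuleId (an assumption about the CLI's output shape); the sample setting, subscription ID and resource names below are constructed. It reports which destinations a plain re-create would remove and builds the argument list for a create call that keeps every existing destination.

```python
"""Preflight check before re-creating a Cloud HSM diagnostic setting.

Hypothetical helper (not part of the tutorial or the Azure CLI): given the
JSON of the existing setting and the destinations you plan to pass, list what
a replace would drop and build an argv that keeps all destinations.
"""
import json
import shlex

# Constructed sample shaped like the assumed `az monitor diagnostic-settings show`
# output: Storage and Log Analytics are set, Event Hubs is not yet configured.
EXISTING_SETTING_JSON = """
{
  "name": "chsm-diagnostic-setting",
  "storageAccountId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-logs/providers/Microsoft.Storage/storageAccounts/stchsmlogs",
  "workspaceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-logs/providers/Microsoft.OperationalInsights/workspaces/law-chsm",
  "eventHubName": null,
  "eventHubAuthorizationRuleId": null,
  "logs": [{"category": "HsmServiceOperations", "enabled": true}]
}
"""

# Destination field in the setting JSON -> CLI flag that sets it on `create`.
DESTINATION_FLAGS = {
    "storageAccountId": "--storage-account",
    "workspaceId": "--workspace",
    "eventHubName": "--event-hub",
    "eventHubAuthorizationRuleId": "--event-hub-rule",
}


def dropped_destinations(existing, planned):
    """Destination fields present in the existing setting but absent from the plan.

    Anything returned here would be removed by a `create` that only passes `planned`.
    """
    return [f for f in DESTINATION_FLAGS if existing.get(f) and not planned.get(f)]


def merged_destinations(existing, planned):
    """Keep every existing destination and overlay the newly planned ones."""
    merged = {f: existing.get(f) for f in DESTINATION_FLAGS}
    merged.update({f: v for f, v in planned.items() if v})
    return {f: v for f, v in merged.items() if v}


def build_create_args(name, resource_id, destinations, categories=("HsmServiceOperations",)):
    """Argument list for `az monitor diagnostic-settings create` with all destinations."""
    logs = [{"category": c, "enabled": True} for c in categories]
    argv = ["az", "monitor", "diagnostic-settings", "create",
            "--name", name, "--resource", resource_id]
    for field, flag in DESTINATION_FLAGS.items():
        if destinations.get(field):
            argv += [flag, destinations[field]]
    # Compact JSON matches the literal form used in the tutorial's --logs argument.
    argv += ["--logs", json.dumps(logs, separators=(",", ":"))]
    return argv


def preflight(existing_json, planned, name, resource_id):
    """Return (dropped_fields, merged_argv) for the planned update."""
    existing = json.loads(existing_json)
    dropped = dropped_destinations(existing, planned)
    argv = build_create_args(name, resource_id, merged_destinations(existing, planned))
    return dropped, argv


if __name__ == "__main__":
    # Constructed plan: only the Event Hubs flags, as a careless script might pass.
    plan = {
        "eventHubName": "cloudhsm-logs",
        "eventHubAuthorizationRuleId": "/constructed/authorizationRules/DiagnosticSettingsSendRule",
    }
    dropped, argv = preflight(EXISTING_SETTING_JSON, plan,
                              "chsm-diagnostic-setting", "/constructed/cloudHsmClusters/chsm-demo")
    if dropped:
        print("WARNING: re-creating with only the planned flags would drop:", ", ".join(dropped))
    print("Safe command:", shlex.join(argv))
```

In a deployment script, feed the real output of the show command into preflight and refuse to continue if the dropped list is non-empty; the merged argv is the command that keeps all three destinations.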

Option B: Create a separate diagnostic setting for Event Hubs only

If you prefer to keep your existing setting unchanged and add a second one:

# Find the HSM cluster name
hsmClusterName=$(az resource list \
  --resource-group "<resource-group>" \
  --resource-type Microsoft.HardwareSecurityModules/cloudHsmClusters \
  --query "[0].name" --output tsv)

hsmResourceId=$(az resource show \
  --resource-group "<resource-group>" \
  --resource-type Microsoft.HardwareSecurityModules/cloudHsmClusters \
  --name $hsmClusterName \
  --query id --output tsv)

authRuleId=$(az eventhubs namespace authorization-rule show \
  --name "DiagnosticSettingsSendRule" \
  --namespace-name "<eventhub-namespace>" \
  --resource-group "<resource-group>" \
  --query id --output tsv)

az monitor diagnostic-settings create \
  --name "chsm-eventhub-diagnostic-setting" \
  --resource $hsmResourceId \
  --event-hub "cloudhsm-logs" \
  --event-hub-rule $authRuleId \
  --logs '[{"category":"HsmServiceOperations","enabled":true}]'

Note

Azure supports up to five diagnostic settings per resource. A second setting is valid and keeps concerns separated.

Verify Event Hubs is receiving messages

After you configure the diagnostic setting, verify that Event Hubs is receiving Cloud HSM logs.

Check the diagnostic setting in the portal

  1. In the Azure portal, go to your Cloud HSM cluster.
  2. Under Monitoring, select Diagnostic settings.
  3. Confirm that Event Hubs is listed as a destination.

Check Event Hubs metrics

Run the following command to check incoming messages over the last hour:

# Get your subscription ID
subId=$(az account show --query id --output tsv)

# Check incoming messages (last 1 hour)
az monitor metrics list \
  --resource "/subscriptions/$subId/resourceGroups/<resource-group>/providers/Microsoft.EventHub/namespaces/<eventhub-namespace>" \
  --metric "SuccessfulRequests" \
  --interval PT1H \
  --output table

View messages (optional)

If you want to read a few messages to confirm content, create a Listen rule:

# Create a Listen rule for your consumer
az eventhubs namespace authorization-rule create \
  --name "ConsumerListenRule" \
  --namespace-name "<eventhub-namespace>" \
  --resource-group "<resource-group>" \
  --rights Listen

# Get the connection string
az eventhubs namespace authorization-rule keys list \
  --name "ConsumerListenRule" \
  --namespace-name "<eventhub-namespace>" \
  --resource-group "<resource-group>" \
  --query primaryConnectionString --output tsv

You can use this connection string with Azure Event Hubs Explorer, the Visual Studio Code Event Hubs extension, or a Python script to view messages.
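A downstream consumer has to unpack the Event Hubs message before it can do anything useful with the Cloud HSM events. The following Python script is an added example, not code from this tutorial or from the Azure SDK. It assumes that each Event Hubs message body is the Azure Monitor resource-log envelope {"records": [...]} and that each record carries the common fields time, resourceId, category, operationName and resultType; the sample message and its operation names are constructed, and which resultType values count as success is an assumption held in one constant. The parsing and summary functions run offline; the receive loop at the end uses the azure-eventhub package with the connection string from the Listen-only rule and is not exercised here.

```python
"""Parse HsmServiceOperations records from Event Hubs message bodies.

Added example (not the tutorial's or the SDK's code). Assumes the Azure Monitor
resource-log envelope {"records": [...]}; the sample below is constructed.
"""
import json
from collections import Counter

WANTED_CATEGORY = "HsmServiceOperations"
# Assumption: any resultType outside this set is treated as a failed operation.
SUCCESS_RESULTS = {"Success", "Succeeded"}

# Constructed sample message body: two HSM operations, one failure, and one
# record of another category that a consumer should ignore.
SAMPLE_MESSAGE = json.dumps({
    "records": [
        {"time": "2024-01-01T10:00:00Z",
         "resourceId": "/constructed/cloudHsmClusters/chsm-demo",
         "category": "HsmServiceOperations", "operationName": "GenerateKey",
         "resultType": "Success", "callerIpAddress": "203.0.113.10"},
        {"time": "2024-01-01T10:00:05Z",
         "resourceId": "/constructed/cloudHsmClusters/chsm-demo",
         "category": "HsmServiceOperations", "operationName": "Sign",
         "resultType": "Failure", "callerIpAddress": "203.0.113.10"},
        {"time": "2024-01-01T10:00:07Z",
         "resourceId": "/constructed/cloudHsmClusters/chsm-demo",
         "category": "HsmServiceOperations", "operationName": "GenerateKey",
         "resultType": "Success", "callerIpAddress": "203.0.113.11"},
        {"time": "2024-01-01T10:00:09Z",
         "resourceId": "/constructed/other", "category": "OtherCategory",
         "operationName": "Noise", "resultType": "Success"},
    ]
})


def parse_records(body, category=WANTED_CATEGORY):
    """Decode one message body and keep only records of the wanted category.

    Malformed bodies (non-JSON, or no list under "records") yield an empty list
    rather than raising, so one bad message cannot stall the consumer.
    """
    try:
        envelope = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        return []
    records = envelope.get("records") if isinstance(envelope, dict) else None
    if not isinstance(records, list):
        return []
    return [r for r in records if isinstance(r, dict) and r.get("category") == category]


def summarize(records):
    """Count operations and failures per operationName."""
    by_op = Counter(r.get("operationName", "unknown") for r in records)
    failures = Counter(r.get("operationName", "unknown") for r in records
                       if r.get("resultType") not in SUCCESS_RESULTS)
    return {"total": len(records), "by_operation": dict(by_op), "failures": dict(failures)}


def run_consumer(connection_string, eventhub_name="cloudhsm-logs",
                 consumer_group="azure-cloud-hsm"):
    """Live receive loop (assumes the azure-eventhub package; not run offline).

    Uses the dedicated consumer group from the tutorial and a connection string
    from a Listen-only authorization rule.
    """
    from azure.eventhub import EventHubConsumerClient  # imported lazily on purpose

    client = EventHubConsumerClient.from_connection_string(
        connection_string, consumer_group=consumer_group, eventhub_name=eventhub_name)

    def on_event(partition_context, event):
        if event is None:
            return
        records = parse_records(event.body_as_str())
        if records:
            print(json.dumps(summarize(records)))

    with client:
        client.receive(on_event=on_event, starting_position="-1")


if __name__ == "__main__":
    print(json.dumps(summarize(parse_records(SAMPLE_MESSAGE)), indent=2))
```

Run it as-is to see the summary of the constructed sample; to read from the real hub, call run_consumer with the primary connection string returned by the keys list command above.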