Azure Data Explorer Sink for Serilog

Use Serilog with Azure Data Explorer

Serilog is a popular diagnostic logging library, with support for many (many) destinations (called “sinks”). It supports sending traces and structured event data to the console, emails, databases (such as SQL servers, Azure CosmosDB, etc.).

Azure Data Explorer is a fully managed, high-performance, big data analytics platform that makes it easy to analyze high volumes of data in near real time. It is perfect for analyzing structured, semi-structured, and unstructured data, and makes it simple to extract key insights, spot patterns and trends, and is extremely useful for log analytics.

Coupling Serilog and Azure Data Explorer makes perfect sense, allowing developers to easily send logs and event data to their Azure Data Explorer clusters.

Serilog.Sinks.AzureDataExplorer is a Nuget package that provides a sink for the Serilog library with various features:

Getting started

Install from NuGet:

Install-Package Serilog.Sinks.AzureDataExplorer

How to use

var log = new LoggerConfiguration()
    .WriteTo.AzureDataExplorer(new AzureDataExplorerSinkOptions
    {
        IngestionEndpointUri = "https://ingest-mycluster.northeurope.kusto.windows.net",
        DatabaseName = "MyDatabase",
        TableName = "Serilogs"
    })
    .CreateLogger();

Options

Batching

  • BatchPostingLimit: The maximum number of events to post in a single batch. Defaults to 50.
  • Period: The time to wait between checking for event batches. Defaults to 2 seconds.
  • QueueSizeLimit: The maximum number of events that will be held in-memory while waiting to ship them to AzureDataExplorer. Beyond this limit, events will be dropped. The default is 100,000.

Target ADX Cluster

  • IngestionEndpointUri: Ingestion endpoint of the target ADX cluster.
  • DatabaseName: Database name where the events will be ingested.
  • TableName: Table name where the events will be ingested.
  • UseStreamingIngestion: Whether to use streaming ingestion (reduced latency, at the cost of reduced throughput) or queued ingestion (increased latency, but much higher throughput).

Mapping

Azure Data Explorer provides data mapping capabilities, allowing the ability to extract data rom the ingested JSONs as part of the ingestion. This allows paying a one-time cost of processing the JSON during ingestion, and reduced cost at query time.

By default, the sink uses the following data mapping:

Column NameColumn TypeJSON Path
Timestampdatetime $.Timestamp
Levelstring $.Level
Messagestring $.Message
Exceptionstring $.Exception
Propertiesdynamic $.Properties

This mapping can be overridden using the following options:

  • MappingName: Use a data mapping configured in ADX.
  • ColumnsMapping: Use an ingestion-time data mapping.

Authentication

The sink supports authentication using various methods. Use one of the following methods to configure the desired authentication methods:

new AzureDataExplorerSinkOptions()
    .WithXXX(...)
ModeMethodNotes
AadUserPromptWithAadUserPromptRecommended only development!
AadUserTokenWithAadUserToken
AadApplicationCertificateWithAadApplicationCertificate
AadApplicationKeyWithAadApplicationKey
AadApplicationSubjectNameWithAadApplicationSubjectName
AadApplicationThumbprintWithAadApplicationThumbprint
AadApplicationTokenWithAadApplicationToken
AadAzureTokenCredentialsWithAadAzureTokenCredentials