Messages sent through Logs Ingestion API not seen in Log Analytics Workspace

Rutger Koperdraad 20 Reputation points
2025-08-06T22:16:07.07+00:00

We have several app services that run .NET 8.0 web APIs and that send messages to the Logs Ingestion API. To make that work, we use the following resources on Azure:

  • A Microsoft Entra Enterprise Application called Serilog with application ID 1d430e34-5bb3-4878-8f57-0ae02bd22b18.
  • A Log Analytics workspace called cardexchange-prod with a custom-log table called Serilog_CL.
  • A Data Collection Endpoint called Serilog-Production.
  • A Data Collection Rule called Serilog-Production that references the Data Collection Endpoint and has a data source called Custom-Serilog_CL that references the Serilog_CL table in the Log Analytics workspace.

This works fine for some of the app services, for example cardexchangecloudapi and CardExchangeCloudAuthEU. However, it does not work for others, for example CardExchangeCloudNyu and CardExchangeCloudNyuTest. The app services for which it does not work all share the same code base, but with different configuration files. The way the Logs Ingestion API is called is the same as for the app services that work fine. We use Serilog with a custom sink that calls the Logs Ingestion API. The code for this sink is shared among all app services.

I cannot find any configuration error. In Azure, I cannot find any error condition related to failed calls between the services mentioned above. I am out of ideas on how I can further troubleshoot this issue.

Azure Monitor

Accepted answer
  1. Rahul Jorrigala 3,655 Reputation points Microsoft External Staff Moderator
    2025-08-06T23:12:46.55+00:00

    Hello Rutger Koperdraad

    1. Validate Service Principal Permissions

    Ensure the service principal (App Registration) used by the failing App Services has the same permissions as the working App Services.

    2. Check App Configuration for Auth

    Compare the App Settings of working vs non-working App Services:

    - TENANT_ID
    - CLIENT_ID
    - CLIENT_SECRET
    - DCR_IMMUTABLE_ID
    - LOGS_INGESTION_ENDPOINT
    - TABLE_NAME
    

    Make sure there are no typos, whitespace issues, or missing values.

    3. Verify Token Acquisition

    Ensure the token is being acquired correctly using the service principal:

    POST https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
    Content-Type: application/x-www-form-urlencoded

    client_id=<client-id>
    &client_secret=<client-secret>
    &scope=https://monitor.azure.com/.default
    &grant_type=client_credentials
    

    Check if the token request is succeeding in the failing apps. You can log the token response or error.

    4. Inspect Logs Ingestion API Call

    Enable verbose logging in your custom Serilog sink to capture:

    • The exact request payload
    • The response status code and body
    • Any exceptions or retries

    Look for:

    • 401 Unauthorized → likely token or permission issue
    • 403 Forbidden → access denied to DCR or workspace
    • 400 Bad Request → malformed payload or wrong table name
    • 404 Not Found → incorrect DCR or endpoint

    5. Test the Service Principal Manually

    From your local machine or Azure Cloud Shell, try sending a test payload using the same service principal credentials. This can help isolate whether the issue is in the app service environment or the credentials/config.

    6. Check DCR Association

    Ensure that the Data Collection Rule used is adequately set up and includes the custom log table (Serilog_CL). If you’re using any transformations in the DCR, verify that they're correctly configured.

    Even with service principal auth, the DCR must be associated with the App Service resource (or its resource group/subscription).

    az monitor data-collection rule association list --resource <app-service-resource-id>
    

    If the association is missing, create it:

    az monitor data-collection rule association create \
      --name <association-name> \
      --resource <app-service-resource-id> \
      --rule <dcr-resource-id>
    

    7. Network and Firewall Issues

    Confirm that there are no firewall or network configuration issues preventing logs from being sent. This includes validating if the needed outbound traffic to Azure Monitor is allowed.

    Use the Kudu Console (https://<app-name>.scm.azurewebsites.net/DebugConsole) to test outbound connectivity to the Logs Ingestion API endpoint. Run a simple PowerShell or curl command to simulate the ingestion call.

    Please let me know if you face any challenge here; I can help you to resolve this issue further.

    If the comment was helpful, please click "Upvote"

    1 person found this answer helpful.
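
Steps 2 to 5 of the answer above as one script; this is an added example, not code from the question or the answer. It assumes the six setting names listed in step 2, a stream name of "Custom-" plus TABLE_NAME (as in Custom-Serilog_CL), a DCR immutable ID that starts with "dcr-", API version 2023-01-01 and HTTP 204 on success. It reports setting names and status codes only, so the client secret and the access token never reach a log.

```python
import json, re, urllib.error, urllib.parse, urllib.request
REQUIRED = ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET",
            "DCR_IMMUTABLE_ID", "LOGS_INGESTION_ENDPOINT", "TABLE_NAME")
GUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
PREFIX = {"DCR_IMMUTABLE_ID": "dcr-", "LOGS_INGESTION_ENDPOINT": "https://"}  # assumed
HINTS = {204: "accepted", 400: "malformed payload or wrong table name",
         401: "token or permission issue", 403: "access denied to DCR or workspace",
         404: "incorrect DCR or endpoint"}

def check_settings(s):
    """List problems by setting name only; values (CLIENT_SECRET!) are never echoed."""
    problems = []
    for key in REQUIRED:
        value = s.get(key) or ""
        if not value.strip():
            problems.append(f"{key}: missing or empty")
        elif value != value.strip():
            problems.append(f"{key}: leading/trailing whitespace")
        elif key in ("TENANT_ID", "CLIENT_ID") and not GUID.fullmatch(value):
            problems.append(f"{key}: not a GUID")
        elif key in PREFIX and not value.startswith(PREFIX[key]):
            problems.append(f"{key}: expected a value starting with {PREFIX[key]}")
    return problems

def ingestion_url(s):
    stream = "Custom-" + s["TABLE_NAME"]  # assumption: stream name = "Custom-" + table
    return (f"{s['LOGS_INGESTION_ENDPOINT'].rstrip('/')}/dataCollectionRules/"
            f"{s['DCR_IMMUTABLE_ID']}/streams/{stream}?api-version=2023-01-01")

def post(url, body, headers):
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:  # 4xx/5xx are results here, not crashes
        return err.code, err.read()

def send_test_record(s, record):
    form = urllib.parse.urlencode({"client_id": s["CLIENT_ID"],
        "client_secret": s["CLIENT_SECRET"], "grant_type": "client_credentials",
        "scope": "https://monitor.azure.com/.default"}).encode()
    status, raw = post(f"https://login.microsoftonline.com/{s['TENANT_ID']}/oauth2/v2.0/token",
                       form, {"Content-Type": "application/x-www-form-urlencoded"})
    if status != 200:  # report the status only, never the response body or a token
        return f"token request failed: HTTP {status}"
    headers = {"Authorization": "Bearer " + json.loads(raw)["access_token"],
               "Content-Type": "application/json"}
    status, _ = post(ingestion_url(s), json.dumps([record]).encode(), headers)
    return f"ingestion: HTTP {status} {HINTS.get(status, 'see response body')}"
```

Running `check_settings` against the settings of a working and a failing app service, then `send_test_record` with a record that matches the Serilog_CL columns, separates configuration drift from credential or network problems.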