Install Log Forwarder via ARM template

Resources created with ARM template include Function App, App Service Plan and Application Insights service. Optionally, a new Event Hub namespace and Event Hub instance can be created.

To install Log Forwarder via ARM template:

  1. From Azure Console, select Create a resource, search for template and then select Template deployment > Create.

  2. Select Build your own template in editor.

  3. Select Load File and upload pty_forward_arm_v2.json. Click Save.

  4. Select Resource Group.

  5. Specify Name for the resources (All resources will be prefixed with Protegrity-Forward).

  6. For Location input specify Azure region name or leave default to deploy in the same region as resource group

  7. For Storage Account Blob Service Url Optionally use the value recorded in Create Storage Account. If value is not given, it will be automatically derived from Forward Function Blob Url.

  8. For Forward Function Blob Url use the value from Upload Files.

  9. For Function Sku either EP1 or EP3 are recommended. Note that this will affect the running cost.

  10. For Function Sku Count Minimum number of workers to keep active.

  11. For WorkSpace Sku Azure Monitor log analytics pricing plan. See Azure Monitor Pricing tiers documentation for details: Azure Monitor Pricing

  12. For Log Retention In Days The workSpace data retention in days. Allowed values are per pricing plan. See Azure Monitor Pricing tiers documentation for details: Azure Monitor Pricing

  13. For Forward Logs to ESA select whether to collect audit logs from a new or an existing Event Hub. A new Event Hub namespace and new Event Hub instance will be created for ‘From new Event Hub’ option.

  14. For Audit Log Output select whether to send logs directly to Audit Store or td-agent on ESA

  15. For Event Hub Namespace enter Event Hub namespace name. Depending on previous option, a new namespace with this name will be created or an existing namespace with this name will be used.

  16. For New Event Hub Namespace Sku Name select Event Hub namespace SKU name. Applicable only when ‘From new Event Hub’ is selected.

  17. For New Event Hub Namespace Sku Tier select Event Hub namespace SKU Tier used for new Event Hub namespace. Applicable only when ‘From new Event Hub’ is selected.

  18. For New Event Hub Namespace Sku Capacity enter a value of Event Hub throughput units for Basic or Standard tiers, where value should be 0 to 20 throughput units. The Event Hubs premium units for Premium tier, where value should be 0 to 10 premium units. Applicable only when ‘From new Event Hub’ is selected.

  19. For Event Hub Name enter Event Hub instance name. A new Event Hub instance with this name will be created or an existing Event Hub instance with this name will be used.

  20. For Event Hub Name DLQ enter Event Hub name for the dead-letter queue, where messages will be delivered to in case connection to ESA is lost. A new Event Hub instance with this name will be created or an existing Event Hub with this name will be used.

  21. For New Event Hub Partition Count enter number of partitions to create in a new Event Hub. Allowed values are from 1 to 32 partitions. Applicable only when ‘From new Event Hub’ is selected.

  22. For New Event Hub Audit Log Retention In Days enter number of days audit logs will be available in Event Hub. Applies to both primary Event Hub and dead-letter queue Event Hub. Applicable only when ‘From new Event Hub’ is selected.

  23. For Log Destination Esa Ip enter ESA IP address.

  24. For Esa Client Cert enter single-line ESA client certificate. See section Certificate Authentication for details.

  25. For Esa Client Cert Key Secret Name enter secret name which stores ESA client certificate single-line private key. See section Certificate Authentication for details.

  26. For Key Vault Uri enter URI of the Key Vault that stores ESA username/password secrets.

  27. For Esa Tls Disable Cert Verify Set to ‘0’ to enable ESA certificate validation. Set to ‘1’ to disable ESA certificate verification. Disable only for initial setup and development purposes, do not disable in production environments.

  28. If ESA is configured with self-signed certificate, set Pty Esa Ca Server Cert. Use the ESA CA Server Certificate escaped content recorded in Certificates on ESA.

    Note that for development and troubleshooting purposes, ESA certificate validation can be disabled by either redeploying this function with this ARM template where Esa Tls Disable Cert Verify option is set to ‘1’ or by directly setting PTY_ESA_DISABLE_TLS_CERT_VERIFY environment variable to ‘1’.

  29. For Esa Connect Timeout set time in seconds to wait for the ESA connection response. Minimum value: 1. Default: 5.

  30. For Esa Virtual Host provide ESA virtual hostname. This configuration is optional. It can be used when proxy server is present and supports TLS SNI extension.

  31. For Min Log Level select minimum log level. Accepted values: off, severe, warning, info, config, all

  32. Select Review + create then Create. Wait for all resources to deploy

After deployment is complete:

  1. Go to Outputs and record:

    Forward Function Name (ForwardFuncName):__________________

  2. Record:

    Event Hub Name (EventHubName):__________________

    Event Hub Namespace (EventHubNamespace):__________________


Last modified : February 17, 2026