> ## Documentation Index
> Fetch the complete documentation index at: https://docs.golf.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Export Logs to Azure Sentinel

> Configure Microsoft Sentinel DCR-based log ingestion.

Configure Azure Sentinel export to send audit logs to Microsoft Sentinel using Data Collection Rules (DCR) for security monitoring and analytics.

## Prerequisites

Before configuring Golf Gateway, set up these Azure resources:

1. **Data Collection Endpoint (DCE)** - See [Create a DCE](https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-endpoint-overview) in Microsoft documentation.
2. **Data Collection Rule (DCR)** with custom table `GolfGateway_CL` - See [Create a DCR](https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-rule-overview) in Microsoft documentation.
3. **Service Principal** with `Monitoring Metrics Publisher` role on the DCR - See [Create service principal](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal) in Microsoft documentation.

You'll need:

* DCE Logs Ingestion endpoint URL
* DCR Immutable ID
* DCR Stream Name (default: `Custom-GolfGateway_CL`)
* Service Principal: Tenant ID, Client ID, Client Secret

## Configure Sentinel export

<Tabs>
  <Tab title="YAML">
    ```yaml theme={null}
    exporters:
      sentinel:
        - name: azure-sentinel
          enabled: true
          dcr_immutable_id: ${SENTINEL_DCR_ID}
          dcr_endpoint: https://my-dce.eastus.ingest.monitor.azure.com
          dcr_stream_name: Custom-GolfGateway_CL
          tenant_id: ${AZURE_TENANT_ID}
          client_id: ${AZURE_CLIENT_ID}
          client_secret: ${AZURE_CLIENT_SECRET}
    ```
  </Tab>

  <Tab title="Admin Portal">
    1. Go to **Connections** > **Add Connection**
    2. Select **Microsoft Sentinel**
    3. Enter DCR immutable ID and endpoint
    4. Enter service principal credentials
    5. Click **Test Connection**
    6. Click **Save**
  </Tab>
</Tabs>

## Verify export is working

1. Generate some gateway traffic
2. Wait for batch timeout (default: 10 seconds)
3. Query the `GolfGateway_CL` table in Log Analytics

See [Query logs in Azure Monitor](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/log-query-overview) for query syntax.

## Troubleshooting

* **401 Unauthorized**: Verify service principal credentials
* **403 Forbidden**: Check service principal has role on DCR
* **404 Not Found**: Verify DCR immutable ID is correct

## Related guides

* [Export Logs to Elasticsearch](/gateway/guides/audit-trail/export-to-elasticsearch) - ES export
* [Export Logs to OpenTelemetry](/gateway/guides/audit-trail/export-to-opentelemetry) - OTLP export