Log Insights on Azure Flex — Diagnostic Settings + Event Hub

Configure Azure Diagnostic Settings to stream PostgreSQL logs into MonPG via Event Hub.

The pipeline: Azure Flexible Server → Diagnostic Settings → Event Hub → MonPG collector consuming via AMQP. We recommend Event Hub over Log Analytics because it has native stream consumers and lower latency, and because the collector can resume from a checkpointed offset if it restarts.

Create an Event Hub namespace

If you don't have one already:

az eventhubs namespace create \
  --resource-group my-rg --name monpg-logs-ns \
  --location westeurope --sku Basic

az eventhubs eventhub create \
  --resource-group my-rg --namespace-name monpg-logs-ns \
  --name postgres-logs --partition-count 2 --message-retention 1

Create a Listen-only policy

This part matters: use a Listen-only Shared Access Policy. Don't reuse RootManageSharedAccessKey. Two reasons. One, principle of least privilege — MonPG only needs to consume, not publish or manage. Two, using a Manage-rights policy will eventually trigger "Listen claim required" errors when Azure tightens its scoping behavior.

az eventhubs eventhub authorization-rule create \
  --resource-group my-rg \
  --namespace-name monpg-logs-ns \
  --eventhub-name postgres-logs \
  --name monpg-listen --rights Listen

az eventhubs eventhub authorization-rule keys list \
  --resource-group my-rg \
  --namespace-name monpg-logs-ns \
  --eventhub-name postgres-logs \
  --name monpg-listen --query primaryConnectionString -o tsv

Route Flexible Server logs

az monitor diagnostic-settings create \
  --resource "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.DBforPostgreSQL/flexibleServers/<server>" \
  --name monpg-diag \
  --event-hub monpg-logs-ns \
  --event-hub-rule RootManageSharedAccessKey \
  --logs '[{"category":"PostgreSQLLogs","enabled":true}]'

The --event-hub-rule here is for Azure itself publishing to the hub; customers can only pick from existing namespace-level rules. It's distinct from the Listen rule we created above, which is for MonPG to consume. Easy to confuse, doesn't matter often, but worth knowing if the error message points one way and the docs point the other.

Paste the Listen connection string

Settings → Servers → [your server] → Azure cloud integration. Paste the connection string from the Listen rule. Click Test — MonPG joins as a consumer group member and reads a sample batch.
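
A pre-flight check to run on the connection string before pasting it, as an added example that is not MonPG code: it rejects a string taken from RootManageSharedAccessKey or from a namespace-level rule (no EntityPath). The function names and exit codes are assumptions of this example, and the sample strings are constructed with a placeholder key.

```shell
#!/bin/sh
# Added example, not MonPG code: function names and exit codes are assumptions.

# Print the value of field $2 from the ';'-separated connection string $1.
conn_field() (
  set -f; IFS=';'   # split on ';' only, no globbing
  for part in $1; do
    case $part in
      "$2="*) printf '%s\n' "${part#*=}"; exit 0 ;;
    esac
  done
  exit 1
)

# check_listen_conn <connection-string> <expected-hub>
# exit: 0 ok | 1 malformed | 2 root key | 3 namespace-level | 4 wrong hub
check_listen_conn() (
  endpoint=$(conn_field "$1" Endpoint) || endpoint=
  rule=$(conn_field "$1" SharedAccessKeyName) || rule=
  key=$(conn_field "$1" SharedAccessKey) || key=
  hub=$(conn_field "$1" EntityPath) || hub=
  case $endpoint in sb://?*) ;; *) echo "malformed: no sb:// Endpoint" >&2; exit 1 ;; esac
  if [ -z "$rule" ] || [ -z "$key" ]; then
    echo "malformed: missing SharedAccessKeyName or SharedAccessKey" >&2; exit 1
  fi
  if [ "$rule" = RootManageSharedAccessKey ]; then
    echo "refuse: RootManageSharedAccessKey carries Manage rights" >&2; exit 2
  fi
  if [ -z "$hub" ]; then
    echo "refuse: no EntityPath, string came from a namespace-level rule" >&2; exit 3
  fi
  if [ "$hub" != "$2" ]; then
    echo "refuse: EntityPath '$hub' is not '$2'" >&2; exit 4
  fi
  echo "ok: rule '$rule' scoped to hub '$hub'"
)

# Constructed samples; the key is a placeholder, not a real secret.
NS='Endpoint=sb://monpg-logs-ns.servicebus.windows.net/'
KEY='SharedAccessKey=CONSTRUCTED0placeholder0key0000000000000000='
GOOD="$NS;SharedAccessKeyName=monpg-listen;$KEY;EntityPath=postgres-logs"
ROOT="$NS;SharedAccessKeyName=RootManageSharedAccessKey;$KEY"
NSLEVEL="$NS;SharedAccessKeyName=monpg-listen;$KEY"

for s in "$GOOD" "$ROOT" "$NSLEVEL"; do
  check_listen_conn "$s" postgres-logs 2>&1 || echo "  -> exit $?"
done
```

The string does not state which rights the rule holds; running `az eventhubs eventhub authorization-rule show` with the same arguments as the create command plus `--query rights` confirms the rule is Listen-only.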

Alternative: metrics only via Service Principal

If you don't need logs and want a lower-effort setup, skip Event Hub entirely and let MonPG pull metrics via Azure Monitor. Create a Service Principal with Monitoring Reader at subscription or resource group scope, then paste the tenant ID, client ID and client secret. No log pipeline, no Event Hub, just metrics.

Common errors

"Listen claim(s) are required": you used a Send or Manage policy. Create a Listen-only one.

No events arriving: Diagnostic Settings doesn't actually target the Event Hub; re-check the routing step. Or the PostgreSQLLogs category isn't enabled.

"Not authorized" on namespace: the connection string came from a namespace-level rule when it should be eventhub-level (if you scoped to a specific hub). The CLI commands above scope to the eventhub level by default.