Goals

1. Extend the ClusterLogging Operator's API with a new Azure output type utilizing the Log Ingestion API.
2. Allow authentication using short-lived federated token credentials with the Log Ingestion API.
3. Allow authentication using static long-lived credentials with the Log Ingestion API.

Non Goals

• To provide an automated migration from Azure Monitor Logs to the Azure Log Ingestion API. We expect administrators to need to manually change the output given the credentials and other related fields do not necessarily translate

Motivation

Azure Monitor Logs is deprecated and intended to no longer be supported 2026-Sept. The Azure Log Ingestion API replaces Azure Monitor Logs and vector has a pending PR to support this sink. Additionally, implementing the new sink will allow us to design the CLF API to better support short-lived tokens and align the UX with other cloud providers (e.g. AWS).

Acceptance Criteria

• Verify log collectors can successfully forward to Azure Monitor Logs using the Log Ingestion API
• Verify log collectors can successfully forward logs to Azure Monitor Logs using long lived credentials via a credential secret.
• Verify log collectors can successfully forward logs to Azure Monitor Logs using the short lived token provided by a WIF enabled Azure provider

Risk and Assumptions

• As of v6.2, CLO relies on v0.37.1 of OpenShift Vector. OpenShift's Vector will have to be upgraded; however, the upgrade is currently blocked by the Rust version for RHEL.

Documentation

• Document the pre-reqs needed for an Azure WIF enabled platform to receive logs and provide authorization to the collector
• Document the support of using Azure Monitor Logs with a WIF enabled Azure
• Document this is only supported for deployments of vector as the log collection agent
• Document the long lived credential authorization pre-reqs for Azure Monitor Logs.