Azure Log Connector’s polling behavior is controlled through the appsettings.json file located in the installation directory. Polling settings determine how frequently the connector checks Microsoft APIs for new events, how many records are retrieved per cycle, and which log categories are enabled for collection. This article covers each setting and the recommended configuration for most environments.
Locating the configuration file:
The appsettings.json file is located in the Azure Log Connector installation directory:
C:\Program Files\Blue Lance 2-0\LTA_AzureLogCollector\appsettings.json
Open the file using a text editor running as Administrator. After making any changes, save the file and restart the service for changes to take effect:
net stop LTA_AzureLogCollector
net start LTA_AzureLogCollector
Polling configuration section:
The polling behavior is defined in the Polling section of appsettings.json:
"Polling": {
  "IntervalSeconds": 300,
  "BatchSize": 250,
  "LookbackMinutesOnStart": 60,
  "PullSignIns": true,
  "PullDirectoryAudits": true,
  "PullProvisioning": false,
  "PullSharePoint": true,
  "SaveRawResponses": false,
  "SharePointDelayMinutes": 30,
  "SharePointLookbackDays": 7
}
Polling settings reference:
IntervalSeconds: How often, in seconds, the connector checks Microsoft Azure for new events.
| Value | Description |
| --- | --- |
| 300 | Poll every 5 minutes - recommended for most environments |
| Lower values | More frequent polling - increases API usage |
| Higher values | Less frequent polling - reduces API usage but increases event delay |
BatchSize: The maximum number of records retrieved from the Microsoft API during each polling cycle.
| Value | Description |
| --- | --- |
| 250 | Recommended default |
| Lower values | Smaller batches - may require more cycles to retrieve all events |
| Higher values | Larger batches - may impact performance in high-volume environments |
LookbackMinutesOnStart: When the service starts or restarts, it retrieves events going back the specified number of minutes. This prevents events from being missed during downtime or restart periods.
| Value | Description |
| --- | --- |
| 60 | Look back 60 minutes on startup - recommended default |
| Higher values | Longer lookback - useful after extended downtime |
| 0 | No lookback - only collect new events from the time of startup |
PullSignIns: Controls whether Azure Sign-In logs are collected.
| Value | Description |
| --- | --- |
| true | Sign-In logs are collected - recommended |
| false | Sign-In log collection is disabled |
Requires Microsoft Entra ID P1 or P2 license.
PullDirectoryAudits: Controls whether Microsoft Entra ID audit logs are collected.
| Value | Description |
| --- | --- |
| true | Entra ID audit logs are collected - recommended |
| false | Entra ID audit log collection is disabled |
Available with Microsoft Entra ID Free and above.
PullProvisioning: Controls whether Azure provisioning logs are collected.
| Value | Description |
| --- | --- |
| true | Provisioning logs are collected |
| false | Provisioning log collection is disabled - default |
[Your administrator should enable this setting if your organization uses Azure AD provisioning and provisioning activity is in scope for monitoring.]
PullSharePoint: Controls whether SharePoint Online and OneDrive activity logs are collected.
| Value | Description |
| --- | --- |
| true | SharePoint Online and OneDrive logs are collected - recommended |
| false | SharePoint and OneDrive collection is disabled |
Requires Microsoft 365 Business Standard or above and the ActivityFeed.Read Office 365 Management API permission.
SaveRawResponses: When enabled, saves raw Microsoft API responses locally for troubleshooting purposes.
| Value | Description |
| --- | --- |
| false | Raw responses are not saved - recommended for normal operation |
| true | Raw API responses are saved locally - enable only when troubleshooting |
Enable SaveRawResponses only when actively troubleshooting API or collection issues. Leaving it enabled in normal operation will consume significant disk space over time.
SharePointDelayMinutes: Introduces a delay before collecting SharePoint and OneDrive events. This allows Microsoft 365 audit events sufficient time to become available in the Office 365 Management API before the connector attempts to retrieve them.
| Value | Description |
| --- | --- |
| 30 | Wait 30 minutes before collecting SharePoint and OneDrive events - recommended default |
| Lower values | Shorter delay - may result in missing events not yet available in the API |
| Higher values | Longer delay - events are collected later but with higher availability confidence |
SharePointLookbackDays: Specifies how many days back the connector searches for SharePoint and OneDrive events during startup or recovery operations.
| Value | Description |
| --- | --- |
| 7 | Look back 7 days for SharePoint and OneDrive events - recommended default |
| Higher values | Longer lookback - useful after extended outages |
| Lower values | Shorter lookback - reduces startup recovery time |
Recommended configuration:
For most environments the following settings are recommended:
"Polling": {
  "IntervalSeconds": 300,
  "BatchSize": 250,
  "LookbackMinutesOnStart": 60,
  "PullSignIns": true,
  "PullDirectoryAudits": true,
  "PullProvisioning": false,
  "PullSharePoint": true,
  "SaveRawResponses": false,
  "SharePointDelayMinutes": 30,
  "SharePointLookbackDays": 7
}
These settings provide near real-time monitoring while maintaining efficient API usage against Microsoft Graph and the Office 365 Management API.
[Your administrator should adjust PullProvisioning to true if Azure AD provisioning activity is in scope for your environment, and review license availability before enabling PullSignIns and PullSharePoint.]
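The following PowerShell check is an added example, not part of the connector or of the original article. It parses an appsettings.json and reports each Polling setting that is missing, has the wrong JSON type, or deviates from the recommended values, together with the effect this article gives for that deviation. The function name Test-PollingConfig and the sample JSON are constructed for illustration.

```powershell
# Added example: report where a Polling section deviates from this article's
# recommended values. Test-PollingConfig and the sample JSON are illustrative.
function Test-PollingConfig {
    param([Parameter(Mandatory)][string]$Json)

    # Recommended value, then the article's stated effect of deviating from it.
    $baseline = [ordered]@{
        IntervalSeconds        = 300,    'lower: more API usage; higher: more event delay'
        BatchSize              = 250,    'lower: more cycles to retrieve all events; higher: may impact performance'
        LookbackMinutesOnStart = 60,     '0: no lookback, only events from startup onward'
        PullSignIns            = $true,  'false: Sign-In logs are not collected'
        PullDirectoryAudits    = $true,  'false: Entra ID audit logs are not collected'
        PullProvisioning       = $false, 'true: expected only when provisioning is in scope'
        PullSharePoint         = $true,  'false: SharePoint/OneDrive logs are not collected'
        SaveRawResponses       = $false, 'true: raw API responses saved locally, troubleshooting only'
        SharePointDelayMinutes = 30,     'lower: may miss events not yet available in the API'
        SharePointLookbackDays = 7,      'lower: shorter lookback; higher: for extended outages'
    }
    try   { $polling = ($Json | ConvertFrom-Json -ErrorAction Stop).Polling }
    catch { throw "Not valid JSON (curly quotes? trailing comma?): $($_.Exception.Message)" }
    if ($null -eq $polling) { throw 'No "Polling" section found.' }

    foreach ($name in $baseline.Keys) {
        $want, $note = $baseline[$name]
        $prop = $polling.PSObject.Properties[$name]
        $problem = if ($null -eq $prop) { 'missing' }
                   elseif ($want -is [bool] -and $prop.Value -isnot [bool]) { 'expected true or false' }
                   elseif ($want -is [int] -and $prop.Value -isnot [int] -and $prop.Value -isnot [long]) { 'expected an integer' }
                   elseif ($prop.Value -ne $want) { $note }
        if ($problem) {
            [pscustomobject]@{ Setting = $name; Value = $prop.Value; Recommended = $want; Finding = $problem }
        }
    }
}

# Constructed sample: three deliberate deviations from the recommended values.
$sample = @'
{ "Polling": {
    "IntervalSeconds": 300, "BatchSize": 250, "LookbackMinutesOnStart": 0,
    "PullSignIns": true, "PullDirectoryAudits": true, "PullProvisioning": false,
    "PullSharePoint": true, "SaveRawResponses": true,
    "SharePointDelayMinutes": 5, "SharePointLookbackDays": 7 } }
'@
Test-PollingConfig -Json $sample | Format-Table -AutoSize -Wrap
```

To check the installed file before restarting the service, pass the output of Get-Content -Raw for the appsettings.json path shown earlier as the -Json argument. An empty result means the Polling section matches the recommended configuration.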
Applying configuration changes:
After editing and saving appsettings.json, restart the service to apply the changes:
net stop LTA_AzureLogCollector
net start LTA_AzureLogCollector
Confirm the service restarts successfully:
sc query LTA_AzureLogCollector
Review the application logs to confirm the updated polling settings are active:
C:\Program Files\Blue Lance 2-0\LTA_AzureLogCollector\logs