diff --git a/dev-infrastructure/configurations/region.tmpl.bicepparam b/dev-infrastructure/configurations/region.tmpl.bicepparam
index 71e797f47..e15ef944b 100644
--- a/dev-infrastructure/configurations/region.tmpl.bicepparam
+++ b/dev-infrastructure/configurations/region.tmpl.bicepparam
@@ -21,3 +21,6 @@ param maestroCertificateIssuer = '{{ .maestro.certIssuer }}'
 
 // MI for resource access during pipeline runs
 param aroDevopsMsiId = '{{ .aroDevopsMsiId }}'
+
+// Log Analytics Workspace ID will be passed from region pipeline if enabled in config
+param logAnalyticsWorkspaceId = '__logAnalyticsWorkspaceId__'
diff --git a/dev-infrastructure/modules/maestro/maestro-infra.bicep b/dev-infrastructure/modules/maestro/maestro-infra.bicep
index 913c97bdb..b84520c26 100644
--- a/dev-infrastructure/modules/maestro/maestro-infra.bicep
+++ b/dev-infrastructure/modules/maestro/maestro-infra.bicep
@@ -24,6 +24,9 @@ param maxClientSessionsPerAuthName int
 ])
 param publicNetworkAccess string
 
+@description('Log Analytics Workspace ID if logging to Log Analytics')
+param logAnalyticsWorkspaceId string = ''
+
 param certificateIssuer string
 
 //
@@ -53,6 +56,44 @@ resource eventGridNamespace 'Microsoft.EventGrid/namespaces@2024-12-15-preview'
   }
 }
 
+resource eventGridNamespaceDiagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (logAnalyticsWorkspaceId != '') {
+  scope: eventGridNamespace
+  name: eventGridNamespaceName
+  properties: {
+    logs: [
+      {
+        category: 'SuccessfulMqttConnections'
+        enabled: true
+      }
+      {
+        category: 'FailedMqttConnections'
+        enabled: true
+      }
+      {
+        category: 'MqttDisconnections'
+        enabled: true
+      }
+      {
+        category: 'FailedMqttPublishedMessages'
+        enabled: true
+      }
+      {
+        category: 'FailedMqttSubscriptionOperations'
+        enabled: true
+      }
+      {
+        category: 'SuccessfulHttpDataPlaneOperations'
+        enabled: true
+      }
+      {
+        category: 'FailedHttpDataPlaneOperations'
+        enabled: true
+      }
+    ]
+    workspaceId: logAnalyticsWorkspaceId
+  }
+}
+
 // find a better way to register the OneCert
 resource certificateSignerCA 'Microsoft.EventGrid/namespaces/caCertificates@2024-12-15-preview' = if (startsWith(
   certificateIssuer,
diff --git a/dev-infrastructure/region-pipeline.yaml b/dev-infrastructure/region-pipeline.yaml
index b89c72d71..5063419ef 100644
--- a/dev-infrastructure/region-pipeline.yaml
+++ b/dev-infrastructure/region-pipeline.yaml
@@ -45,6 +45,10 @@ resourceGroups:
         input:
           step: global-output
           name: svcParentZoneResourceId
+      - name: logAnalyticsWorkspaceId
+        input:
+          step: global-output
+          name: logAnalyticsWorkspaceId
     dependsOn:
     - global-output
   - name: metrics-infra
diff --git a/dev-infrastructure/templates/region.bicep b/dev-infrastructure/templates/region.bicep
index 723d266f4..af9cb3b18 100644
--- a/dev-infrastructure/templates/region.bicep
+++ b/dev-infrastructure/templates/region.bicep
@@ -42,6 +42,9 @@ param svcAcrResourceId string
 @description('MSI that will be used during pipeline runs')
 param aroDevopsMsiId string
 
+// Log Analytics Workspace ID will be passed from global pipeline if enabled in config
+param logAnalyticsWorkspaceId string = ''
+
 import * as res from '../modules/resource.bicep'
 
 // Tags the resource group
@@ -155,5 +158,6 @@ module maestroInfra '../modules/maestro/maestro-infra.bicep' = {
     maxClientSessionsPerAuthName: maestroEventGridMaxClientSessionsPerAuthName
     publicNetworkAccess: maestroEventGridPrivate ? 'Disabled' : 'Enabled'
     certificateIssuer: maestroCertificateIssuer
+    logAnalyticsWorkspaceId: logAnalyticsWorkspaceId
   }
 }