I'm facing a situation where our security team insists on using their own Log Analytics Workspace (LAW), but we want to stick to a centralized LAW since many services like AKS and SQL don't support having multiple LAW setups. How are others managing this dilemma? Is it really best practice to have a central LAW and handle Role-Based Access Control (RBAC) as needed?
8 Answers
If your Security Operations Center (SOC) isn’t actively monitoring the data, consider sending it to a less expensive storage solution like Azure Data Explorer (ADX). For example, performance logs might not need to be in a LAW if they aren't being used regularly.
You should definitely consider using policies for these setups. Managing configurations manually for every team could become a nightmare.
Instead of sending logs directly to your central LAW, you could route them through Event Hubs. This way, you can use different consumer groups to feed multiple LA workspaces. It seems there's some preview functionality to support this, too! Check out the Microsoft documentation for more details on how to set it up.
We had to turn off Sentinel in our central LAW due to costs, and now we miss some essential connectors for tools like Office and conditional access logs that were useful for our dashboards. It really feels like a loss just because of billing issues from Microsoft.
I'm kind of puzzled about why Sentinel needs its own LAW when the same logs are already being collected elsewhere. Seems redundant?
Azure Defender can also set up its own LAW if needed, which might help with the separation of concerns.
What's your data ingestion rate? If it’s not high enough to qualify for discounts by merging workflows, then the decision comes down to organizational preference. Also, be cautious—make sure whoever owns those logs is on the hook for the costs to avoid huge bill surprises later on!
We keep a centralized LAW for security data and use policies to dictate what's valuable enough to send to Sentinel. We also route to Event Hubs where it makes sense, which gives developers the flexibility they need without compromising on security data collection.
True, but many services like AKS and SQL can be a pain since they don’t support that setup.
Exactly—I've seen too many setups where no one manages the costs, and then it spirals out of control with unused logs stacking them up. It's crucial to assign responsibility.