Hey everyone, I'm in the midst of setting up a new cloud-based SIEM and need to configure an event hub for it. We're currently balancing the load between our existing SIEM and this new system because we need to segregate certain logging. I already have an Event Hub Namespace with one Event Hub that streams data to my current SIEM. I'm wondering what the best architectural practice is for getting logs to the new SIEM. Should I create a second Event Hub in the existing namespace or look into setting up a completely new Event Hub Namespace?
2 Answers
You don't need to stress too much about it. Capacity is managed at the namespace level. Unless you're hitting quota limits for your current event hub SKU, just add another Event Hub in the same namespace. It's generally simpler and keeps things organized. Check out the official documentation for more on that!
I tried adding another event hub but ran into some trouble with diagnostics logs. Seems like I'm unable to duplicate them if they’re already being sent to the first hub. Maybe reusing the existing hub for the new SIEM could be a solution, but I'm not sure what would happen with additional data.
Have you thought about using consumer groups for each SIEM? It might be a good way to manage the logs while still using your existing Event Hub. Depending on your logging segmentation needs, that could be a clean solution.
That’s actually a route I was considering! But, honestly, I’m realizing I don’t know Event Hubs as well as I should. Any extra insights you have about consumer groups would be super helpful!
Totally agree! We're under our namespace limits too, and adding another hub was straightforward for us. Just keep an eye on how management might get tricky depending on how you want to scale in the future.