I'm curious about the best practice for setting up Log Analytics workspaces. Is it better to go with one centralized workspace for all logs, or should I create multiple individual workspaces? Specifically, should device logs be stored in the same workspace as user logs?
1 Answer
From what I’ve read in Microsoft’s documentation, starting with a single workspace is often recommended. It simplifies management, especially for data retention and ownership. Personally, I’m using one workspace for all my Azure diagnostic logs and Entra logs, and it’s manageable for my needs—retention is handled on a table basis, which works for me.
Absolutely! Here's a great resource you might find helpful: [Design a Log Analytics workspace architecture - Azure Monitor | Microsoft Learn](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/workspace-design)!