Sending logs to multiple Azure Log Analytics workspaces
1.6k Views, Asked by kay

I have a scenario at my work where I need to send logs from multiple resources on Azure to a single Log Analytics workspace for compliance purposes and then ingest the same logs into an Azure Sentinel workspace for SIEM services. I, however, cannot enable Azure Sentinel on the first workspace. Any leads or solutions, please?
Firstly, I think your best option is to put everything into one Log Analytics workspace with the longer retention period, but let's say that is not at all possible.
I can see 2 options here. The easiest is probably to set up 2 diagnostic settings on each resource which point to the separate Log Analytics workspaces.
A much harder option would be to use continuous export into Azure Storage (which could be all you need to do) or Event Hub and then process this back into Log Analytics with an Azure Function.
Last comment would be that you're going to be paying for the data ingest twice no matter what is done here, which will at least double your costs for the lower retention time.
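The first option from the answer above, written out as an added Bicep example (not code from the question or answer): one deployment that attaches two diagnostic settings to a single resource, one pointing at the compliance workspace and one at the Sentinel workspace. A Key Vault is used as the example resource, and the parameter names, setting names and API versions are assumptions for illustration.

```bicep
// Added example: forward the same logs from one resource to two Log Analytics
// workspaces by creating two diagnostic settings on that resource.
// All parameter values are assumed inputs supplied at deployment time.
targetScope = 'resourceGroup'

@description('Name of the existing Key Vault whose logs are forwarded (assumed input)')
param keyVaultName string

@description('Resource ID of the long-retention compliance workspace (assumed input)')
param complianceWorkspaceId string

@description('Resource ID of the workspace where Sentinel is enabled (assumed input)')
param sentinelWorkspaceId string

// Reference the resource that already exists; no changes are made to it.
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: keyVaultName
}

// One entry per destination workspace; each becomes its own diagnostic setting.
var destinations = [
  {
    name: 'to-compliance-workspace'
    workspaceId: complianceWorkspaceId
  }
  {
    name: 'to-sentinel-workspace'
    workspaceId: sentinelWorkspaceId
  }
]

// Diagnostic settings are extension resources scoped to the Key Vault.
// 'allLogs' forwards every log category the resource exposes, so the
// compliance copy and the SIEM copy contain identical data.
resource diag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for d in destinations: {
  name: d.name
  scope: kv
  properties: {
    workspaceId: d.workspaceId
    logs: [
      {
        categoryGroup: 'allLogs'
        enabled: true
      }
    ]
    metrics: [
      {
        category: 'AllMetrics'
        enabled: true
      }
    ]
  }
}]
```

Deploy it once per resource (or wrap it in a module and loop over resource names); as the answer notes, every category listed here is billed for ingestion in both workspaces.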