Scenario:
Many organizations need to route audit logs from Azure SQL Database to more than one Log Analytics workspace. For example, your security team may use Microsoft Sentinel in one workspace, while your application team analyzes logs in another. Azure now makes this possible—here’s how to set it up, and what to watch out for.
Why Send Audit Logs to Multiple Workspaces?
- Separation of Duties: Security and application teams can access the logs they need, independently.
- Integration with Different Tools: Sentinel may use one workspace for SIEM, while app teams use another for analytics.
- Compliance and Regional Needs: Some organizations must store logs in different regions or workspaces for regulatory reasons.
Step-by-Step Guide
- Enable Auditing to a Log Analytics Workspace
  - Go to your Azure SQL server in the Azure portal.
  - Under Security, select Auditing.
  - Set the audit destination to your primary Log Analytics workspace, then click Save.
  Tip: Enabling auditing here automatically creates a diagnostic setting for the selected workspace.
- Add Diagnostic Settings for Additional Workspaces
  - In the Azure portal, search for Diagnostic settings.
  - Select your subscription and the SQL server's master database: server-level audit events are exposed on master, so the additional diagnostic settings are created there.
  - Click + Add diagnostic setting.
  - Name your setting (e.g., "AuditToAppWorkspace").
  - Under Logs, select the audit category SQLSecurityAuditEvents (uncheck DevOpsAudit if you do not need it).
  - Choose an additional Log Analytics workspace as the destination.
  - Click Save.
Note: You can repeat this step to send audit logs to as many workspaces as needed.
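The same two steps expressed as a Bicep template, so the configuration can be reviewed and redeployed instead of being clicked through per workspace. This is an added example, not from the original post or from Microsoft's documentation; it assumes a resource-group-scope deployment, an existing SQL logical server, and the workspace resource IDs in angle brackets are placeholders you replace with your own.

```bicep
// Added example, not from the original post. Values in angle brackets are placeholders.
param serverName string
param auditWorkspaces array = [
  {
    settingName: 'AuditToSentinelWorkspace'
    workspaceId: '/subscriptions/<SUB_ID>/resourceGroups/<RG>/providers/Microsoft.OperationalInsights/workspaces/<WORKSPACE_A>'
  }
  {
    settingName: 'AuditToAppWorkspace'
    workspaceId: '/subscriptions/<SUB_ID>/resourceGroups/<RG>/providers/Microsoft.OperationalInsights/workspaces/<WORKSPACE_B>'
  }
]
resource server 'Microsoft.Sql/servers@2021-11-01' existing = {
  name: serverName
}

// Step 1: enable server-level auditing with Azure Monitor (Log Analytics) as a target.
resource auditing 'Microsoft.Sql/servers/auditingSettings@2021-11-01' = {
  parent: server
  name: 'default'
  properties: {
    state: 'Enabled'
    isAzureMonitorTargetEnabled: true
  }
}
// Server-level audit events are exposed on the logical 'master' database.
resource masterDb 'Microsoft.Sql/servers/databases@2021-11-01' existing = {
  parent: server
  name: 'master'
}

// Step 2: one diagnostic setting per workspace, forwarding only the audit category
// (DevOpsAudit is intentionally not listed, matching the unchecked box above).
resource auditDiag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [for ws in auditWorkspaces: {
  name: ws.settingName
  scope: masterDb
  properties: {
    workspaceId: ws.workspaceId
    logs: [
      {
        category: 'SQLSecurityAuditEvents'
        enabled: true
      }
    ]
  }
  dependsOn: [
    auditing
  ]
}]
```

Deploy with `az deployment group create --resource-group <RG> --template-file audit.bicep --parameters serverName=<SERVER>`, then confirm both settings with `az monitor diagnostic-settings list --resource <master database resource ID>`.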
Example Use Case
A customer uses:
- Workspace A for Microsoft Sentinel (security monitoring)
- Workspace B for application analytics
By configuring multiple diagnostic settings, both teams receive the audit data they need—no manual exports required.
Summary
Configuring multiple diagnostic settings allows you to send Azure SQL Database audit logs to several Log Analytics workspaces. This is essential for organizations with different teams or compliance needs. Remember:
- Enable auditing first
- Add diagnostic settings for each workspace
- Monitor for cost and avoid duplicate logs
References:
- https://learn.microsoft.com/en-us/azure/azure-sql/database/auditing
- https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings