Forum Discussion
"Azure Monitor for VMs" causing huge data volumes in Sentinel
- May 08, 2020
There isn't currently a way of filtering out what should not be processed by Sentinel. For this reason, you should probably consider using different workspaces for Azure Monitor for VMs and Sentinel.
If you are collecting other data from your VMs besides Performance metrics that you consider useful for Sentinel (e.g., Azure Security Center Standard security events, other system events, custom logs, etc.), then you will need to implement multi-homing (i.e., the same Log Analytics agent sending different data with different purposes to different workspaces). This is however not supported yet for Linux machines.
I recommend you read this nice article about Sentinel/ASC workspace design, as it might give some more insights: https://techcommunity.microsoft.com/t5/azure-sentinel/best-practices-for-designing-an-azure-sentinel-or-azure-security/ba-p/832574
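The multi-homing step the reply above describes, written out as an added example that is not part of the original thread. It uses the Log Analytics (MMA) agent's AgentConfigManager.MgmtSvcCfg COM interface on a Windows VM (the reply notes Linux does not support multi-homing) and takes the workspace IDs and keys as parameters; the names $MonitorWorkspaceId and $SentinelWorkspaceId are placeholders. The script only attaches the agent to both workspaces. Which data lands where is decided by each workspace's own agent data-source configuration, so Perf counters and the VM insights solution should be enabled only on the monitoring workspace, and Security Events only on the Sentinel one.

```powershell
# Added example, not from the thread: multi-home the MMA agent on a Windows VM.
# Run elevated on the VM itself. Workspace IDs/keys are supplied by the caller.
param(
    [Parameter(Mandatory)] [string] $MonitorWorkspaceId,    # keeps Perf / Azure Monitor for VMs data
    [Parameter(Mandatory)] [string] $MonitorWorkspaceKey,
    [Parameter(Mandatory)] [string] $SentinelWorkspaceId,   # workspace onboarded to Sentinel
    [Parameter(Mandatory)] [string] $SentinelWorkspaceKey
)

$ErrorActionPreference = 'Stop'

# The agent exposes its workspace list through this COM object (documented MMA interface).
$mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'

function Add-WorkspaceIfMissing {
    param([string] $Id, [string] $Key, [string] $Purpose)

    # GetCloudWorkspaces() returns the workspaces the agent already reports to;
    # skip the add so the script is safe to re-run.
    $existing = @($mma.GetCloudWorkspaces()) | Where-Object { $_.workspaceId -eq $Id }
    if ($existing) {
        Write-Host "Workspace $Id ($Purpose) already configured; skipping."
        return
    }
    $mma.AddCloudWorkspace($Id, $Key)
    Write-Host "Added workspace $Id ($Purpose)."
}

Add-WorkspaceIfMissing -Id $MonitorWorkspaceId  -Key $MonitorWorkspaceKey  -Purpose 'Azure Monitor for VMs'
Add-WorkspaceIfMissing -Id $SentinelWorkspaceId -Key $SentinelWorkspaceKey -Purpose 'Sentinel'

# Apply the new configuration without restarting the VM.
$mma.ReloadConfiguration()

# Confirm the agent now lists both workspaces (the Windows MMA supports up to four).
$mma.GetCloudWorkspaces() | Format-List
```

After the agent reconnects, check the Heartbeat table in each workspace for the VM; if the Sentinel workspace starts receiving Perf or InsightsMetrics rows, the perf data sources or the VM insights solution are still enabled on that workspace, not on the agent.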
hspinto Multihoming really seems to solve my problem!
I have environments with 50+ VMs, and since I no longer seem to be able to throttle the sample interval of performance analytics after moving to Azure Monitor for VMs, they each generate ~100MB of perf data per day; so that's 150 gigs of data that I really don't want ingested into Sentinel at an additional $2.30/GB/month ($345).
Thank you very much for taking the time to reply. I've skimmed the article and will read it more carefully, it seems to cover a lot of the stuff I need.
My two insights:
- Log Analytics and Sentinel could really use some basic filtering options.
- Azure Monitor for VMs should have a way to lower the sample interval, like the "old" perfmon ingestion into Log Analytics does. I definitely do not need 1 min sample interval for all my VMs.
Have a great weekend!
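A way to check the per-VM volumes quoted in this thread rather than estimate them, as an added example that is not part of the original posts. It assumes the Az.OperationalInsights module and an authenticated Az session (Connect-AzAccount), and queries each workspace for the billable size of the Perf table (classic perf counters) and the InsightsMetrics table (what Azure Monitor for VMs writes) per computer. The $2.30/GB figure is the Sentinel charge quoted above and is only a default parameter here; the workspace IDs are placeholders.

```powershell
# Added example, not from the thread: measure billable perf ingestion per computer
# and per workspace, then project the monthly Sentinel cost of that volume.
param(
    [Parameter(Mandatory)] [string[]] $WorkspaceIds,   # e.g. monitoring and Sentinel workspace IDs
    [int] $Days = 7,
    [double] $PricePerGb = 2.30                         # per-GB charge quoted in the thread
)

$ErrorActionPreference = 'Stop'

# _BilledSize is the billable size of each row in bytes. `Type` is used instead of
# `$table` because a PowerShell here-string would interpolate the latter.
$query = @"
union Perf, InsightsMetrics
| where TimeGenerated > ago(${Days}d)
| summarize BilledMB = round(sum(_BilledSize) / 1048576.0, 1) by Computer, Table = Type
| order by BilledMB desc
"@

foreach ($ws in $WorkspaceIds) {
    $results = (Invoke-AzOperationalInsightsQuery -WorkspaceId $ws -Query $query).Results

    # Result values come back as strings; convert explicitly before summing.
    $totalMb = 0.0
    foreach ($row in $results) { $totalMb += [double]$row.BilledMB }

    $gbPerDay   = $totalMb / 1024 / $Days
    $gbPerMonth = $gbPerDay * 30
    $costMonth  = $gbPerMonth * $PricePerGb

    Write-Host ("Workspace {0}: {1:N1} MB over {2} days" -f $ws, $totalMb, $Days)
    Write-Host ("  ~{0:N2} GB/day, ~{1:N0} GB/month, ~{2:N0} USD/month at {3} USD/GB" -f `
        $gbPerDay, $gbPerMonth, $costMonth, $PricePerGb)

    # Top talkers: the VMs whose perf data you most want kept out of the Sentinel workspace.
    $results |
        Sort-Object { [double]$_.BilledMB } -Descending |
        Select-Object -First 10 Computer, Table, BilledMB |
        Format-Table -AutoSize
}
```

Run it against both workspaces before and after the split: the monitoring workspace should carry all of the Perf/InsightsMetrics volume and the Sentinel workspace none of it, and the projected monthly figure is what the separation saves at the quoted rate.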