Forum Discussion
MDE logs backup suggestions
Hey abon13,
I think what you need to consider, is how you would you like to access the logs after 30 days.
- You can indeed incorporate a Sentinel instance as mentioned by jbmartin6 and there you can take advantage of the free 90 days retention and add an archiving plan for as long as you want. This is probably the easiest way to deploy and the most flexible in terms of what you would like in hot and archived storage. It has the highest cost between all solutions.
- You can leverage Azure Event Hub to stream your data to ADX. While this would require some extra effort to deploy, is of medium cost and is very easy to access your data and perform queries. There is a detailed guide here.
- You can also stream your data to a storage account but while this is a simple to setup solution and very cheap, it is highly complex query the data stored. You can review the guide here.
I hope the following information helps as well (as per my experience):
Sentinel/Log Analytics Workspace
Cost: High
Setup: Very easy
Data access: Easy (only because of the Searches in case you choose accessing archived data)
Event Hub to ADX
Cost: Medium
Setup: Medium
Data access: Very easy
Event Hub to Storage Account
Cost: Low
Setup: Easy
Data access: Very hard
If I have answered your question, please mark your post as Solved
If you like my response, please consider giving it a like
Hey abon13,
I think what you need to consider, is how you would you like to access the logs after 30 days.
- You can indeed incorporate a Sentinel instance as mentioned by jbmartin6 and there you can take advantage of the free 90 days retention and add an archiving plan for as long as you want. This is probably the easiest way to deploy and the most flexible in terms of what you would like in hot and archived storage. It has the highest cost between all solutions.
- You can leverage Azure Event Hub to stream your data to ADX. While this would require some extra effort to deploy, is of medium cost and is very easy to access your data and perform queries. There is a detailed guide here.
- You can also stream your data to a storage account but while this is a simple to setup solution and very cheap, it is highly complex query the data stored. You can review the guide here.
I hope the following information helps as well (as per my experience):
Sentinel/Log Analytics Workspace
Cost: High
Setup: Very easy
Data access: Easy (only because of the Searches in case you choose accessing archived data)
Event Hub to ADX
Cost: Medium
Setup: Medium
Data access: Very easy
Event Hub to Storage Account
Cost: Low
Setup: Easy
Data access: Very hard
If I have answered your question, please mark your post as Solved
If you like my response, please consider giving it a like
Hi abon13,
well, it seems that there is a functionality to ingest logs from Event Hub directly to Log Analytics Workspace:
This is a very interesting development, although it is still in preview and I am not so sure about the parsing of logs through Event Hub to LAW.
If this is your goal, you could give this a try! 😉
If I have answered your question, please mark your post as Solved
If you like my response, please consider giving it a like
- This question is interesting since it doesn't make sense. 🙂 Sentinel sits on top of a Log Analytics space (Sentinel analyzes the logs as they come in, then stores them in Log Analytics), so ingesting logs from an instance of Log Analytics into Sentinel just means moving them from one LAW into another. Not useful though, if you have logs you have stored in Log Analytics you can query them directly via the LA interface or API. In fact, I expect you could forward logs into Sentinel's LAW directly if you wanted, you just would not get any analysis by Sentinel. But you could query them from there.
