Forum Discussion
AndrewX (Iron Contributor), May 23, 2022
Custom Log schema design
I am retrieving sign in and activity audit data from 3 source systems with 3 different scripts, one for each system, and preparing to send them to a custom log in Azure Monitor/Log Analytics/Sentinel.
I know that once in Azure Monitor I will be writing queries and having to join or union the 3 datasets, so my questions are:
- Should I try to normalise the fields, and add all three logs into a single Azure Monitor log table?
- Should I keep them in 3 separate tables and use "join" commands to bring them together?
I remember in Filebeat, it would hold many different log sources in the one index (table), and so I am wondering if I should do the same here in Azure?
GaryBushey (Bronze Contributor)
One other option is to mimic what MS does with the Advanced Security Information Model (ASIM): https://docs.microsoft.com/en-us/azure/sentinel/normalization
Ingest the data as is and write a KQL function that does the normalization, which you then use in your queries. Saves everyone having to memorize the different layouts of data.
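One way to implement what the reply above suggests, as an added example that is not part of this thread and is not one of Microsoft's own ASIM parsers: a KQL function that reads three hypothetical custom tables (SystemA_CL, SystemB_CL, SystemC_CL, ingested as-is) and maps each onto one shared set of column names borrowed from the ASIM Authentication schema (EventResult, TargetUsername, SrcIpAddr, EventOriginalUid). Every per-system column name below is invented for illustration.

```kusto
// Added example (not from the thread): an ASIM-style normalization function.
// Assumptions: three custom tables SystemA_CL, SystemB_CL and SystemC_CL were
// ingested as-is, and the per-system column names below are invented.
let NormalizedSignin = () {
    // System A: flat columns with the Data Collector API's type suffixes
    let a = SystemA_CL
    | project
        TimeGenerated,
        SourceSystem = "SystemA",
        EventResult = iff(tolower(status_s) == "success", "Success", "Failure"),
        TargetUsername = tolower(user_s),
        SrcIpAddr = client_ip_s,
        EventOriginalUid = event_id_s;
    // System B: login and domain split across two columns, numeric result code
    let b = SystemB_CL
    | project
        TimeGenerated,
        SourceSystem = "SystemB",
        EventResult = case(result_code_d == 0, "Success",
                           result_code_d == 1, "Failure",
                           "Unknown"),
        TargetUsername = tolower(strcat(login_s, "@", domain_s)),
        SrcIpAddr = remote_addr_s,
        EventOriginalUid = tostring(seq_d);
    // System C: whole event shipped as a JSON document in a single column
    let c = SystemC_CL
    | extend d = parse_json(RawData)
    | project
        TimeGenerated,
        SourceSystem = "SystemC",
        EventResult = iff(tobool(d.success), "Success", "Failure"),
        TargetUsername = tolower(tostring(d.actor.email)),
        SrcIpAddr = tostring(d.network.ip),
        EventOriginalUid = tostring(d.id);
    union a, b, c
};
// Queries only ever see the shared column names. Example: accounts with many
// failed sign-ins per hour, counted across all three sources at once.
NormalizedSignin()
| where TimeGenerated > ago(1d)
| where EventResult == "Failure"
| summarize Failures = count(),
            Sources = make_set(SourceSystem),
            DistinctSrcIps = dcount(SrcIpAddr)
    by TargetUsername, bin(TimeGenerated, 1h)
| where Failures >= 10
| order by Failures desc
```

Saved as a Log Analytics function named NormalizedSignin, the `let` body can be dropped and queries simply call `NormalizedSignin()`. One check worth running after any edit to a branch is `NormalizedSignin() | getschema`: `union` does not fail when one branch emits a differently named or differently typed column, it quietly adds an extra column instead, so a typo in one branch shows up as null values in the shared field rather than as an error.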