Forum Discussion

Magnus Tjerneld's avatar
Magnus Tjerneld
Copper Contributor
May 04, 2020

Limit what data in Log Analytics to be passed on to Sentinel?

We have been using Sentinel in conjunction with Azure Log Analytics for quite some time to ingest selected security logs (AD, DNS, Windows Security etc.) from VM-agents in our server environment. Las...
Magnus Tjerneld's avatar
Magnus Tjerneld
Copper Contributor
May 05, 2020

GaryBushey Yes; only the manual counters that I had set up before I enabled "Azure monitor for VMs" are visible there. AMFVM seems to set up it's own data collection that you don't seem to be able to edit.

  • Magnus Tjerneld's avatar
    Magnus Tjerneld
    Copper Contributor
    May 05, 2020

    Thanks CliveWatson. I read this before and have now read it again; and I realize that I can delete my old perfmon counters. However, I do not find any information regarding:

    - Can I limit the "resolution" of data performance data sent to Log Analytics after upgrading to Azure Monitor for VMs? In the old solution, I could set intervals in seconds.

    - Can I choose not to collect data for a specific namespace? For us, Disk-metrics make up 90% of logs ingested and causes a lot of extra costs in Sentinel. If possible, I'd opt out.

     

    And my wish would be to be able to exclude all performance counters from ingestion into Sentinel. This only results in added cost and no added value. 

    • williamboyd's avatar
      williamboyd
      Copper Contributor
      Sep 24, 2020

      Magnus Tjerneld Were you able to find a solution to this? Filtering out which data that is ingested by sentinel?

      • Magnus Tjerneld's avatar
        Magnus Tjerneld
        Copper Contributor
        Sep 24, 2020
        williamboyd We resorted to using separate workspaces for VM/Performance logs (not piped to Sentinel) and Security/Signin-logs (piped to Sentinel).

Resources