Forum Discussion
dmarquesgn (Iron Contributor), Aug 23, 2023
Log server to forward logs to Sentinel
Hi,
I'm starting our journey with Microsoft Sentinel and so far I really like it, so I would like to extend its usage internally and maybe even reach the point where we would leave our current SIEM and replace it entirely with Sentinel.
But I've got a problem: log ingestion is very expensive compared to our current SIEM solution, so I know I won't have the budget to ingest everything I would like to. Also, in some cases I don't even have an idea of the log volume of some sources, as we never ingested them anywhere.
So what I'm thinking is to build an internal log server (open source or a low-cost solution) to ingest and parse some logs, understand their value, and then, if it's worth it, ingest them into Sentinel.
Does anyone have such a scenario and can recommend a solution for a log server in front of Sentinel?
Thanks
- samikroy (Brass Contributor): Microsoft offers a 31-day free trial for Microsoft Sentinel
https://azure.microsoft.com/en-ca/pricing/details/microsoft-sentinel/#:~:text=per%20SID%20hour-,Free%20trial,-Try%20Microsoft%20Sentinel
and also offers a training lab
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/learning-with-the-microsoft-sentinel-training-lab/ba-p/2953403
This is a good place to start at no extra charge once you have a subscription.
- Clive_Watson (Bronze Contributor): For testing I'd probably use ADX https://learn.microsoft.com/en-us/azure/sentinel/migration-ingestion-tool#azure-data-explorer (so I can use KQL). But I'd often have (and prefer) a test Sentinel workspace to try the ingestion, but stop the ingestion after a short amount of time to limit the cost and allow the use of https://learn.microsoft.com/en-us/azure/sentinel/data-transformation.
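Two practical questions sit underneath the thread: how much a source that has never been collected will actually cost per day in Sentinel, and how much an ingestion-time filter (the kind of drop rule a Sentinel data-transformation would apply) saves. The script below is an added example, not code posted by anyone in the thread or shipped by Microsoft. It assumes a local log server has spooled RFC 3164-style syslog lines (`<PRI>Mon DD HH:MM:SS host program: message`) to a file; the seven sample lines and the ten-minute window are constructed for the demo. It sizes the sample per host, projects it to the GB/day unit Sentinel bills on, and shows the before/after effect of dropping debug-severity events.

```python
"""Size syslog sources per host and project daily ingestion volume, with and
without a debug-severity drop filter. Added example; sample data is constructed."""
import re
from collections import defaultdict

# Constructed sample (not real data): ten minutes of RFC 3164-style syslog
# from three hosts, as a local log server might have spooled it.
SAMPLE_MINUTES = 10
SAMPLE = """\
<4>Aug 23 10:00:01 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=445
<30>Aug 23 10:00:02 web01 nginx: 10.0.0.9 "GET /index.html HTTP/1.1" 200
<38>Aug 23 10:00:03 web01 sshd[1122]: Accepted publickey for alice from 10.0.0.9 port 51234 ssh2
<31>Aug 23 10:00:04 web01 nginx: upstream keepalive connection reused
<85>Aug 23 10:00:05 db01 sudo: bob : TTY=pts/0 ; COMMAND=/bin/ls
<135>Aug 23 10:00:06 db01 postgres[2001]: checkpoint starting: time
<134>Aug 23 10:00:07 db01 postgres[2001]: checkpoint complete
"""

# <PRI> is facility*8 + severity; timestamp has a padded day-of-month.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
DEBUG = 7  # syslog severity 7


def parse_line(line):
    """Return a dict for one syslog line, or None if it does not match."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    pri = int(m.group("pri"))
    return {
        "host": m.group("host"),
        "facility": pri >> 3,
        "severity": pri & 7,
        "msg": m.group("msg"),
        # Raw wire size plus newline. Sentinel bills on the size of the
        # stored record, which grows once the line is parsed into columns,
        # so treat this figure as a lower bound on what you will pay for.
        "bytes": len(line.encode("utf-8")) + 1,
    }


def volume_by_host(text, keep=lambda ev: True):
    """Sum bytes per host over all parseable lines that `keep` accepts."""
    totals = defaultdict(int)
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is not None and keep(ev):
            totals[ev["host"]] += ev["bytes"]
    return dict(totals)


def project_gb_per_day(sample_bytes, sample_minutes):
    """Scale a byte count measured over `sample_minutes` to GB per day."""
    return sample_bytes * (24 * 60 / sample_minutes) / 1e9


def drop_debug(ev):
    """Keep everything below debug severity: the kind of rule you would later
    express as an ingestion-time transformation rather than pay to store."""
    return ev["severity"] < DEBUG


def report(text=SAMPLE, sample_minutes=SAMPLE_MINUTES):
    """Per host: (projected GB/day raw, projected GB/day after drop_debug)."""
    before = volume_by_host(text)
    after = volume_by_host(text, keep=drop_debug)
    return {
        host: (project_gb_per_day(before[host], sample_minutes),
               project_gb_per_day(after.get(host, 0), sample_minutes))
        for host in before
    }


if __name__ == "__main__":
    for host, (raw, filtered) in report().items():
        print(f"{host:6s} {raw * 1000:8.3f} MB/day raw  "
              f"{filtered * 1000:8.3f} MB/day after dropping debug")
```

Run it against a day or a week of spooled syslog rather than ten minutes before trusting the projection; short samples miss batch jobs and overnight noise, and the raw-byte figure understates the billed size once Sentinel expands each line into columns.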
- dmarquesgn (Iron Contributor): Thanks, I'll take a look into it.