Forum Discussion
Separating Logs for RBAC
SimonR : You got things right. No options I am aware of not listed in the blog post.
Ofer_Shezaf Thanks for this, I'm just sorting out Arc now. My plan currently is:
1) Install Arc on Collector1 and grant the NetOps group Log Analytics Reader access to the resource in Azure.
2) Push logs via syslog to Collector1
3) SecOps will be able to query logs via Sentinel along with everything else
4) NetOps will be able to query logs sent by Collector1 using Azure Monitor, but won't see anything else. For example if we created Collector2 for a different team.
With regards to the access, would you grant it directly on the resource, or do you think it's better to have a separate resource group for the team so they can add the Workbooks they want to create?
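The plan above scopes the team's read access to the collector resource. As an added example (not code from the thread), this Azure CLI script puts the grants at a per-team resource group and then lists the effective assignments at that scope, which is the check you want before concluding a team "won't see anything else"; subscription id, group object id and resource group name are placeholders, and `AZ=echo` prints the commands instead of running them.

```shell
# Added example: scope "Log Analytics Reader" and "Workbook Contributor" to the
# resource group that holds the Arc-enabled collector, then verify what the
# team principal is actually granted there (including inherited assignments).
# Assumptions: placeholder subscription/group ids; set AZ=echo for a dry run.
set -eu

AZ="${AZ:-az}"                                   # command to run (AZ=echo = dry run)
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
RG="${RG:-rg-netops-collector}"                  # assumed per-team resource group
LOCATION="${LOCATION:-westeurope}"
NETOPS_GROUP_OBJECT_ID="${NETOPS_GROUP_OBJECT_ID:-11111111-1111-1111-1111-111111111111}"  # placeholder AAD group

# Resource-group scope: the Arc machine resource and any saved workbooks inside
# the group inherit assignments made here; resources outside it do not.
rg_scope() {
    printf '/subscriptions/%s/resourceGroups/%s' "$SUBSCRIPTION_ID" "$RG"
}

# Grant the two roles named in the thread to the team's security group only.
# Pinning --assignee-principal-type avoids a lookup that can silently resolve
# to the wrong object type when a user and a group share a display name.
grant_team_access() {
    scope="$(rg_scope)"
    "$AZ" group create --name "$RG" --location "$LOCATION" --output none
    for role in "Log Analytics Reader" "Workbook Contributor"; do
        "$AZ" role assignment create \
            --assignee-object-id "$NETOPS_GROUP_OBJECT_ID" \
            --assignee-principal-type Group \
            --role "$role" \
            --scope "$scope" \
            --output none
    done
}

# Check: list everything effective at the RG scope, inherited grants included,
# so an accidental subscription-level Reader assignment shows up here as well.
show_effective_assignments() {
    "$AZ" role assignment list --scope "$(rg_scope)" --include-inherited \
        --query '[].{principal:principalName, role:roleDefinitionName, scope:scope}' \
        --output table
}

# Usage: sh scope_team_access.sh apply   (nothing runs without the argument)
if [ "${1:-}" = "apply" ]; then
    grant_team_access
    show_effective_assignments
fi
```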
- Ofer_Shezaf (Microsoft), Apr 21, 2020
While not immediately of importance, creating a resource group adds a lot of flexibility. For example, if you needed a second connector VM.
~ Ofer
- SimonR (Brass Contributor), Apr 24, 2020
Ofer_Shezaf, thanks for this. I've decided we should definitely use Resource Groups; otherwise I think we are going to end up with a mess to sort out later.
I've created a resource group for this and added the Collector VM to it and granted my test user Log Analytics Reader and Workbook Contributor to the groups.
Now I have what I hope is a really simple issue to resolve. If I use my test user and go to Azure Arc, I can see and search logs for that device. However, if I go to Monitor with the same account, it prompts me to select a scope, but I can't see anything under the subscription. (I would have thought I would see the resource group and the collector VM under that.) Am I just missing a permission somewhere, or have I misunderstood how this will all work?
Thanks in advance.
- SoniaCuff (Microsoft), Apr 27, 2020
SimonR, do you also have the standard Log Analytics agent installed on the on-prem VM, or just Azure Arc for servers?
"This agent does not deliver any other functionality, and it doesn't replace the Azure Log Analytics agent. The Log Analytics agent for Windows and Linux is required when you want to proactively monitor the OS and workloads running on the machine, manage it using Automation runbooks or solutions like Update Management, or use other Azure services like Azure Security Center."
https://docs.microsoft.com/en-us/azure/azure-arc/servers/overview#supported-scenarios