Forum Discussion
FahadAhmed
Jul 12, 2022, Brass Contributor
Send Filtered Firewall logs directly to Azure Data Explorer rather than Sentinel?
Hi there, We have a requirement where a customer has Palo Alto firewall which is integrated to Sentinel. The maximum ingestion is coming from "drop" and "end" events/logs. The client want to send th...
FahadAhmed
Jul 13, 2022, Brass Contributor
Hi Clive, I looked at the "Add ingestion-time transformation to Azure Monitor Logs using the Azure portal (preview)" solution. It allows dropping the irrelevant logs prior to ingestion. However, in my scenario we don't want to remove the logs; rather, we want to ingest partial logs and have the remaining ones redirected directly to Azure Data Explorer for long-term storage. Any idea how we can achieve this?
Clive_Watson
Jul 13, 2022, Bronze Contributor
As far as I know, you'd have to drop the unnecessary column using a transformation into Log Analytics. Then you'd have to drop the others before taking the other stream into ADX. You can't send column A to Log Analytics and column B to ADX.
Are Basic logs an alternative (if you are happy with the restrictions)? https://docs.microsoft.com/en-us/azure/sentinel/basic-logs-use-cases
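To make the "drop it before it reaches the workspace" option concrete, here is an added example (not from either poster) of a workspace transformation DCR fragment for the CommonSecurityLog table that filters out Palo Alto "drop" and "end" traffic events at ingestion time. It assumes the Palo Alto CEF subtype lands in DeviceEventClassID and the type in Activity (check against a sample row in your own workspace); the workspace resource ID is a placeholder. As the reply above notes, this only discards those rows; getting them into ADX still requires a separate export path.

```json
{
  "location": "eastus",
  "kind": "WorkspaceTransforms",
  "properties": {
    "destinations": {
      "logAnalytics": [
        {
          "workspaceResourceId": "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RG>/providers/Microsoft.OperationalInsights/workspaces/<WORKSPACE>",
          "name": "sentinelWorkspace"
        }
      ]
    },
    "dataFlows": [
      {
        "streams": [ "Microsoft-Table-CommonSecurityLog" ],
        "destinations": [ "sentinelWorkspace" ],
        "transformKql": "source | where not(DeviceVendor == 'Palo Alto Networks' and Activity == 'TRAFFIC' and DeviceEventClassID in ('drop', 'end'))"
      }
    ]
  }
}
```

Before applying it, run the same `where` clause as a normal query against recent CommonSecurityLog data to confirm it matches only the rows you intend to lose, since a transformation error drops nothing but a wrong filter silently discards data.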