Forum Discussion
Separating Logs for RBAC
To separate into different tables you will need to use Logstash as outlined here. That said, you can use resource RBAC as outlined here with a single table.
~ Ofer
Ofer_Shezaf thanks for this. I'd rather not deploy Logstash if I don't have to; the only reason for a separate table would be if I couldn't split the logs in any other way, but it looks like resource RBAC might work for us.
Based on what I've read from your link, I'd need a separate collector VM for each access boundary. For example, if both the firewall and web proxy logs will only be accessed by the Network team then I'll send them via the same Collector VM.
Is there a way to set the resource ID on an on-prem collector without using Azure Arc? I'd like to get up and running with this, and while Arc may be a long-term solution for us, if I can test without it that would be great.
Simon
- Ofer_Shezaf (Microsoft), Apr 20, 2020
SimonR: You got things right. There are no options I am aware of that are not listed in the blog post.
- SimonR (Brass Contributor), Apr 21, 2020
Ofer_Shezaf Thanks for this, I'm just sorting out Arc now. My plan currently is:
1) Install Arc on Collector1 and grant the NetOps group Log Analytics Reader access to the resource in Azure.
2) Push logs via syslog to Collector1
3) SecOps will be able to query logs via Sentinel along with everything else
4) NetOps will be able to query logs sent by Collector1 using Azure Monitor, but won't see anything else, for example if we created Collector2 for a different team.
With regard to access, would you grant the access directly on the resource, or do you think it's better to have a separate resource group for the team so they can add Workbooks they want to create?
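The plan above, expressed as an added Azure CLI script (not from this thread or from Microsoft): it builds the Arc machine's resource ID, scopes the Log Analytics Reader assignment to that resource rather than the workspace, and emits a KQL check that SecOps can run at workspace scope to confirm the collector's rows are actually tagged with the Arc resource ID. It assumes Collector1 is already Arc-connected, that the NetOps group's object ID is known, and that the workspace access control mode is "Use resource or workspace permissions"; subscription, group and resource names are constructed placeholders.

```shell
#!/usr/bin/env sh
# Added example, not code from the thread. Assumptions: the collector already
# exists as a Microsoft.HybridCompute/machines resource (Arc-connected), the
# NetOps Azure AD group's object id is known, and the workspace allows
# resource-context access ("Use resource or workspace permissions").
# With DRY_RUN=1 (the default) the az commands are printed, not executed.

DRY_RUN="${DRY_RUN:-1}"

# ARM resource id of an Arc-enabled server: the scope for the role assignment.
arc_scope() {
  sub="$1"; rg="$2"; machine="$3"
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.HybridCompute/machines/%s' \
    "$sub" "$rg" "$machine"
}

# Grant Log Analytics Reader on the collector resource only (not the workspace),
# so the group gets resource-context access to rows tagged with that resource id.
grant_reader() {
  group_object_id="$1"; scope="$2"
  if [ "$DRY_RUN" = "1" ]; then
    echo "az role assignment create --assignee-object-id $group_object_id --assignee-principal-type Group --role \"Log Analytics Reader\" --scope $scope"
  else
    az role assignment create --assignee-object-id "$group_object_id" \
      --assignee-principal-type Group --role "Log Analytics Reader" --scope "$scope"
  fi
}

# KQL for SecOps to run at workspace scope: rows with an empty _ResourceId are
# invisible to resource-context readers, which usually means the agent on the
# collector is not Arc-connected.
verify_query() {
  scope="$1"
  printf 'Syslog\n| where TimeGenerated > ago(1h)\n| summarize Rows=count() by _ResourceId, Computer\n| extend Tagged = (_ResourceId =~ "%s")\n' "$scope"
}

# Constructed placeholder values (not from the thread).
SCOPE=$(arc_scope "00000000-0000-0000-0000-000000000000" "rg-netops-collectors" "Collector1")
grant_reader "11111111-1111-1111-1111-111111111111" "$SCOPE"
verify_query "$SCOPE"
```

Run with DRY_RUN=0 once the printed command looks right; a second collector for another team is the same two calls with its own scope.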
- Ofer_Shezaf (Microsoft), Apr 21, 2020
While not immediately of importance, creating a resource group adds a lot of flexibility, for example if you needed a second collector VM.
~ Ofer