SOLVED

Limit to one log analytics workspace?


I created a log analytics workspace and then configured all resources in the subscription to forward metrics/events to that workspace. I just noticed that someone created a new log analytics workspace and had some resources reporting to the workspace.
Should I look to prevent the creation of other log analytics workspaces to ensure that the log analytics workspace I created receives all metrics/events?
Being part of security I want to ensure I aggregate all metrics/events into one workspace as we are leveraging Sentinel as well. Is there ever a case for more than one log analytics workspace?
Thx

2 Replies
Best Response confirmed by Jeff Walzer (Contributor)
Solution

@Jeff Walzer

Some of the cases are discussed here. https://docs.microsoft.com/en-us/azure/azure-monitor/platform/design-logs-deployment

If your company strategy is to centralize, then you may need to audit or block other workspaces, or understand why data has to be separated; maybe it is low value data that Sentinel wouldn't be interested in, or be allowed to see? Someone seems to have the ability to create them outside of security; is that also an issue, or is training needed? However, there could be a legitimate business need for extra workspaces? The guidance is to have as few workspaces as possible: start at one 'central' workspace and only add by exception, with an agreed business need.

You'd often need a workspace for evaluation and testing; maybe that's what has been created? Also see https://techcommunity.microsoft.com/t5/azure-sentinel/best-practices-for-designing-an-azure-sentinel...

Thanks
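One concrete way to "audit or block other workspaces" as the reply suggests is an Azure Policy definition. This is an added example, not code from the thread; the display name, parameter names and the approved-workspace-ID parameter are my own assumptions, and it uses standard Azure Policy syntax with a switchable Audit/Deny effect.

```json
{
  "properties": {
    "displayName": "Log Analytics workspaces must be an approved central workspace",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Audits or denies Log Analytics workspaces whose resource ID is not in the approved list. Intended for subscription or management group scope.",
    "parameters": {
      "approvedWorkspaceIds": {
        "type": "Array",
        "metadata": {
          "displayName": "Approved workspace resource IDs",
          "description": "Full resource IDs of the central workspace(s), e.g. the one feeding Sentinel."
        }
      },
      "effect": {
        "type": "String",
        "allowedValues": ["Audit", "Deny"],
        "defaultValue": "Audit",
        "metadata": {
          "displayName": "Effect",
          "description": "Start with Audit to discover existing stray workspaces; switch to Deny once exceptions are agreed."
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.OperationalInsights/workspaces" },
          { "field": "id", "notIn": "[parameters('approvedWorkspaceIds')]" }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

In Audit mode existing non-approved workspaces show up as non-compliant in the compliance view, which answers "who created what" before anything is blocked; an agreed exception such as an evaluation/testing workspace can be added to the parameter or covered by a policy exemption.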


@Clive Watson - thx for the reply and information as it's greatly appreciated.

Jeff