SOLVED

Log Analytics Workspace with Multiple subscription


Hi Everyone,

 

Good day! I have a couple of doubts about Log Analytics. Could you please help me understand?

1. To my understanding, we can create a workspace with only one subscription, which means Log Analytics will monitor only the resources that are part of that subscription. Am I right?

2. If I have multiple workspaces for multiple subscriptions, is it possible to bring all of them under one dashboard?

 

Thanks in advance

18 Replies
best response confirmed by Stanislav Zhelyazkov (MVP)
Solution

Hi,

A single Log Analytics workspace can monitor resources in all of your subscriptions as long as they are under the same tenant. For example, if you have an Azure SQL database in Subscription A and a Log Analytics workspace in Subscription B, you can send the logs and metrics from that Azure SQL database to the Log Analytics workspace.

Even if you opt in to having multiple workspaces, Log Analytics supports querying multiple workspaces at the same time. Of course, there is a limit. You can query a maximum of 100 workspaces together.

https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/cross-workspace-query

 

The queries that you create in Logs view can be pinned to Azure dashboards.

 

Thank you, Stan. It was really helpful, and I will start exploring things accordingly.

 

Just curious: there are so many solutions available in Log Analytics. My doubt here is whether all these solutions are free with the Log Analytics plan or cost extra. If they are bundled with a Log Analytics plan, then which plan has the most coverage?

 

Thanks in advance.

I will probably not be able to cover everything around pricing here, but I will try to give a little explanation. Log Analytics is part of Azure Monitor. With both Azure Monitor and Log Analytics you pay for what you use. Check the official pricing pages, but for Log Analytics specifically you will get charged per ingested GB. Keep in mind that there are some other services in Azure, like Azure Security Center, that use Log Analytics as a platform for storing logs. When those services use it as a platform you may have different pricing. For example, ASC pricing is per node, and for each node you get a certain amount of data you can store for free (basically you pay for it via the ASC node price), but if you exceed that daily limit you will have to pay for the amount you have exceeded via the standard Log Analytics pricing. Azure Automation also has a few services where you get some data for free, but for others you have to pay per GB. All this information is available on the Azure Pricing page.

 

I hope this helps.

Hi Stan

 

I went through the link you provided for a single workspace with multiple subscriptions. But the article explains how to cross-query multiple workspaces for data, and I do not see how to create a single workspace for multiple subscriptions. Could you please suggest?

 

Thanks in advance. :)

Hi @Stanislav Zhelyazkov,

 

What is the Log Analytics story for CSPs who have multiple tenants to monitor on and report data to multiple customers?

 

Thanks.

In my opinion there is no difference whether you are one customer or a partner that manages 100 customers. The structure is the same: resources are created per tenant within the tenant's subscriptions. You can use various tools and methods to manage them at scale, like CI/CD, a single ITSM tool, etc. I would suggest opening a new thread for each question that you have. That will be easier for others to follow and search.

There is no special way to create a workspace for multiple subscriptions. A workspace is a workspace; it is up to you to define the strategy for how to use it. It is a matter of how you configure data to be sent to the LA workspace:

- Diagnostic logs support sending data from any service in any subscription to the LA workspace as long as it is in the same tenant

- Azure Activity logs from every subscription can be sent to the LA workspace as long as it is in the same tenant

- The LA agent extension can be installed on any VM in any subscription to send data to the LA workspace as long as it is in the same tenant.

 

 

Hi Stan

 

For example, I have 2 workspaces for my 2 subscriptions. I have enabled the SQL Analytics solution on Subscription A, where I have my workspace A, and I am trying to get DTU percentage details from workspace B, which is in Subscription B, by using a cross query, but LA does not give any result since it does not have the solution. Could you please help me to understand this behavior?

As I have said, it is better to address each of these issues in separate threads, as these questions are different from the original. When people search for answers, it will be impossible to find answers in threads that are about a different thing. I will still answer though. You can run queries in the Logs blade across multiple workspaces. There is no problem in that. The views that come from the SQL Analytics solution, though, will only show data from the workspace where the solution was deployed. The solution's built-in dashboards themselves do not support providing multiple workspaces. You have a couple of options:

  • Use a single workspace to send all your data and deploy the solutions you use to that workspace only
  • If you want to visualize data across multiple workspaces you will not be able to do it with the built-in views for solutions but you can create your own dashboards via pinned queries to Azure Dashboards or Log Analytics Designer views.
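
An added example, not part of the original reply: a cross-workspace query of the kind that can be pinned to an Azure dashboard for the DTU question above. It assumes both workspaces receive Azure SQL metrics in the `AzureMetrics` table through diagnostic settings; the workspace names `workspace-a` and `workspace-b` are placeholders.

```kusto
// Assumption: "workspace-a" and "workspace-b" are placeholder workspace names.
// workspace() also accepts a workspace ID or a full Azure resource ID,
// which avoids ambiguity when names repeat across subscriptions.
union
    workspace("workspace-a").AzureMetrics,
    workspace("workspace-b").AzureMetrics
| where TimeGenerated > ago(1h)
// Keep only Azure SQL DTU percentage samples.
| where ResourceProvider == "MICROSOFT.SQL"
| where MetricName == "dtu_consumption_percent"
// TenantId holds the ID of the workspace that stored the record, so the
// result shows which workspace and subscription each database reports to.
| summarize AvgDtuPercent = avg(Average), MaxDtuPercent = max(Maximum)
    by WorkspaceId = TenantId, SubscriptionId, Resource, bin(TimeGenerated, 5m)
| order by TimeGenerated desc, Resource asc
```

This reads the raw metric records directly, so it does not depend on the SQL Analytics solution being deployed in either workspace.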

@Stanislav Zhelyazkov when you say that a single Log Analytics workspace can monitor ALL of your subscriptions, is there a limit to the number of subscriptions? Let's say I need to monitor 10,000 subs in a single workspace. Whether or not I should do that aside, could it be done?

@mattmackay Yes, there is no limit on the data you can send. You might have trouble creating that many subscriptions though.

Hi @S_I_Kaleel,

I have done this for my 5 subscriptions.

Now let me share my experience. First, select the subscription under which you want to create your centralized workspace.

But before doing this, make sure you have all subscriptions created under the same tenant.

If not, then there is no way to monitor Azure resources.

 

  1. Create Azure Log Analytics.
  2. Connect all the VMs through the portal, SCCM, PowerShell, Ansible or any other preferable way, up to you.
  3. Now connect all the Azure resources to the workspace by going to the Azure Resources page.
  4. Create an action group in the same RG in which you have created the Azure workspace.
  5. Write KQL queries for alerts.

All Done!

 

Now, there is one demerit here: you cannot monitor a cross-subscription storage account, no matter whether it is under the same AD tenant or not.

 

Coming to pricing, the new cost version of ALA generally charges on data insertion.

So the less you insert, the less you have to pay.

Solutions are mostly free, but if you are using any solution, check whether it charges for each device/resource. If so, create a free ALA and use it to leverage the same, since we can collect free data, but here you have to make sure the data is not more than 5 GiB.

 

Hope this helps :)

@GouravIN And if we are using Azure Lighthouse? I thought that was the goal for Azure lighthouse...

@Lucas De Carli To be very frank here, I have not tested this Azure Light yet.

So not sure about this feature.....

@Lucas De Carli Azure Lighthouse does not change the architecture of how to manage your customers. You still create a workspace per customer in their own subscription. Lighthouse just allows easier management at scale of multiple tenants, both from a UI perspective and for authentication for automation.

Hi, can we pull out all the Log Analytics workspace details from all of the subscriptions? Is there any way to do so?
@abhilearning9876 Please see my answer in your other thread

@GouravIN 

We have 13 subscriptions and all have one tenant.
Now I have created a Log Analytics workspace in Subscription A. On Subscription B I'm trying to assign App Insights to the Log Analytics workspace which I created on Subscription A, but it is not allowing it. It is only showing Log Analytics on Subscription B but not Subscription A.

Can someone share how to create a centralized workspace?
