SOLVED

Multi Tenant Centralize Log Analytics

Copper Contributor

Hi,

 

Has anyone tried centralizing events\metric\logs from other tenants, into one Log Analytics workspace? Or using other Azure Services like Cosmos, and creating reports or alerts from here?

Having one centralized "management repository" for security events and performance counters++ from VM's will be pretty powerful.

I've tried out the following guide:  https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-log-collect-tenants

but as a CSP responsible for IaaS, PaaS to SaaS for our customer there must be an easier way. 

6 Replies

Hi@AzureSensei 

My experience shows that management at scale should be done by tenant. This means that resources are created per tenant otherwise you will have problems in billing your customers correctly, access management, setup, etc.. Azure Lighthouse can you bring data together by projecting customer subscriptions under your tenant. That way you can use built-in Azure Monitor features where you can query information from multiple workspace.

thanks @Stanislav Zhelyazkov,

 

Regarding billing, access management and things like data retention will be managed and contained within customer's subscriptions with pre-configured policies or other rulesets when "built".

And depending on which way data is exported from the tenant will depict the extra cost.

- Outbound from the customer tenant will be an extra cost for the customer.

- Initiated data collection from our tenant will be an extra cost for us.

Referring to the where the arrows are pointing in the link I provided.

 

Maybe I'm over-complicating things. Is it possible for the customer's Microsoft Monitoring Agent to connect to our "management" tenant?

best response confirmed by Stanislav Zhelyazkov (MVP)
Solution

@AzureSensei For me this is just not the right way and I think it is a road that is filled with many obstacles just because when services are designed for cross-tenant setup. Of course you are free to follow your on path. I cannot tell if every single integration in Azure will work in such scenario ( I am sure it will not work in some). For sure you can install Log Analytics agent on a VM located in one tenant and workspace in another tenant. That is possible because the agent connects to the workspace by ID and key so it works even for on-premises setups or in other clouds.

It is important to consider in such scenario overall management of these resources like the workspace. You can set retention per table but not per data. So if one of your customers wants 2 years but all others want default 30 days? What happens if particular customer due to compliance reasons does not want the data to be contained in the same resource? What happens if a customer leaves you as CSP and they want their data to be given to them? What happens if customer asks for certain data to be deleted as there is some performance penalty when data is deleted that will affect all your customers? This is just a small part of the example scenarios that you might meet if you take such decision. So it is good to sit down and consider all the scenarios that might apply to your existing or future customers and take decision based on if you are ready with solutions for those or not.

@Stanislav Zhelyazkov you got some valid points there mister. I'll do as advised, and have a think about it.. Again. :smile:

@AzureSensei Our organization doesn't do this, but we have taken it down a level--we have a single Log Analytics workspace for multiple subscriptions, and so far, it has worked out well. 

@AzureSensei 

Hi, Do you have a solution for it now? I faced a similar issue to you. I want to collect logs for Host Pool to another Tenant's Event Hub by setting diagnostics setting in Azure Monitor.

Thanks.

1 best response

Accepted Solutions
best response confirmed by Stanislav Zhelyazkov (MVP)
Solution

@AzureSensei For me this is just not the right way and I think it is a road that is filled with many obstacles just because when services are designed for cross-tenant setup. Of course you are free to follow your on path. I cannot tell if every single integration in Azure will work in such scenario ( I am sure it will not work in some). For sure you can install Log Analytics agent on a VM located in one tenant and workspace in another tenant. That is possible because the agent connects to the workspace by ID and key so it works even for on-premises setups or in other clouds.

It is important to consider in such scenario overall management of these resources like the workspace. You can set retention per table but not per data. So if one of your customers wants 2 years but all others want default 30 days? What happens if particular customer due to compliance reasons does not want the data to be contained in the same resource? What happens if a customer leaves you as CSP and they want their data to be given to them? What happens if customer asks for certain data to be deleted as there is some performance penalty when data is deleted that will affect all your customers? This is just a small part of the example scenarios that you might meet if you take such decision. So it is good to sit down and consider all the scenarios that might apply to your existing or future customers and take decision based on if you are ready with solutions for those or not.

View solution in original post