cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Limit to one log analytics workspace?

Jeff Walzer
Iron Contributor

‎Feb 27 2020 11:45 AM - last edited on ‎Apr 08 2022 10:18 AM by

‎Feb 27 2020 11:45 AM - last edited on ‎Apr 08 2022 10:18 AM by

Limit to one log analytics workspace?

I created a log analytics workspace and then configured all resources in the subscription to forward metrics/events to that workspace. I just noticed that someone created a new log analytics workspace and had some resources reporting to the workspace.

 

Should I look to prevent the creation of other log analytics workspaces to ensure that the log analytics workspace I created receives all metrics/events?

 

Being part of security I want to ensure I aggregate all metrics/events into one workspace as we are leveraging Sentinel as well. Is there ever a case for more than one log analytics workspace?

 

Thx

3,927 Views
0 Likes
2 Replies
Reply
2 Replies
best response confirmed by Jeff Walzer (Iron Contributor)
CliveWatson

‎Feb 27 2020 02:44 PM

‎Feb 27 2020 02:44 PM

Solution

Re: Limit to one log analytics workspace?

@Jeff Walzer 

 

Some of the cases are discussed here. https://docs.microsoft.com/en-us/azure/azure-monitor/platform/design-logs-deployment

If your company strategy is to centralize then you may need to audit or block other workspaces, or understand why data has to be separated, maybe is low value data that Sentinel wouldn't be interested in, or allowed to see? Someone seems to have the ability to create them outside of security is that also an issue or is training needed?  However there could be a legitimate business need for extra workspaces?  The guidance is to have as few workspaces as possible, start at one 'central' workspace and only add by exception, with an agreed business need. 

You'd often need a workspace for evaluation and testing, maybe that's what has been created?  Also see https://techcommunity.microsoft.com/t5/azure-sentinel/best-practices-for-designing-an-azure-sentinel...

 

Thanks

2 Likes
Reply
Jeff Walzer

‎Feb 28 2020 03:53 AM

‎Feb 28 2020 03:53 AM

Re: Limit to one log analytics workspace?

@CliveWatson- thx for the reply and information as it's greatly appreciated.

 

Jeff

0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Jeff Walzer (Iron Contributor)
CliveWatson

‎Feb 27 2020 02:44 PM

‎Feb 27 2020 02:44 PM

Solution

Re: Limit to one log analytics workspace?

@Jeff Walzer 

 

Some of the cases are discussed here. https://docs.microsoft.com/en-us/azure/azure-monitor/platform/design-logs-deployment

If your company strategy is to centralize then you may need to audit or block other workspaces, or understand why data has to be separated, maybe is low value data that Sentinel wouldn't be interested in, or allowed to see? Someone seems to have the ability to create them outside of security is that also an issue or is training needed?  However there could be a legitimate business need for extra workspaces?  The guidance is to have as few workspaces as possible, start at one 'central' workspace and only add by exception, with an agreed business need. 

You'd often need a workspace for evaluation and testing, maybe that's what has been created?  Also see https://techcommunity.microsoft.com/t5/azure-sentinel/best-practices-for-designing-an-azure-sentinel...

 

Thanks

View solution in original post

2 Likes
Reply