Feb 27 2020
- last edited on
Apr 08 2022
I created a log analytics workspace and then configured all resources in the subscription to forward metrics/events to that workspace. I just noticed that someone created a new log analytics workspace and had some resources reporting to the workspace.
Should I look to prevent the creation of other log analytics workspaces to ensure that the log analytics workspace I created receives all metrics/events?
Being part of security, I want to ensure I aggregate all metrics/events into one workspace, as we are leveraging Sentinel as well. Is there ever a case for more than one log analytics workspace?
Feb 27 2020 02:44 PM - Solution
Some of the cases are discussed here. https://docs.microsoft.com/en-us/azure/azure-monitor/platform/design-logs-deployment
If your company strategy is to centralize, then you may need to audit or block other workspaces, or understand why the data has to be separated; maybe it is low-value data that Sentinel wouldn't be interested in, or isn't allowed to see? Someone seems to have the ability to create them outside of security; is that also an issue, or is training needed? However, there could be a legitimate business need for extra workspaces. The guidance is to have as few workspaces as possible: start with one 'central' workspace and only add by exception, with an agreed business need.
You'd often need a workspace for evaluation and testing; maybe that's what has been created? Also see https://techcommunity.microsoft.com/t5/azure-sentinel/best-practices-for-designing-an-azure-sentinel...
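One way to implement the "audit or block other workspaces" option from the answer above, as an added example that is not part of the original post: a custom Azure Policy definition that flags (Audit) or refuses (Deny) any Log Analytics workspace created outside a designated resource group. The resource group name rg-security-monitoring, the parameter names and the display text are assumptions chosen for illustration; the resource type `Microsoft.OperationalInsights/workspaces`, the `resourceGroup()` template function and the `in` condition are standard Azure Policy language.

```json
{
  "properties": {
    "displayName": "Log Analytics workspaces may only be created in the central security resource group",
    "description": "Added example definition (not from the original thread). Workspaces outside the allowed resource groups are audited or denied, depending on the effect parameter. Allowed resource group names are assumptions for illustration.",
    "policyType": "Custom",
    "mode": "Indexed",
    "parameters": {
      "effect": {
        "type": "String",
        "allowedValues": ["Audit", "Deny"],
        "defaultValue": "Audit",
        "metadata": {
          "displayName": "Effect",
          "description": "Audit first to inventory existing workspaces; switch to Deny once exceptions are agreed."
        }
      },
      "allowedResourceGroups": {
        "type": "Array",
        "defaultValue": ["rg-security-monitoring"],
        "metadata": {
          "displayName": "Allowed resource groups",
          "description": "Resource groups where workspaces may live (assumed name). Add an evaluation/test group here by exception rather than relaxing the policy."
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.OperationalInsights/workspaces"
          },
          {
            "not": {
              "value": "[resourceGroup().name]",
              "in": "[parameters('allowedResourceGroups')]"
            }
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Assign the definition at subscription (or management group) scope with `effect` set to Audit first: Azure Policy evaluates existing resources too, so the compliance view becomes an inventory of every workspace created outside the central group, which answers the "who created this and why" question before anything is blocked. Switch to Deny once the list of agreed exceptions (for example a testing workspace) has been added to `allowedResourceGroups` or covered by a policy exemption. Note that Deny only stops new workspace creations; an existing non-compliant workspace is reported, not removed, and resources already sending diagnostics to it keep doing so until their diagnostic settings are changed.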