ASC auto provisioning


Hi Team,

Suppose we have one centralized management subscription. In that centralized subscription we have created Log Analytics workspaces in different regions. These Log Analytics workspaces are enabled with Sentinel. Due to compliance reasons, we would like to keep the log data within the region.

How can we automate the auto provisioning in such a way that each VM's syslog or event logs are forwarded to the correct Log Analytics workspace in the centralized subscription?

References:

Support Regions: https://docs.microsoft.com/en-us/azure/security-center/faq-data-collection-agents

Enable AutoProvision: Install the Log Analytics agent for Linux (https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/oms-linux)

1 Reply

Hi Mahesh,

Unfortunately, auto-provisioning is a subscription-wide configuration, which means that all VMs in the sub will send data to the same ALA workspace (which can be in a different subscription). That said, if you group your regional resources under separate subs, you can use auto provisioning to accomplish your goal.

Alternatively, you may consider using manual agent provisioning and target agents to different ALA workspaces based on certain criteria, e.g. location, tags, etc.
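
The manual, location-based agent provisioning suggested in the reply could look like the following. This is an added example, not part of the original thread or Microsoft's code. The workspace names, the `MGMT_RG` resource group and the `MGMT_SUB` subscription are constructed placeholders, and the region map is an assumption to replace with your own.

```shell
# Added example; every resource name here is a constructed placeholder.
MGMT_RG="rg-central-logging"          # hypothetical RG holding the workspaces
MGMT_SUB="${MGMT_SUB:-<central-subscription-id>}"

# Region -> workspace in that region. No fallback workspace on purpose: an
# unmapped region fails closed instead of shipping logs to another region.
workspace_for() {
  case "$1" in
    westeurope)    echo "law-sentinel-weu" ;;
    eastus)        echo "law-sentinel-eus" ;;
    southeastasia) echo "law-sentinel-sea" ;;
    *)             return 1 ;;
  esac
}

# OS type -> Log Analytics agent VM extension name.
extension_for() {
  case "$1" in
    Linux)   echo "OmsAgentForLinux" ;;
    Windows) echo "MicrosoftMonitoringAgent" ;;
    *)       return 1 ;;
  esac
}

# stdin: "name resourceGroup location osType" per line (az ... -o tsv).
# DRY_RUN=1 (default) only prints the plan; DRY_RUN=0 installs the agent.
onboard_vms() {
  skipped=0
  while read -r name rg loc os; do
    if ! ws=$(workspace_for "$loc") || ! ext=$(extension_for "$os"); then
      echo "SKIP $name: no workspace for '$loc' or unknown OS '$os'" >&2
      skipped=$((skipped + 1)); continue
    fi
    if [ "${DRY_RUN:-1}" = 1 ]; then
      echo "PLAN $name ($loc, $os) -> $ws via $ext"; continue
    fi
    id=$(az monitor log-analytics workspace show --subscription "$MGMT_SUB" \
           -g "$MGMT_RG" -n "$ws" --query customerId -o tsv </dev/null) || return 2
    key=$(az monitor log-analytics workspace get-shared-keys --subscription "$MGMT_SUB" \
           -g "$MGMT_RG" -n "$ws" --query primarySharedKey -o tsv </dev/null) || return 2
    az vm extension set -g "$rg" --vm-name "$name" --name "$ext" \
      --publisher Microsoft.EnterpriseCloud.Monitoring \
      --settings "{\"workspaceId\":\"$id\"}" \
      --protected-settings "{\"workspaceKey\":\"$key\"}" </dev/null || return 2
  done
  [ "$skipped" -eq 0 ]   # non-zero exit if any VM was left unrouted
}
```

With an authenticated `az` session, feed it the inventory: `az vm list --query "[].[name,resourceGroup,location,storageProfile.osDisk.osType]" -o tsv | onboard_vms`, review the plan, then rerun with `DRY_RUN=0`.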