Suppose we have one centralized management subscription. In that centralized subscription we have created log analytic workspaces in different regions. These log analytic workspaces are enabled with sentinel. due to compliance reason, we would like to keep the log data within the region,
how we can automate the auto provisioning in a way, that each VM's syslog or event logs should forwarded into correct log analytic workspace in centralized subscription.
Unfortunately, the auto-provisioning is a subscription wide configuration, that means that all VMs in the sub will send data to the same ALA workspace (which can be in a different subscription). That said, if you group your regional resources under separate subs, you can use auto provisioning to accomplish your goal.
Alternatively, you may consider using manual agent provisioning and target agents to different ALA workspaces based on certain criteria, e.g. location, tags, etc.