Aug 22 2024 10:16 AM
Hello all,
I am using Elastic SIEM in my environment, but due to some pressing requirements, we would like to send the logs for long-term storage. Now, I am not really sure how to send the Elastic SIEM logs to Azure Data Explorer (ADX), or how to use a Logic App to send the Elastic logs to a Blob Storage.
Can you please help with both options? Is there any risk of losing data when using either option? Which one is more feasible? Currently ingesting about 5 gigs of data in Elastic.
Thanks.
Aug 23 2024 03:02 PM
You can set up Elastic SIEM to export logs directly to Azure Data Explorer (ADX) for advanced querying and real-time analytics. This can be done using custom export pipelines or Logstash with an ADX output plugin. ADX is ideal for environments where you need to frequently analyze large volumes of log data. However, it may require more complex setup compared to Blob Storage.
For a simpler, cost-effective solution, use Azure Logic Apps to periodically export Elastic SIEM logs to Azure Blob Storage. This method is great for long-term storage where frequent querying isn't necessary. It’s easier to set up but lacks the advanced querying capabilities of ADX.
If you prioritize simple storage and cost, go with Azure Blob Storage. For advanced analytics, ADX is more suitable, albeit with a more complex setup. Both methods are reliable, with minimal risk of data loss if properly configured.
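As an added example (not from either poster), here is a Logstash pipeline of the kind the reply describes for the ADX route: it pulls recent documents out of Elasticsearch with the elasticsearch input and ships them with the community logstash-output-kusto plugin. Host names, credentials, the index pattern and the ADX database, table and mapping names are placeholders, and the table and JSON ingestion mapping are assumed to already exist in ADX.

```logstash
input {
  elasticsearch {
    hosts    => ["https://elastic.example.internal:9200"]   # placeholder Elasticsearch host
    user     => "export_reader"                              # placeholder read-only account
    password => "${ES_EXPORT_PASSWORD}"                      # pulled from the Logstash keystore
    index    => "logs-*"                                     # placeholder index pattern
    # Poll every 15 minutes but look back 20 minutes, so a slow run cannot leave a gap;
    # the overlap is deduplicated downstream on the Elasticsearch document id.
    query    => '{ "query": { "range": { "@timestamp": { "gte": "now-20m" } } } }'
    schedule => "*/15 * * * *"
    docinfo        => true                                   # expose _index/_id as metadata
    docinfo_target => "[@metadata][doc]"
  }
}

filter {
  mutate {
    # Carry the source document id as a real field so ADX can drop the overlap duplicates.
    add_field => { "es_id" => "%{[@metadata][doc][_id]}" }
  }
}

output {
  kusto {
    # Events are spooled to local files first and then uploaded; this path is the
    # only place data sits unacknowledged, so keep it on durable, monitored disk.
    path         => "/var/lib/logstash/kusto/%{+YYYY-MM-dd-HH-mm}.json"
    ingest_url   => "https://ingest-<cluster>.<region>.kusto.windows.net/"  # placeholder
    app_id       => "${ADX_APP_ID}"      # service principal with ingestion rights only
    app_key      => "${ADX_APP_KEY}"
    app_tenant   => "${ADX_TENANT}"
    database     => "SiemArchive"        # placeholder ADX database
    table        => "ElasticLogs"        # placeholder table, created beforehand
    json_mapping => "ElasticLogsMapping" # placeholder JSON ingestion mapping
  }
}
```

The data-loss question from the original post comes down to two things in this layout: the Elasticsearch index retention must be longer than the worst-case export lag, and the local spool directory must survive a Logstash restart, which is why the credentials are scoped to read-only on the source and ingest-only on ADX.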