Lately I’ve had a few conversations regarding Log Analytics workspace design. More specifically, questions like:
How many workspaces you need is determined by one or more of the following requirements:
These items are really important to figure out, since a Log Analytics workspace provides by design:
IT shops these days are set up in a centralized structure, a decentralized structure, or an in-between hybrid of both. Therefore, the following workspace deployment models have been commonly used to map to one of these organizational structures:
So, I really think that a central workspace is a more reasonable solution for most organizations that need to query all resources. If you never, or only seldom, require cross-workspace queries, then a decentralized approach may be appropriate.
When deploying a centralized model, you need to manage access to the logs and the administration of the workspaces, including how to grant access to:
You can view the access control mode configured on a workspace from the Azure portal or with Azure
The two access options are:
Workspace-context: with this access mode, you can view all logs in the workspace that you have permission to. Queries in this mode are scoped to all data in all tables in the workspace, and they are run in the Log Analytics workspace itself: open the workspace, select Logs from the left side menu, and write your query in the editor.
Resource-context: this mode is aimed at application teams, that is, administrators of the Azure resources being monitored. When you access the workspace for a particular resource, resource group, or subscription, such as when you select Logs from a resource menu in the Azure portal, you can view logs only for the resources, in all tables, that you have access to.
Queries in this mode are scoped to only data associated with that resource. This mode also enables granular Azure RBAC.
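Whether resource-context access and its granular Azure RBAC can take effect depends on the workspace's access control mode. The following audit sketch is an added example, not code from the original post: it classifies workspaces by the `enableLogAccessUsingOnlyResourcePermissions` feature flag of the workspace resource. The workspace names and the JSON sample are constructed, and the input is assumed to have the shape of an Azure Resource Manager workspace listing.

```python
import json

# Feature flag on Microsoft.OperationalInsights/workspaces that holds the
# access control mode (the name comes from the Azure resource, not this post).
FLAG = "enableLogAccessUsingOnlyResourcePermissions"

RESOURCE_OR_WORKSPACE = "Use resource or workspace permissions"
WORKSPACE_ONLY = "Require workspace permissions"

# Constructed sample shaped like an ARM workspace listing; names are made up.
SAMPLE = json.loads("""
[
  {"name": "law-central",
   "properties": {"features": {"enableLogAccessUsingOnlyResourcePermissions": true}}},
  {"name": "law-legacy",
   "properties": {"features": {"enableLogAccessUsingOnlyResourcePermissions": false}}},
  {"name": "law-old", "properties": {"features": {}}}
]
""")


def access_control_mode(workspace):
    """Return the access control mode for one workspace object."""
    props = workspace.get("properties") or {}
    # Assumption: some tools flatten 'properties', so accept both shapes.
    features = props.get("features") or workspace.get("features") or {}
    # A missing or blank flag is treated the same as False.
    if features.get(FLAG) is True:
        return RESOURCE_OR_WORKSPACE
    return WORKSPACE_ONLY


def audit(workspaces):
    """Map each workspace name to its access control mode."""
    return {w["name"]: access_control_mode(w) for w in workspaces}


def needs_review(workspaces):
    """Workspaces where resource permissions alone grant no log access."""
    modes = audit(workspaces)
    return sorted(name for name, mode in modes.items() if mode == WORKSPACE_ONLY)


if __name__ == "__main__":
    for name, mode in audit(SAMPLE).items():
        print(f"{name}: {mode}")
    print("Review before relying on resource-context access:", needs_review(SAMPLE))
```

In a centralized design, a workspace reported as "Require workspace permissions" means application teams need workspace-level permissions to read their logs.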
For more information about designing your Azure Monitor Logs deployment, see the following documentation.