Forum Discussion
abon13
Sep 13, 2024 (Brass Contributor)
MDE logs backup suggestions
Hi All,
Given that MDE stores logs for 30 days only, I am in search of ideas on where to store these logs beyond 30 days. We do not want to export the logs to Sentinel due to the cost factor. I am thinking of storing the logs in a Cosmos DB; however, I would like to know what other options I have here.
Thank you!!
cyb3rmik3 (Iron Contributor)
Hey abon13,
I think what you need to consider is how you would like to access the logs after 30 days.
- You can indeed incorporate a Sentinel instance, as mentioned by jbmartin6, and there you can take advantage of the free 90 days of retention and add an archiving plan for as long as you want. This is probably the easiest way to deploy and the most flexible in terms of what you would like in hot and archived storage. It has the highest cost of all the solutions.
- You can leverage Azure Event Hub to stream your data to ADX. While this would require some extra effort to deploy, it is of medium cost and it is very easy to access your data and perform queries. There is a detailed guide here.
- You can also stream your data to a storage account; while this is a simple-to-set-up and very cheap solution, it is highly complex to query the data stored. You can review the guide here.
I hope the following information helps as well (as per my experience):
Sentinel/Log Analytics Workspace
Cost: High
Setup: Very easy
Data access: Easy (only because of the Searches in case you choose accessing archived data)
Event Hub to ADX
Cost: Medium
Setup: Medium
Data access: Very easy
Event Hub to Storage Account
Cost: Low
Setup: Easy
Data access: Very hard
If I have answered your question, please mark your post as Solved
If you like my response, please consider giving it a like
cyb3rmik3 (Iron Contributor)
Hi abon13,
Well, it seems that there is functionality to ingest logs from Event Hub directly into a Log Analytics Workspace:
This is a very interesting development, although it is still in preview and I am not so sure about the parsing of logs through Event Hub to LAW.
If this is your goal, you could give this a try! 😉
If I have answered your question, please mark your post as Solved
If you like my response, please consider giving it a like
jbmartin6 (Iron Contributor)
You can increase retention to 180 days in MDE. You don't have to export to Sentinel; you can send the logs to a Log Analytics workspace (which is part of Sentinel but without ingestion costs, since it just stores them). Or even just send them via an event hub to plain Azure storage. Though presumably you want something you can query. In that case your options are virtually unlimited: you just send the MDE events to an event hub, then consume them with one of many tools and forward them to your storage.
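As an added illustration (not code from this thread or from Microsoft) of jbmartin6's "event hub, then consume and forward to your storage" route: a minimal consumer stage that takes MDE streaming API message bodies and lands each record in a table-and-date partitioned NDJSON layout, then reads one day back. That partitioning is what keeps the cheap "Event Hub to Storage Account" option from being "very hard" to query later. The envelope shape is assumed from Microsoft's streaming API documentation, the tenant id and events are constructed, the Event Hub receive side (azure-eventhub) is replaced by plain strings, and a temp directory stands in for the storage container.

```python
import json
import tempfile
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path

# Assumed body shape (MDE streaming API to Event Hubs, per Microsoft's docs):
# {"records": [{"time", "tenantId", "category": "AdvancedHunting-<Table>", "properties": {<row>}}, ...]}
def partition_for(record: dict) -> tuple[str, Path]:
    """Map a record to (table, <Table>/y=YYYY/m=MM/d=DD/events.ndjson), dated by event time in UTC."""
    table = record["category"].removeprefix("AdvancedHunting-")
    ts = datetime.fromisoformat(record["time"].replace("Z", "+00:00")).astimezone(timezone.utc)
    return table, Path(table) / f"y={ts:%Y}" / f"m={ts:%m}" / f"d={ts:%d}" / "events.ndjson"

def write_batch(message_bodies: list[str], root: Path) -> Counter:
    """Append each record's properties as one JSON line to its partition; return rows written per table."""
    written: Counter = Counter()
    for body in message_bodies:
        for record in json.loads(body)["records"]:
            table, rel = partition_for(record)
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            with path.open("a", encoding="utf-8") as fh:
                fh.write(json.dumps(record["properties"], separators=(",", ":")) + "\n")
            written[table] += 1
    return written

def query(root: Path, table: str, day: str) -> list[dict]:
    """Read one table for one UTC day (YYYY-MM-DD). With this layout that is a single
    file read instead of a scan of every blob in the container."""
    y, m, d = day.split("-")
    path = root / table / f"y={y}" / f"m={m}" / f"d={d}" / "events.ndjson"
    return [json.loads(line) for line in path.read_text(encoding="utf-8").splitlines()] if path.exists() else []

# Constructed sample: two message bodies, three records, two tables, two UTC days.
def make_record(time: str, table: str, **props: object) -> dict:
    return {"time": time, "tenantId": "TENANT-PLACEHOLDER", "category": f"AdvancedHunting-{table}", "properties": props}

SAMPLE_MESSAGES = [
    json.dumps({"records": [
        make_record("2024-09-13T10:15:00Z", "DeviceProcessEvents", DeviceName="host01", FileName="powershell.exe"),
        make_record("2024-09-13T23:59:59Z", "DeviceNetworkEvents", DeviceName="host01", RemoteIP="10.0.0.5", RemotePort=443)]}),
    json.dumps({"records": [
        make_record("2024-09-14T00:00:01Z", "DeviceProcessEvents", DeviceName="host02", FileName="cmd.exe")]}),
]

def demo() -> dict:
    """Land the sample batch in a temp directory that stands in for the storage container."""
    root = Path(tempfile.mkdtemp())
    return {"root": root, "counts": write_batch(SAMPLE_MESSAGES, root)}
```

Event times are normalised to UTC before choosing the day folder, so a record stamped late in the evening in a negative-offset zone lands in the next day's partition rather than being split across two.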