Controlling visability and ingestion of custom logs

Senior Member

Hi,

 

I've just been asked to look at the MS LA/Sentinel stack. I have a decent background in another popular log management SIEM that begins with S. Enjoying having a look through and the different capabilities.

 

One area that I'm struggling to get traction in is how to manage custom log ingestion. I can set the files to look at etc however I can't seem to work out how to do transforms/filtering etc or even how to bind these logs to different asset groups. For example many systems log to d:\logs\YYYYMMDD.txt etc, if I add that as a custom log source it applies to all machines and the same custom source. I think I must be missing something here?

 

Other area I am struggling with the permissions to custom logs. My reading suggests that it isn't possible to filter down on what custom logs are viewable is that correct? If it's not possible how are people managing different access requirements?

 

Apologies if these are simple questions however I have attempted to read up/search these forums first. Any advice is appreciate.

 

Cheers.

1 Reply

@securityninja 

Hi

You are correct, there is no way to "target" custom log settings to specific machines.  if you say collect d:\logs\YYYYMMDD.txt it will attempt on all machines.  If you have a custom application that is writing these logs, one option would be to update the application to write directly to log analytics API then you could write to different custom logs.

 

Correct on permissions too.  you can only set permissions that apply to all custom logs.