Microsoft Tech Community

Log server to forward logs to Sentinel

Iron Contributor


I'm starting our journey over Microsoft Sentinel and until now I really like it, so I would like to extend its usage internally and even maybe reach the point where we would leave our actual SIEM and replace it totally with Sentinel.

But I've got a problem, the Log ingestion is very expensive compared to our actual SIEM solution, so I know I won't have budget to ingest everything that I would like. Also, in some cases, I don't even have an idea of the log production of some sources, as we never ingested them anywhere.

So what I'm thinking is to build an internal Log Server (open source or a low cost solution) to ingest and parse some Logs, understand their value and then if it's the case, ingest them to Sentinel. 

Does anyone have such a scenario and can recommend a solution for a Log Server before Sentinel?
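One way to put numbers on the "I don't know the log production of some sources" problem before paying for Sentinel ingestion, as an added example that is not code from this thread: size a short captured sample of syslog per host and extrapolate to GB/day. The sample lines, the capture window and the `bytes_by_host` / `volume_report` helper names are constructed for this example.

```python
"""Estimate per-source log volume from a captured sample of syslog lines.

Feed it a file or stream captured for a known number of seconds from the
intermediate log server; the output is a per-host projection of GB/day,
which is the unit Sentinel ingestion is billed in.
"""
import re
from collections import defaultdict

# RFC 3164-style sample (constructed). In practice read a capture file instead.
SAMPLE_LINES = [
    "<34>Jan  5 10:00:01 fw01 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.1",
    "<38>Jan  5 10:00:02 web01 sshd[1234]: Accepted publickey for svc from 10.0.0.9",
    "<38>Jan  5 10:00:05 web01 sshd[1235]: Failed password for invalid user admin from 10.0.0.7",
    "<34>Jan  5 10:00:06 fw01 kernel: DROP IN=eth0 SRC=10.0.0.6 DST=10.0.0.1",
    "<13>Jan  5 10:00:07 db01 postgres[88]: checkpoint complete",
]
SAMPLE_WINDOW_SECONDS = 10  # how long the sample capture ran (constructed)

# RFC 3164 layout: <PRI>MMM dd HH:MM:SS host ...  -> capture the host field
_HOST_RE = re.compile(r"^<\d+>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} (\S+) ")


def bytes_by_host(lines):
    """Return {host: (line_count, total_bytes)} for an iterable of syslog lines."""
    totals = defaultdict(lambda: [0, 0])
    for line in lines:
        m = _HOST_RE.match(line)
        # Malformed lines still cost ingestion, so count them under "unparsed"
        host = m.group(1) if m else "unparsed"
        totals[host][0] += 1
        totals[host][1] += len(line.encode("utf-8")) + 1  # +1 for the newline
    return {h: tuple(v) for h, v in totals.items()}


def projected_gb_per_day(total_bytes, window_seconds):
    """Extrapolate bytes seen in window_seconds to GB (1e9 bytes) per day."""
    return total_bytes / window_seconds * 86400 / 1e9


def volume_report(lines, window_seconds):
    """Per-host projected GB/day, largest producer first."""
    per_host = bytes_by_host(lines)
    report = {h: projected_gb_per_day(b, window_seconds) for h, (_, b) in per_host.items()}
    return dict(sorted(report.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    for host, gb in volume_report(SAMPLE_LINES, SAMPLE_WINDOW_SECONDS).items():
        print(f"{host:12s} {gb:10.6f} GB/day")
```

A ten-second sample overstates or understates bursty sources; capture over a full business day before using the projection for a budget decision.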


3 Replies
best response confirmed by dmarquesgn (Iron Contributor)
For testing I'd probably use ADX (so I can use KQL). But I'd often have (and prefer) a test Sentinel workspace to try the ingestion, but stop the ingestion after a short amount of time to limit the cost and allow the use of
Thanks, I'll take a look into it.
Microsoft offers a 31-day free trial for Microsoft Sentinel, Free...
and also offers a training lab

This is a good place to start at no extra charge once you have a subscription.