Aug 23 2023 03:08 AM
Hi,
I'm starting our journey over Microsoft Sentinel and until now I really like it, so I would like to extend its usage internally and even maybe reach the point where we would leave our actual SIEM and replace it totally with Sentinel.
But I've got a problem, the Log ingestion is very expensive compared to our actual SIEM solution, so I know I won't have budget to ingest everything that I would like. Also, in some cases, I don't even have an idea of the log production of some sources, as we never ingested them anywhere.
So what I'm thinking is to build an internal Log Server (open source or a low cost solution) to ingest and parse some Logs, understand their value and then if it's the case, ingest them to Sentinel.
Does anyone have such a scenario and can recommend a solution for a Log Server before Sentinel?
Thanks