cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Log server to foward logs to Sentinel

dmarquesgn
Iron Contributor

‎Aug 23 2023 03:08 AM

‎Aug 23 2023 03:08 AM

Log server to foward logs to Sentinel

Hi,

I'm starting our journey over Microsoft Sentinel and until now I really like it, so I would like to extend it's usage internally and even maybe reach the point where we would leave our actual SIEM and replace it totally with Sentinel.

But I've got a problem, the Log ingestion is very expensive compared to our actual SIEM solution, so I know I won't have budget to ingest everything that I would like. Also, in some cases, I don't even have an idea of the log production of some sources, as we never ingested them anywhere.

So what I'm thinking is to build an internal Log Server (open source or a low cost solution) to ingest and parse some Logs, understand their value and then if it's the case, ingest them to Sentinel. 

Anyone has such kind of scenario that can recommend a solution for Log Server before Sentinel?

Thanks

Labels:
427 Views
0 Likes
3 Replies
Reply
3 Replies
best response confirmed by dmarquesgn (Iron Contributor)
Clive_Watson

‎Aug 24 2023 02:19 AM

‎Aug 24 2023 02:19 AM

Solution

Re: Log server to foward logs to Sentinel

For testing I'd probably use ADX https://learn.microsoft.com/en-us/azure/sentinel/migration-ingestion-tool#azure-data-explorer (so I can use KQL). But I'd often have (and prefer) a test Sentinel workspace to try the ingestion, but stop the ingestion after a short amount of time to limit the cost and allow the use of https://learn.microsoft.com/en-us/azure/sentinel/data-transformation.
0 Likes
Reply
dmarquesgn

‎Aug 25 2023 07:46 AM

‎Aug 25 2023 07:46 AM

Re: Log server to foward logs to Sentinel

Thanks, I'll take a look into it.
0 Likes
Reply
samikroy

‎Aug 26 2023 12:03 AM

‎Aug 26 2023 12:03 AM

Re: Log server to foward logs to Sentinel

Microsoft offers a 31dsy Free trials for Microsoft Sentinel
https://azure.microsoft.com/en-ca/pricing/details/microsoft-sentinel/#:~:text=per%20SID%20hour-,Free...
and also offers a training lab
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/learning-with-the-microsoft-sentinel-...

This is a good place to start at no extra charge once have a subscription.
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by dmarquesgn (Iron Contributor)
Clive_Watson

‎Aug 24 2023 02:19 AM

‎Aug 24 2023 02:19 AM

Solution

Re: Log server to foward logs to Sentinel

For testing I'd probably use ADX https://learn.microsoft.com/en-us/azure/sentinel/migration-ingestion-tool#azure-data-explorer (so I can use KQL). But I'd often have (and prefer) a test Sentinel workspace to try the ingestion, but stop the ingestion after a short amount of time to limit the cost and allow the use of https://learn.microsoft.com/en-us/azure/sentinel/data-transformation.

View solution in original post

0 Likes
Reply