May 11 2022 10:12 AM
Hi everyone,
I'd like to be able to better explain the sentinel ingestion costs.
If I punch in 500GB/day to the cost calculator, it lists costs for Azure Monitor and Sentinel.
1. Are both part of the charge? Feels like a duplicate.
2. Do Basic logs and Analytic logs need to be 500GB? Assuming all logs should be queryable via KQL for analytic rules.
Thank you.
May 11 2022 10:26 AM
May 12 2022 04:20 AM
May 13 2022 09:17 AM - edited May 13 2022 09:22 AM
Thanks guys, this is very helpful!
Another question based on this same example (please and thanks).
If you want to keep data available for KQL queries up to 1 year, would I set Data Archive to 1 year?
So:
- Basic Logs: zero
- Analytic Logs: 500GB/day (is this for 30 or 90 days?)
- Data Archive: 1 year (can this still be queried via KQL?)
- Azure Monitor Data Restore - not needed? Assume this is a 'typical' use case.
- Azure Monitor Search Queries and Search Jobs - not needed? Assume this is a 'typical' use case.
= Total monthly cost: $41,600k
May 16 2022 04:09 AM
@SocInABox You can keep the data in Microsoft Sentinel for up to two years. If you want to keep it for just one, set the Data Retention to 365. You will pay for the difference between the 90 free days and the 365 days in a year (275 days).
Keep in mind that you will keep adding to the amount being archived each month after your first 90 days, and then it will level off after a year. Also, you can set table-level data retention so you only keep those tables you need for 90 days (see link below).
If you don't think you will be using the data all the time, take a look at archival capabilities that will still allow you to search (for a cost) without having them retained in MS Sentinel: Configure data retention and archive in Azure Monitor Logs (Preview) - Azure Monitor | Microsoft Doc...
May 16 2022 05:43 AM
@SocInABox The blog post was just published that may help as well: Simplified Log Analytics Table Management - Microsoft Tech Community
May 16 2022 07:00 AM - edited May 16 2022 10:43 AM
Thanks very much @Gary Bushey. But I'd still like to complete my example scenario, and your suggestion greatly helps.
So say I picked the 'alerts' table and I want to enable archiving:
When the archiving started after 30 days I would use this reference to calculate my need for "Data Archiving at $0.02 per GB?"
https://azure.microsoft.com/en-us/pricing/details/monitor/
So my total costs would be:
Table N1 * 0.02 x GB + Table N2 * 0.02 x GB ....
Or I could just say for 500GB: 0.02x500x30days = $300 = peanuts...
I wonder if the calculator above is wrong - it seems to be adding the full 12 months of archive retention to EACH month.
Correct?
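As an added illustration of the ramp-up Gary describes above (archived volume grows after day 90 and levels off after a year) and of the "is it charging a full year every month?" question in the last post: a small Python model written for this page. It is not code from any of the posters or from Microsoft's pricing calculator. The 500 GB/day ingest, 90 included retention days, 365-day retention and $0.02 per GB-month are the figures quoted in this thread and are used here as model assumptions, not as a statement of current Azure pricing; a flat 30-day month is also assumed.

```python
"""Day-by-day model of paid (beyond the included period) retention volume.

Assumptions (taken from the thread, not from a price sheet):
  - constant ingestion every day, nothing deleted early
  - the first `free_days` of each day's data are included at no extra charge
  - data older than `free_days` but younger than `retention_days` is charged
    per GB per month at `price_per_gb_month`
"""

from dataclasses import dataclass


@dataclass
class RetentionModel:
    ingest_gb_per_day: float = 500.0      # thread's example: 500 GB/day
    free_days: int = 90                   # thread: 90 days included
    retention_days: int = 365             # thread: keep for one year
    price_per_gb_month: float = 0.02      # thread: $0.02 per GB (assumed per month)

    def paid_gb_on_day(self, day: int) -> float:
        """GB sitting in the charged window on a given day (day 1 = first ingest day).

        Nothing is charged until day `free_days` has passed; after that the
        charged window grows by one day's ingest per day until the oldest data
        starts aging out at `retention_days`, after which it stays constant.
        """
        if day <= self.free_days:
            return 0.0
        paid_days = min(day, self.retention_days) - self.free_days
        return paid_days * self.ingest_gb_per_day

    def monthly_cost(self, month: int, days_per_month: int = 30) -> float:
        """Approximate charge for month N (30-day months, month 1 = days 1..30).

        Charged as the average GB held during the month times the per-GB-month
        price, which is how a per-GB-month storage rate is normally applied.
        """
        start = (month - 1) * days_per_month + 1
        days = range(start, start + days_per_month)
        avg_gb = sum(self.paid_gb_on_day(d) for d in days) / days_per_month
        return avg_gb * self.price_per_gb_month

    def steady_state_gb(self) -> float:
        """Plateau volume once the window is full: (retention - free) days of ingest."""
        return (self.retention_days - self.free_days) * self.ingest_gb_per_day

    def steady_state_monthly_cost(self) -> float:
        """Monthly charge once the plateau is reached."""
        return self.steady_state_gb() * self.price_per_gb_month

    def first_year_cost(self) -> float:
        """Sum of the first 12 monthly charges, including the zero-cost ramp-up months."""
        return sum(self.monthly_cost(m) for m in range(1, 13))


if __name__ == "__main__":
    m = RetentionModel()
    for month in (1, 3, 4, 6, 9, 12, 13, 14):
        print(f"month {month:2d}: ~${m.monthly_cost(month):,.0f}")
    print(f"plateau volume: {m.steady_state_gb():,.0f} GB "
          f"-> ~${m.steady_state_monthly_cost():,.0f}/month")
    print(f"first-year total: ~${m.first_year_cost():,.0f} "
          f"(vs ${12 * m.steady_state_monthly_cost():,.0f} if the plateau "
          f"were charged from month 1)")
```

Under these assumptions the charged volume is zero for the first three months, climbs by 500 GB a day from day 91, and plateaus at 275 days' worth (137,500 GB) from day 365 onward, so the first year's total is far below twelve times the plateau month. If a calculator shows the plateau charge in every month of year one, it is showing the steady-state figure rather than this ramp; which one the Azure calculator shows is not something this model can tell you, so check its assumptions on the pricing page linked above.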
May 20 2022 08:44 AM - edited May 20 2022 08:44 AM
Good article here on Basic vs Analytic and when to use a custom solution to save $$ by storing in blob storage for your non-analytic logs.
E.g. if you're ingesting TB/day and you need retention for 4+ years, then there can be some big cost savings.
https://medium.com/wortell/use-sentinel-basic-and-archive-logs-fae3bb3a6299