Tags: azure, azure-eventhub, azure-log-analytics, azure-sentinel

Routing Azure Resource Logs to Multiple Log Analytics Workspaces


We are building out logging within Azure and have multiple user groups who need access to the logging. Some of the logs are needed by multiple user groups, but not all users should have access to all logging. In the end, we are thinking we want a Log Analytics workspace for each user group (some with Azure Sentinel on top of the workspace) that would house the logs they need.

Was hoping we could send all logs to something like an event hub and then route the logs from there to the different log analytics workspaces, for example:

  • Log Source A sent to event hub and sent to log analytics A
  • Log Source B sent to event hub and sent to log analytics B
  • Log Source C sent to event hub and sent to log analytics A

This would give:

  • User Group A has access to log analytics A (Log Source A and Log Source C)
  • User Group B has access to log analytics B (Log Source A and Log Source B)

Reading online, I am not finding any out-of-the-box integration from an event hub to Log Analytics; the closest I could find is putting something like Logstash between the event hub and Log Analytics.

Any suggestions on how we can most efficiently architect our logging environment to get our logs to the user groups who need them?

Appreciate the insight!

T-R


Solution

  • AFAIK we can manage access to log data and workspaces in Azure Monitor. For more information, refer to this and this Azure document in full.

    This would help you to achieve:

    • User Group A having access to Log Source A and Log Source C could see logs from Log Source A and Log Source C in Log Analytics workspace A
    • User Group B having access to Log Source A and Log Source B could see logs from Log Source A and Log Source B in Log Analytics workspace A

    So in this way we could avoid using multiple Log Analytics workspaces and an event hub, and also make sure that all users do not have access to all logging.
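To make the answer concrete, here is an added example (not code from the question or the answer) of what "manage access to log data" looks like in practice: one shared workspace holding Log Source A, B and C, with a custom RBAC role per user group that grants query rights on only that group's tables. The action strings follow the per-table `Microsoft.OperationalInsights/workspaces/query/<Table>/read` form used by the Azure table-level access method; the workspace resource ID is a placeholder and the table names and group names are constructed sample values. The `readable_tables` helper is the audit side: given a role definition as returned by the Azure CLI or portal, it lists which tables the role exposes and flags wildcard actions that silently grant every table.

```python
"""Build and audit table-scoped Log Analytics read roles (added example)."""
import json
from fnmatch import fnmatchcase
import re

# Placeholder workspace resource ID; substitute the real one when assigning.
WORKSPACE_ID = ("/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/"
                "Microsoft.OperationalInsights/workspaces/<workspace-name>")

PREFIX = "Microsoft.OperationalInsights/workspaces"
# Matches exactly one table-level read action and captures the table name.
TABLE_READ = re.compile(rf"^{re.escape(PREFIX)}/query/([^/*]+)/read$")
# A probe used to detect wildcard actions that cover an arbitrary table.
ANY_TABLE_PROBE = f"{PREFIX}/query/AnyTable/read"


def table_read_role(name, workspace_id, tables):
    """Custom role definition: may run queries, but reads only the listed tables.

    workspaces/read lets the principal see the workspace, query/read lets it run
    queries, and one query/<Table>/read action per table limits what those
    queries can return. Assignable only at the given workspace.
    """
    tables = sorted(set(tables))
    actions = [f"{PREFIX}/read", f"{PREFIX}/query/read"]
    actions += [f"{PREFIX}/query/{t}/read" for t in tables]
    return {
        "Name": name,
        "IsCustom": True,
        "Description": f"Read-only access to Log Analytics tables: {', '.join(tables)}",
        "Actions": actions,
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": [workspace_id],
    }


def readable_tables(role):
    """Audit helper: return the set of tables a role definition can read.

    Explicit table actions contribute their table name; any action whose
    wildcard also matches an arbitrary table read contributes '*', meaning the
    role is not table-scoped at all (e.g. '*/read' or '.../query/*/read').
    """
    exposed = set()
    for action in role.get("Actions", []):
        m = TABLE_READ.match(action)
        if m:
            exposed.add(m.group(1))
        elif "*" in action and fnmatchcase(ANY_TABLE_PROBE, action):
            exposed.add("*")
    return exposed


def is_table_scoped(role):
    """True when the role names specific tables and carries no table wildcard."""
    exposed = readable_tables(role)
    return bool(exposed) and "*" not in exposed


if __name__ == "__main__":
    # Constructed sample: Log Source A is shared, B and C are group-specific.
    group_a = table_read_role("LA Reader - Group A", WORKSPACE_ID,
                              {"LogSourceA_CL", "LogSourceC_CL"})
    group_b = table_read_role("LA Reader - Group B", WORKSPACE_ID,
                              {"LogSourceA_CL", "LogSourceB_CL"})
    for role in (group_a, group_b):
        print(json.dumps(role, indent=2))
        print("tables:", sorted(readable_tables(role)), "scoped:", is_table_scoped(role))
    # A broad role as it might appear in an existing subscription.
    broad = {"Name": "Too broad", "Actions": ["*/read"]}
    print("tables:", readable_tables(broad), "scoped:", is_table_scoped(broad))
```

Each role definition can be saved to a file and created with `az role definition create --role-definition <file>`, then assigned to the group's Azure AD object at the workspace scope. Running `readable_tables` over the output of `az role definition list --custom-role-only true` is a quick way to spot roles that were meant to be table-scoped but still carry a wildcard.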