
0 Votes
allenschroers-3313 asked ·

Azure logs from different subscriptions

Our company has 9 Azure subscriptions - can we send logs from all 9 to a single IP address that is a collector inside Azure so it can send them to our on premise SIEM solution?

azure-ad-audit-logs

1 Answer

0 Votes
JamesWestalll answered ·

Hey @allenschroers-3313

You can most definitely ship logs to a remote location, provided you have access to the relevant configuration areas & your SIEM supports shipping. The following links should provide some context.

Azure AD activity logs in Azure Monitor
Create diagnostic settings to send platform logs and metrics to different destinations

Cheers,

James


If my answer helped your problem, please select mark as answer.



My primary question has to do with not understanding how much separation there is with separate subscriptions; can separate subscriptions communicate with a single IP address in one Azure subscription or is each separate? It's more of an administration question, I know we can stand up log collectors in each of 9 subscriptions, I'm wondering if it's possible to just have 1 log collection IP point and have all 9 send to it.

0 Votes 0 ·
JamesWestalll allenschroers-3313 ·

Hey Mate,

You could definitely do this, provided you apply appropriate network controls. For the purposes of your subscription understanding, it's best to think about subscriptions as a billing and identity boundary and NOT a network boundary. As they sit within a single tenant, resource communication between them is possible.

You have the following options:
- Set up peering between subscription-deployed virtual networks. Your subscription resources could all then forward to a single internal IP.
- Configure a public IP for your forwarder. This would allow you to send logs from anywhere, provided you have network line of sight. Make sure to apply appropriate NSG rules on the service.



0 Votes 0 ·
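A planning check for the peering option described in the comment above, as an added example that is not part of the original thread: it flags virtual networks whose address spaces overlap (peering requires non-overlapping ranges) and builds inbound NSG rules that admit only the log port from each remaining spoke. The VNet names, prefixes, collector IP and port 6514 are constructed assumptions; the rule dictionaries use NSG security-rule property names.

```python
import ipaddress
from itertools import combinations

# Constructed sample inventory; names, prefixes, IP and port are assumptions.
VNETS = {
    "hub-logging": ["10.0.0.0/24"],               # holds the collector
    "sub1-vnet": ["10.1.0.0/16"],
    "sub2-vnet": ["10.2.0.0/16", "10.3.0.0/24"],
    "sub3-vnet": ["10.0.0.128/25"],               # overlaps the hub
}
HUB = "hub-logging"
COLLECTOR_IP = "10.0.0.4"
COLLECTOR_PORT = "6514"  # assumed syslog-over-TLS listener


def overlaps(vnets):
    """Return (vnet_a, vnet_b) pairs whose address spaces overlap."""
    return [
        (a, b)
        for (a, pa), (b, pb) in combinations(vnets.items(), 2)
        if any(ipaddress.ip_network(x).overlaps(ipaddress.ip_network(y))
               for x in pa for y in pb)
    ]


def collector_rules(vnets, hub, ip, port):
    """Build inbound NSG rules: allow the log port per spoke, deny the rest."""
    bad = {name for pair in overlaps(vnets) for name in pair}
    rules, priority = [], 100
    for name, prefixes in vnets.items():
        if name == hub or name in bad:
            continue  # overlapping spokes must be re-addressed before peering
        rules.append({
            "name": f"Allow-Logs-{name}", "priority": priority,
            "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
            "sourceAddressPrefixes": prefixes,
            "destinationAddressPrefix": ip, "destinationPortRange": port,
        })
        priority += 10
    # The default AllowVnetInBound rule admits every peered VNet on all ports,
    # so an explicit deny is needed to limit spokes to the log port.
    rules.append({
        "name": "Deny-Other-VNet-Inbound", "priority": 4096,
        "direction": "Inbound", "access": "Deny", "protocol": "*",
        "sourceAddressPrefix": "VirtualNetwork",
        "destinationAddressPrefix": ip, "destinationPortRange": "*",
    })
    return rules
```

The deny rule also blocks management traffic from peered networks to the collector, so any admin access needs its own lower-numbered allow rule.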

Thanks for the detailed response. One aspect of which option to use pertains to cost and as such I assume the peering between subscriptions option would not incur outbound data charges as perhaps the public IP option might, am I correct in my assertions?

0 Votes 0 ·