In a distributed cloud environment, what you cannot see will eventually break. A networking issue traced to a misconfigured firewall rule that had been dropping traffic for three weeks. A security breach that went undetected because no diagnostic settings were configured on the Key Vault that was accessed. A cost spike caught only when the invoice arrived.
As an organization scales, logs scatter across hundreds of resources. Without a centralized strategy, troubleshooting becomes a manual search across disconnected data sources. This guide implements a single-pane-of-glass observability platform.
By the end of this guide, you will:
- Implement a Management subscription as the telemetry hub.
- Deploy a production Log Analytics Workspace (LAW) with optimized retention tiers.
- Automate log collection using `DeployIfNotExists` (DINE) Azure Policy.
- Reduce ingestion costs using Data Collection Rules (DCR).
- Build interactive dashboards with Azure Monitor Workbooks.
This is Post 6 in the Azure Platform Engineering series.
Centralized Logging Architecture
```mermaid
graph TD
    subgraph Platform_Mgmt [Management Subscription]
        LAW[Central Log Analytics Workspace]
        Sentinel[Microsoft Sentinel SIEM]
        Workbooks[Azure Monitor Workbooks]
        Sentinel --- LAW
        Workbooks --- LAW
    end
    subgraph Spoke_A [Spoke Subscription A]
        VM_A[VMs] -- Diag Settings --> LAW
        SQL_A[SQL DB] -- Diag Settings --> LAW
    end
    subgraph Spoke_B [Spoke Subscription B]
        KV_B[Key Vault] -- Diag Settings --> LAW
        VNet_B[VNet Flow Logs] -- Diag Settings --> LAW
    end
    subgraph Connectivity [Connectivity Subscription]
        FW[Azure Firewall] -- Diag Settings --> LAW
    end
    style LAW fill:#e3f2fd,stroke:#1565c0,stroke-width:4px
    style Sentinel fill:#fff9c4,stroke:#fbc02d
    style Platform_Mgmt fill:#f5f5f5,stroke:#9e9e9e
```
Notes:
- Diagnostic Settings are the mechanism used to ship logs from resources to the central workspace.
- The Management Subscription acts as the telemetry hub for the entire landing zone.
- Centralization allows for cross-resource correlation and simplified compliance reporting.
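The diagram's "Diag Settings" edges are ordinary diagnostic settings. The following Terraform is an added illustration, not part of the original post, of one such edge: a Key Vault shipping its audit log to the central workspace. It assumes an existing `azurerm_key_vault.spoke_b` resource and a `module.log_analytics_workspace` exposing the AVM-standard `resource_id` output; both names are hypothetical.

```hcl
# Added example: route Key Vault audit events from a spoke subscription
# to the central workspace in the Management subscription.
# Assumes azurerm_key_vault.spoke_b and module.log_analytics_workspace exist.
resource "azurerm_monitor_diagnostic_setting" "kv_to_central_law" {
  name                       = "diag-kv-central-law"
  target_resource_id         = azurerm_key_vault.spoke_b.id
  log_analytics_workspace_id = module.log_analytics_workspace.resource_id

  # AuditEvent is the category that records every secret/key/certificate
  # operation and its caller; it is the log an investigation relies on.
  enabled_log {
    category = "AuditEvent"
  }

  # Request-rate and latency metrics make a sudden spike in vault access
  # visible on the platform health workbook.
  metric {
    category = "AllMetrics"
  }
}
```

Because the target resource and the workspace live in different subscriptions, the identity running `terraform apply` needs rights on both; the policy-driven approach later in this post removes the need to author one of these blocks per resource.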
The Management Subscription Hub
Centralizing telemetry in the Management subscription provides:
- Cross-subscription Querying: Correlate events from Firewall, Key Vault, and VMs in a single KQL query.
- Simplified Compliance: Manage retention policies (e.g., PCI-DSS 12-month requirements) in one place.
- RBAC Isolation: Grant SOC teams access to the platform logs without exposing workload-specific application data.
Log Analytics Table Plans (2026)
Azure Monitor now uses a table-plan-based model to optimize costs:
| Plan | Price (est.) | Best For |
|---|---|---|
| Analytics | $2.30/GB | Security logs, audit events, firewall rules (Full KQL). |
| Basic | $0.50/GB | Verbose application traces and debug logs. |
| Auxiliary | $0.05/GB | Long-term archiving (Search jobs only). |
Pro Tip: Set a daily ingestion cap (minimum 0.01 GB) and an alert at 80% of that cap to prevent runaway costs from misconfigured resources.
Deploying the Stack with Terraform AVM
main.tf
```hcl
module "log_analytics_workspace" {
  source  = "Azure/avm-res-operationalinsights-workspace/azurerm"
  version = "0.5.1"

  name                = "law-platform-central-001"
  location            = var.location
  resource_group_name = var.resource_group_name

  # The AVM module prefixes workspace settings with log_analytics_workspace_
  log_analytics_workspace_retention_in_days = 90
  log_analytics_workspace_daily_quota_gb    = 50
  log_analytics_workspace_sku               = "PerGB2018" # Analytics tier
}

# DCR to filter expensive east-west firewall traffic
resource "azurerm_monitor_data_collection_rule" "firewall" {
  name                = "dcr-firewall-filtered"
  location            = var.location
  resource_group_name = var.resource_group_name

  # The destination referenced by name in data_flow below
  destinations {
    log_analytics {
      name                  = "platform-law"
      workspace_resource_id = module.log_analytics_workspace.resource_id
    }
  }

  data_flow {
    streams      = ["Microsoft-CommonSecurityLog"]
    destinations = ["platform-law"]
    # Drop internal-to-internal allows; keep internet egress and all denials
    transform_kql = "source | where not(DeviceAction == 'Allow' and SourceIP matches regex @'^10\\.' and DestinationIP matches regex @'^10\\.')"
  }
}
```
Note: Starting in late 2025, Microsoft introduced transformation charges for data filtered over 50%. Verify current regional thresholds on the Azure Monitor pricing page.
Automating Collection via Azure Policy
Manual configuration does not scale. Use a DeployIfNotExists (DINE) policy initiative at the Landing Zones management group to ensure every new resource automatically forwards logs to your central LAW.
Critical Step: Grant the policy assignment’s managed identity the Log Analytics Contributor role at the management group scope. Without this, remediation tasks will fail.
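The assignment and the role grant the "Critical Step" above describes, as added example Terraform that is not part of the original post. The initiative id, the management group id and the `logAnalytics` parameter name are placeholders: substitute the built-in diagnostic-settings initiative your tenant uses and the parameter name it declares.

```hcl
# Added example: DINE initiative assignment at the Landing Zones management
# group, plus the role its managed identity needs to run remediation tasks.
# Placeholder: id of the built-in "deploy diagnostic settings" initiative.
variable "diag_initiative_id" {
  type = string
}

locals {
  # Placeholder management group id for the Landing Zones scope
  landing_zones_mg_id = "/providers/Microsoft.Management/managementGroups/landingzones"
}

resource "azurerm_management_group_policy_assignment" "diag_to_law" {
  name                 = "deploy-diag-to-law"
  display_name         = "Forward resource logs to the central LAW"
  management_group_id  = local.landing_zones_mg_id
  policy_definition_id = var.diag_initiative_id
  # location is mandatory once the assignment carries an identity
  location = var.location

  # DINE needs an identity to create the diagnostic settings on remediation
  identity {
    type = "SystemAssigned"
  }

  # Parameter name assumed; check the initiative's declared parameters
  parameters = jsonencode({
    logAnalytics = { value = module.log_analytics_workspace.resource_id }
  })
}

# Without this grant, remediation tasks fail with an authorization error
resource "azurerm_role_assignment" "policy_identity_law_contributor" {
  scope                = local.landing_zones_mg_id
  role_definition_name = "Log Analytics Contributor"
  principal_id         = azurerm_management_group_policy_assignment.diag_to_law.identity[0].principal_id
}
```

DINE evaluates on resource create and update, so resources that already existed before the assignment only get their diagnostic settings when a remediation task is run; that task runs as the identity above, which is why the role grant has to be in place first.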
Visualizing Platform Health
Use Azure Monitor Workbooks to turn raw data into insights.
RBAC Change Detection (KQL):
```kusto
AzureActivity
| where TimeGenerated > ago(24h)
| where OperationNameValue == "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE"
| where ActivityStatusValue == "Success"
| extend
    // Pro Tip: In modern workspaces, use 'Properties_d' directly if available
    AssignedRole = tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties.roleDefinitionId),
    AssignedTo = tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties.principalId),
    CallerIP = CallerIpAddress
| project TimeGenerated, Caller, AssignedRole, AssignedTo, CallerIP
```
Best Practices
- Analytics for Security: Never put security logs (Firewall, Key Vault, Activity Log) in the Basic tier. Basic logs do not support the `join` operator, which is required for incident investigation.
- Filter at Ingestion: Use DCR transforms to drop noisy `AZFWFlowTrace` or internal `Allow` logs before they reach the workspace.
- Commitment Tiers: If you ingest more than 100 GB/day, switch to a commitment tier to save ~15%.
Troubleshooting
"Logs are missing after remediation": Verify the managed identity permissions. Run:

```shell
az role assignment list --assignee <policy-identity-id> --scope <mg-id>
```

"KQL Error: join operation requires analytics logs": You are trying to join a table in the Basic plan. Move the table to Analytics if full KQL capability is required.
Next, move to Post 7: Security Baseline. Sentinel and Defender for Cloud will use the workspace deployed here to provide centralized threat detection.
