How to backup Log Analytics Workspace logs to a blob?

Question

How to backup Log Analytics Workspace logs to a blob?

Gregorio Montaño 251

Hi,

How do I create an automatic backup of my Log Analytics Workspace Logs (by DataType/Table with some tables reaching 1TB) every X months?

And, if you can also share how to restore them (to a different workspace) for analysis later?

Thanks!

SwathiDhanwada-MSFT 18,996 Reputation points Moderator

2023-02-24T06:23:46.3866667+00:00

@Gregorio Montaño Did you get chance to look into comment made by community member? Kindly revert if you have further questions.
SwathiDhanwada-MSFT 18,996 Reputation points Moderator

2023-02-27T06:11:17.8266667+00:00

@Gregorio Montaño Hope the information provided is useful. Let me know if you have further questions.

2 answers

Your answer

SwathiDhanwada-MSFT 18,996 Reputation points Moderator

2023-02-24T06:23:46.3866667+00:00

@Gregorio Montaño Did you get chance to look into comment made by community member? Kindly revert if you have further questions.
SwathiDhanwada-MSFT 18,996 Reputation points Moderator

2023-02-27T06:11:17.8266667+00:00

@Gregorio Montaño Hope the information provided is useful. Let me know if you have further questions.

Answer 1

Luke Murray 11,436 MVP Volunteer Moderator

Hi, Gregorio

Depending on your use cases, you could configure the logs to be exported to an Azure Storage account and then when needed use Azure Data Factory to export them into Azure Data Explorer for analysis.

This article here is a great reference point: Integrate Azure Data Explorer for long-term log retention

It talks to Sentinel, but the concept is the same, keep only the most recent and relevant data that will be queried in Log Analytics, everything else gets archived.

Store data in Azure Data Explorer and Microsoft Sentinel in parallel.

Gregorio Montaño 251 Reputation points

2023-02-28T02:22:28.0233333+00:00

Thanks Luke for your reply and sharing links.
The link you have shared was not clear on the export part and from Log Analytics Workspace "Data Export", it did mention that the rule is for

Export data continuously from tables in your Log Analytics workspace to an Azure storage account or Event Hub.
Indeed, this solution will work as getting the data flow (e.g. table1) to the storage account and archive after X months.

Cheers,
Luke Murray 11,436 Reputation points MVP Volunteer Moderator

2023-02-28T03:15:36.7333333+00:00

Then you should be able to use Data Factory to pull it out when required to review.

Answer 2

SwathiDhanwada-MSFT 18,996 Moderator

@Gregorio Montaño You can use Logic Apps to export data from Log analytics workspace to storage account. You will have option to set the recurrence on how frequently the export should be done. For more information on how to do this, refer this article.

It's suggested that you can directly send your logs to storage account instead of storing them in log analytics workspace and then sending it to storage account. As this approach has lower latency compared to data export in Log Analytics. Also, you can query the data stored in storage account using Azure Data Explorer. Refer this for more information.

Gregorio Montaño 251 Reputation points

2023-02-28T02:00:33.2166667+00:00

Thanks Swathi for your reply and sharing information.

There are limitations that I saw at https://learn.microsoft.com/en-us/azure/azure-monitor/service-limits#log-analytics-workspaces like limit on records queried of 50k or size of data returned to 100MiB.

Regards,

Share via

How to backup Log Analytics Workspace logs to a blob?

2 answers

Your answer