You can route Azure Active Directory (Azure AD) activity logs to several endpoints for long term retention and data insights. This feature allows you to:
27
27
28
28
* Archive Azure AD activity logs to an Azure storage account, to retain the data for a long time.
29
-
* Stream Azure AD activity logs to an Azure event hub for analytics, using popular Security Information and Event Management (SIEM) tools, such as Splunk, QRadar, and Azure Sentinel.
30
-
* Integrate Azure AD activity logs with your own custom log solutions by streaming them to an event hub.
29
+
* Stream Azure AD activity logs to an Azure Event Hub for analytics, using popular Security Information and Event Management (SIEM) tools, such as Splunk, QRadar, and Azure Sentinel.
30
+
* Integrate Azure AD activity logs with your own custom log solutions by streaming them to an Event Hub.
31
31
* Send Azure AD activity logs to Azure Monitor logs to enable rich visualizations, monitoring and alerting on the connected data.
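Review bot: On new lines 29 and 30, "an Azure Event Hub" and "an Event Hub" capitalise a term the sentence uses as a common noun for a resource you create, while "an Azure storage account" on line 28 stays lowercase. Either keep "event hub" lowercase for the instance, or, if the product name is meant, use the form the page already uses in its "Event Hubs pricing calculator" link. As written, the bullet list mixes both conventions.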
@@ -36,7 +36,7 @@ You can route Azure Active Directory (Azure AD) activity logs to several endpoin
36
36
37
37
## Supported reports
38
38
39
-
You can route Azure AD audit logs and sign-in logs to your Azure storage account, event hub, Azure Monitor logs or custom solution by using this feature.
39
+
You can route Azure AD audit logs and sign-in logs to your Azure storage account, Event Hub, Azure Monitor logs or custom solution by using this feature.
40
40
41
41
***Audit logs**: The [audit logs activity report](concept-audit-logs.md) gives you access to information about changes applied to your tenant, such as users and group management, or updates applied to your tenant’s resources.
42
42
***Sign-in logs**: With the [sign-in activity report](concept-sign-ins.md), you can determine who performed the tasks that are reported in the audit logs.
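Review bot: New line 39 writes "Event Hub" without the "Azure" qualifier, between "Azure storage account" and "Azure Monitor logs", whereas new line 29 writes "an Azure Event Hub". Pick one form for this destination and use it in both places so the list of destinations reads consistently.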
@@ -63,7 +63,7 @@ Depending on where you want to route the audit log data, you need either of the
63
63
64
64
## Cost considerations
65
65
66
-
If you already have an Azure AD license, you need an Azure subscription to set up the storage account and event hub. The Azure subscription comes at no cost, but you have to pay to utilize Azure resources, including the storage account that you use for archival and the event hub that you use for streaming. The amount of data and, thus, the cost incurred, can vary significantly depending on the tenant size.
66
+
If you already have an Azure AD license, you need an Azure subscription to set up the storage account and Event Hub. The Azure subscription comes at no cost, but you have to pay to utilize Azure resources, including the storage account that you use for archival and the Event Hub that you use for streaming. The amount of data and, thus, the cost incurred, can vary significantly depending on the tenant size.
67
67
68
68
### Storage size for activity logs
69
69
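Review bot: New line 66 keeps "to set up the storage account and Event Hub", which reads as if both resources are always required, while the list at the top of the page presents archiving to a storage account and streaming to an event hub as separate destinations. Since the line is being edited anyway, consider "the storage account or the event hub", and style the two nouns the same way in the parallel clause "the storage account that you use for archival and the Event Hub that you use for streaming".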
@@ -89,13 +89,13 @@ The following table contains a cost estimate of, depending on the size of the te
89
89
90
90
91
91
92
-
### Event hub messages for activity logs
92
+
### Event Hub messages for activity logs
93
93
94
-
Events are batched into approximately five-minute intervals and sent as a single message that contains all the events within that timeframe. A message in the event hub has a maximum size of 256 KB, and if the total size of all the messages within the timeframe exceeds that volume, multiple messages are sent.
94
+
Events are batched into approximately five-minute intervals and sent as a single message that contains all the events within that timeframe. A message in the Event Hub has a maximum size of 256 KB, and if the total size of all the messages within the timeframe exceeds that volume, multiple messages are sent.
95
95
96
-
For example, about 18 events per second ordinarily occur for a large tenant of more than 100,000 users, a rate that equates to 5,400 events every five minutes. Because audit logs are about 2 KB per event, this equates to 10.8 MB of data. Therefore, 43 messages are sent to the event hub in that five-minute interval.
96
+
For example, about 18 events per second ordinarily occur for a large tenant of more than 100,000 users, a rate that equates to 5,400 events every five minutes. Because audit logs are about 2 KB per event, this equates to 10.8 MB of data. Therefore, 43 messages are sent to the Event Hub in that five-minute interval.
97
97
98
-
The following table contains estimated costs per month for a basic event hub in West US, depending on the volume of event data which can vary from tenant to tenant as per many factors like user sign-in behaviour etc. To calculate an accurate estimate of the data volume that you anticipate for your application, use the [Event Hubs pricing calculator](https://azure.microsoft.com/pricing/details/event-hubs/).
98
+
The following table contains estimated costs per month for a basic Event Hub in West US, depending on the volume of event data which can vary from tenant to tenant as per many factors like user sign-in behavior etc. To calculate an accurate estimate of the data volume that you anticipate for your application, use the [Event Hubs pricing calculator](https://azure.microsoft.com/pricing/details/event-hubs/).
99
99
100
100
| Log category | Number of users | Events per second | Events per five-minute interval | Volume per interval | Messages per interval | Messages per month | Cost per month (est.) |
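Review bot: New line 94 still says "if the total size of all the messages within the timeframe exceeds that volume", but the 256 KB limit applies to one message, so the quantity being compared should be the events in the interval; fix that wording while the line is being touched. New line 98 also carries a spelling change ("behaviour" to "behavior") that is separate from the capitalisation change and should be mentioned in the commit message, and it keeps "as per many factors like user sign-in behavior etc.", which would read better as "depending on factors such as user sign-in behavior". On the same line, "a basic Event Hub" now has the tier in lowercase next to a capitalised resource name.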