At scale, Azure Log Analytics isn’t just about enabling diagnostics; it becomes a full-fledged data engineering challenge. Logs from PaaS, IaaS, and security tools converge into a shared workspace, bringing together diverse data types such as metrics, traces, and logs. Each of these sources may have different retention requirements, and the ingestion patterns are often volatile, with sudden bursts such as high-volume network traffic logs. On top of that, maintaining tight query SLAs is critical, especially for dashboards and security operations center (SOC) investigations, where timely insights are non-negotiable.
The table below is a forecast of a typical customer's average starting point:
Source | Ingestion (avg/day) | Notes |
---|---|---|
Azure Firewall | 8–10 GB | High-velocity; verbose |
App Gateway (WAF) | 3–5 GB | Contains sensitive POSTs |
Defender for Cloud | ~0.5 GB | Mostly alerts |
100 VMs (Perf + Sys) | ~30 GB | Depends on Windows/Linux split |
Sentinel Data Connectors | 5–15 GB | Depends on custom rules, data normalization |
Mathematical calculations
Estimated Daily Ingestion (GB) = Σ (Log Volume per Source × Number of Instances)
- 100 VMs × 0.3 GB = 30 GB
- 2 Firewalls × 10 GB = 20 GB
- Defender + Sentinel = ~25 GB
- Total per day: ~75 GB/day
- Total per month: 30 × 75 = 2,250 GB
The default retention is usually 3 months for security-related alerts and 7–30 days for performance-related alerts.
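A small sizing model, added here as an example and not part of the original article, that carries the formula above through with the worked numbers and extends it to steady-state retained volume and a burst day. The per-source retention tiers and the 3× firewall burst factor are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LogSource:
    name: str
    gb_per_instance_per_day: float
    instances: int
    retention_days: int  # assumed retention tier for this source

    @property
    def daily_gb(self) -> float:
        return self.gb_per_instance_per_day * self.instances


# Constructed from the worked example in the text: 100 VMs at 0.3 GB each,
# 2 firewalls at 10 GB each, Defender + Sentinel treated as one ~25 GB source.
# Retention tiers (30 days performance, 90 days security) are assumptions.
SOURCES = [
    LogSource("100 VMs (Perf + Sys)", 0.3, 100, 30),
    LogSource("Azure Firewall", 10.0, 2, 90),
    LogSource("Defender + Sentinel", 25.0, 1, 90),
]


def estimated_daily_gb(sources):
    # Σ (log volume per source × number of instances)
    return sum(s.daily_gb for s in sources)


def estimated_monthly_gb(sources, days_per_month=30):
    return estimated_daily_gb(sources) * days_per_month


def retained_gb_by_source(sources):
    # Steady-state data held once every source has filled its retention window
    return {s.name: s.daily_gb * s.retention_days for s in sources}


def retained_gb_total(sources):
    return sum(retained_gb_by_source(sources).values())


def peak_daily_gb(sources, burst_multipliers):
    # Worst-case day: named sources spike by the given factor (e.g. a firewall
    # under heavy traffic); everything else stays at its daily average.
    return sum(s.daily_gb * burst_multipliers.get(s.name, 1.0) for s in sources)


if __name__ == "__main__":
    print(f"daily   : {estimated_daily_gb(SOURCES):.1f} GB")
    print(f"monthly : {estimated_monthly_gb(SOURCES):.0f} GB")
    print(f"retained: {retained_gb_total(SOURCES):.0f} GB at steady state")
    print(f"peak day: {peak_daily_gb(SOURCES, {'Azure Firewall': 3.0}):.1f} GB")
```

Once data is flowing, compare the forecast against the workspace's actual billable volume from the `Usage` table so the model can be re-baselined.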