Executive Summary
Recently I needed to move Microsoft Sentinel and the underlying Log Analytics workspace to a new subscription. That will be detailed in another blog post. Part of that move is setting up the log retention on the tables in the Log Analytics workspace. I went to see if Microsoft has a script to set it for all tables in the workspace, but I did not see one. With the help of OpenAI, I came up with the script below.
Script
The script below is run with the Azure CLI in bash. You will need your Azure subscription, resource group and Log Analytics workspace to complete this script.
Variables
Enter your Azure subscription, resource group and Log Analytics workspace here, along with the retention values you want applied to every table.
subscription=XXXX # Replace with your Azure subscription ID
resourceGroup=RG-Changeme # Replace with your resource group name
workspaceName=LA-Changeme # Replace with your Log Analytics workspace name
retentionTime=90 # Retention in days
totalRetentionTime=458 # Total retention in days
Set the Azure subscription context
Set the Azure subscription here.
az account set --subscription "$subscription"
Get all tables in the Log Analytics workspace
This variable holds the names of all tables in the Log Analytics workspace, one per line.
# List every table name in the workspace as plain text
tables=$(az monitor log-analytics workspace table list \
    --resource-group "$resourceGroup" \
    --workspace-name "$workspaceName" \
    --query "[].name" \
    --output tsv)
Loop through each table and update retention settings
This loops over all of the tables and sets the primary retention and the total retention (primary plus archive) on each one.
for table in $tables
do
    echo "Updating retention settings for table: $table"
    az monitor log-analytics workspace table update \
        --subscription "$subscription" \
        --resource-group "$resourceGroup" \
        --workspace-name "$workspaceName" \
        --name "$table" \
        --retention-time "$retentionTime" \
        --total-retention-time "$totalRetentionTime"
    # Report the result of the update for this table
    if [ $? -eq 0 ]; then
        echo "Successfully updated retention settings for table $table"
    else
        echo "Failed to update retention settings for table $table"
    fi
done
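The loop above only echoes a failure as it scrolls past, so a table that rejected the update keeps its old retention without anyone noticing. The following added example (not part of the original script) reads the settings back and lists every table that does not match the intended values. It assumes the CLI's table list output exposes retentionInDays and totalRetentionInDays; the function names and the rows in sample_rows are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit table retention after the update loop has run.

# Emit "name<TAB>retentionInDays<TAB>totalRetentionInDays" for every table.
# Assumption: the CLI output carries these two property names.
fetch_retention() {
    az monitor log-analytics workspace table list \
        --resource-group "$resourceGroup" \
        --workspace-name "$workspaceName" \
        --query "[].[name, retentionInDays, totalRetentionInDays]" \
        --output tsv
}

# Read the TSV on stdin and print one DRIFT line per table whose values
# differ from the expected ones ($1 = retention, $2 = total retention).
# Exit status is 1 if any table drifted, 0 otherwise. The body runs in a
# subshell so its variables do not leak into the caller.
audit_retention() (
    want_ret=$1
    want_total=$2
    drift=0
    tab=$(printf '\t')
    while IFS="$tab" read -r name ret total; do
        [ -z "$name" ] && continue
        if [ "$ret" != "$want_ret" ] || [ "$total" != "$want_total" ]; then
            printf 'DRIFT %s retention=%s total=%s\n' \
                "$name" "${ret:-unset}" "${total:-unset}"
            drift=1
        fi
    done
    exit "$drift"
)

# Constructed sample rows (not real workspace output) for an offline check.
sample_rows() {
    printf 'SecurityEvent\t90\t458\n'
    printf 'Syslog\t30\t30\n'
    printf 'AzureActivity\t90\t90\n'
}

# Usage against a live workspace, after the update loop:
#   fetch_retention | audit_retention "$retentionTime" "$totalRetentionTime"
```

A non-zero exit status makes the check usable as a gate in a deployment pipeline, so a workspace is not signed off while any table still holds less history than intended.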
Final Thoughts
I hope this helps if you are looking to set up the retention settings on your Microsoft Sentinel and Log Analytics workspace tables. You can also find the script located here in my GitHub repository.