Centralised Log Analytics Agent management and consistent terminology
As is often the case with MS, there are too many ways of doing the same thing and they often clash.
Log Analytics Agent deployment is one of them.
As far as I can tell, you can deploy LAA in about five different ways: Extension, Manually, DSC, Security Center and Policy.
If I deploy via security center I can choose what level of Windows security logs I want importing.
There are then separate Data Collection settings within the workspace itself where I can specify the Windows Logs to import EXCEPT the security ones as it says the security log is not supported.
Whichever way I do this all the logs end up in the same place. It's not as though what I specify via Security Center can go to a different workspace to what I specify in LAW.
What I'm after is a single place within the portal that is used for deploying the agent, connecting a VM to LAW, supporting multi-homing and specifying which logs/metrics go to which workspace.
The main thing here would be sending all security logs to a dedicated workspace and everything else to a more general workspace.
The current method(s) are confusing and contradictory.
On a related note, please go through all the documentation/portal and use consistent terminology. The Security centre still refers to MMA, the extension is called MMA and it's still used in various documentation.
Thank you for your feedback. Your feedback is now open for the user community to upvote & comment on. This allows our document authoring team and also our product team to effectively prioritize your request against our existing feature backlog and also gives us insight into the potential impact of implementing the suggested feature.