
Organizations adopting Microsoft Sentinel have reported a 93% reduction in time required to configure and deploy new connections, with the time saved in configuration alone valued at $618,000. These gains highlight Sentinel’s flexibility and scalability. However, Sentinel’s consumption-based licensing model introduces a critical challenge: as more systems and data sources are onboarded, costs can grow rapidly, often resulting in unexpected invoice increases.
While elastic pricing offers clear benefits, it also requires careful planning to avoid cost overruns as Sentinel usage expands across the organization.
What is Sentinel?
Microsoft Sentinel is a cloud-native SIEM designed for modern security operations centers (SOCs). It processes multiple types of security-relevant data, including:
- Raw, unprocessed data used for threat detection and hunting
- Security conclusions such as alerts and incidents, which support correlation and improve alert visibility
- Reference data that provides context for investigations
- Threat intelligence covering both historical and emerging threats
When combined with Microsoft Defender XDR, Sentinel functions as a unified security operations platform. It aggregates security data across the environment, supports investigation workflows, and facilitates post-incident response. However, Sentinel also assumes that logs are centrally sent to the cloud. Without a deliberate ingestion strategy, this can quickly become expensive.
What is central log management?
Independent central log management platforms unify log collection, processing, and routing into a single system. These platforms operate independently of downstream analytics tools, allowing organizations to route logs to any SIEM or destination without vendor lock-in.
Demand for these solutions is growing. The global log management market is projected to expand at a compound annual growth rate of 11.4% through 2030, driven by factors such as:
- Increasing sophistication of cyberattacks
- Rapid growth in machine-generated log data
Additional trends shaping the space include automated log analysis, real-time anomaly detection, IoT integrations, and immutable blockchain-based logging. While these innovations create opportunities, Microsoft customers must also manage the risk of Sentinel cost escalation.
Many organizations rely on multiple log management tools and deploy several agents across hosts. This often results in siloed data, high-volume log streams, and inconsistent collection. Unstable agents can crash, logs may be lost, and parsing or classifying large semi-structured datasets becomes increasingly difficult.
Sentinel sticker shock: Key factors to consider
Deploying Sentinel across an entire organization without careful planning can be costly. The primary challenge lies in Sentinel’s licensing model, which—like other major cloud SIEMs—charges based on the volume of data ingested. As ingestion volumes grow, costs can escalate rapidly.
The first step in addressing this challenge is understanding Sentinel’s pricing structure and identifying opportunities for optimization.
Understanding SIEM pricing
SIEM platforms are traditionally priced according to the volume of ingested log data. This consumption-based model means operational costs fluctuate with user activity, application behavior, and infrastructure growth. As environments expand, increased ingestion and storage costs may be unavoidable.
Sentinel does provide some free data sources, including:
- Azure Activity Logs
- Microsoft Sentinel Health
- Office 365 audit logs (covering SharePoint, Exchange Admin, and Teams activity)
Security alerts from Microsoft Defender products are themselves free to ingest. The raw logs behind those alerts are billable, including logs from:
- Microsoft Defender XDR
- Defender for Endpoint, Identity, Office 365, and Cloud Apps
- Microsoft Entra ID
- Azure Information Protection
Sentinel also includes a 31-day free trial, limited to 10 GB per day of Log Analytics ingestion. Beyond this threshold, pricing depends on log type and tier. As of January 2025, pricing was as follows:
Analytics logs (high-value security data):
- $5.22 per GB (Pay-As-You-Go)
- $2.36 per GB on the 50,000 GB/day commitment tier, which bills that committed volume (roughly $117,990 per day) whether or not it is fully used
Basic logs (high-volume data queried ad hoc during investigations, with a limited KQL feature set):
- $1.12 per GB, with additional Azure Monitor charges
Auxiliary logs (high-volume, low-fidelity data such as network and firewall logs):
- $0.19 per GB, with additional Azure Monitor charges
Each log type includes different capabilities for querying, alerts, retention, and concurrency. While Pay-As-You-Go pricing provides flexibility, third-party log sources can significantly increase costs, making tier comparisons essential as ingestion volumes rise.
It’s also important to note that Sentinel’s free offerings exclude automation and bring-your-own machine learning. Because Sentinel runs on Azure, deploying related services—such as Azure Logic Apps or Azure Notebooks—can further increase costs.
Strategies for controlling Sentinel costs
When SIEM pricing is tied to ingestion volume, the most effective cost-control strategy is reducing unnecessary data. In practice, this can be achieved through several approaches.
Filter unnecessary logs
Filtering at the source is one of the most effective ways to control ingestion costs. Not all infrastructure, network, or device logs are required for security operations. Azure Stream Analytics enables real-time filtering, allowing organizations to categorize logs and determine which data should be forwarded to Log Analytics.
However, Microsoft cautions that default collection configurations may not suit every environment, and that filtering Windows events before they leave the host limits support for some Sentinel features: any analytics rule or workbook that expects the dropped events will simply see nothing, so review the built-in content that depends on a data source before trimming it.
Limit verbose logging
Verbose logging is often enabled for troubleshooting but may not be required for ongoing security monitoring. Metrics such as CPU usage, memory consumption, task execution, and disk space can generate large volumes of data.
Data Collection Rule (DCR) transformations, written in a restricted subset of KQL, let you drop verbose records, add or compute columns, and mask sensitive fields before the data lands in Log Analytics. Two caveats apply: only part of the KQL language is available inside a transformation, and Azure Monitor charges a data-processing fee for the share of incoming data that a workspace transformation discards above a threshold, so filtering in the DCR is cheaper than ingesting but not as cheap as never sending the data at all.
Reduce unnecessary whitespace
Excess whitespace—such as extra spaces or line breaks—can increase log size and slow processing. Regular expression functions can detect and remove leading or trailing whitespace, reducing ingestion volume.
Customize retention by data type
Log Analytics workspaces often contain multiple table types. While many tables in a Sentinel-enabled workspace retain data for 90 days at no charge, retention can be customized per table. Separating non-security logs into a non-Sentinel workspace also helps, because every GB of analytics data landing in a Sentinel-enabled workspace incurs the Sentinel charge on top of the Log Analytics charge.
For environments ingesting 100 GB or more per day, Azure Monitor offers dedicated clusters. These allow up to 1,000 workspaces to share commitment-tier pricing and support cross-workspace queries (limited to 100 workspaces per query).
Use Azure services for long-term retention
Azure Monitor allows retention adjustments per table. Interactive retention defaults to 30 days for a plain Log Analytics workspace (90 days once Sentinel is enabled, and always 90 days for the Usage and AzureActivity tables), with options to extend interactive retention to two years and total retention up to 12 years.
Azure Data Explorer provides a cost-effective alternative for long-term storage, supporting KQL queries and cross-platform analysis. Logs can also be exported to Azure Storage Accounts or Event Hubs instead of the default Log Analytics workspace.
Balancing cost optimization with security
All cost-reduction measures must be weighed against the loss of visibility and the added cybersecurity risk they bring. Compliance requirements also play a role. Regulations such as HIPAA, which mandates six-year retention for certain records, or PCI DSS, which requires at least twelve months of audit log history with the most recent three months immediately available for analysis, directly influence retention and pricing decisions.
Ingesting data from non-Azure environments can further increase costs, particularly when dealing with high-volume sources.
This is where independent log management platforms can help mitigate risk and cost.
The syslog-ng approach: Reducing complexity and cost
Often described as the “Swiss army knife of log management,” syslog-ng can collect 500,000+ log messages per second, process them in real time, and deliver them to multiple destinations—including Microsoft Sentinel.
Originally designed for the syslog protocol, syslog-ng now supports a wide range of logging standards. It can be deployed as an agent across diverse hosts, collect logs from Windows systems, read logs from text files, and route data to preferred analytics platforms or databases.
Advanced message parsing enables filtering based on extracted fields such as usernames or IP addresses. Enrichment and blocklist filtering further reduce data volume and complexity, helping organizations control Sentinel ingestion costs and lower total cost of ownership.
Syslog-ng ensures reliable log delivery through local disk buffering, client-side failover, and application-layer flow control. In syslog-ng Premium Edition, the Advanced Log Transfer Protocol (ALTP) adds TLS-encrypted, acknowledged transfer, and the LogStore feature provides encrypted, compressed, and timestamped storage suitable for both short- and long-term compliance requirements.
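The following configuration is an added example, not code from the original page or from One Identity. It shows, for a Linux log forwarder sitting between network devices and Sentinel, the cost-control steps described earlier (filtering at the source, dropping verbose chatter, trimming whitespace, masking secrets) done with the syslog-ng features described in this section: field extraction with regexp-parser(), CSV enrichment, a host blocklist, field-based filters, disk buffering, and a full-fidelity local archive for everything that is not forwarded. The asset CSV, blocklist file, scanner address and user, archive path, and the assumption that the Azure Monitor Agent (AMA) for the "Syslog via AMA" connector listens on 127.0.0.1:28330 on this host are all assumptions; check the transport in the drop-in AMA generates under /etc/syslog-ng/conf.d and match it.

```conf
@version: 4.3
@include "scl.conf"

# --- Sources: the forwarder's own logs plus syslog from network devices ---
source s_local { system(); internal(); };
source s_net   { network(ip("0.0.0.0") port(514) transport("udp")); };

# --- Parse: pull the username and client IP out of sshd failures so filters
#     can key on fields rather than substrings (stored as ${.ssh.user}, ${.ssh.ip}) ---
parser p_ssh {
    regexp-parser(
        patterns('Failed password for (invalid user )?(?<user>\S+) from (?<ip>[0-9a-fA-F:.]+)')
        prefix(".ssh.")
    );
};

# --- Enrich: add site/owner from a CSV keyed on hostname (assumed file) ---
# /etc/syslog-ng/assets.csv holds "selector,name,value" lines, e.g.
#   fw-edge-01,site,sg-dc1
# The file must exist or syslog-ng will refuse to start.
parser p_asset {
    add-contextual-data(selector("${HOST}") database("/etc/syslog-ng/assets.csv")
                        prefix(".asset.") default-selector("unknown"));
};

# --- Rewrite: mask secrets that applications echo into log lines, then
#     collapse runs of spaces/tabs and strip trailing whitespace ---
rewrite r_mask {
    subst('(?<=password=|passwd=|token=)\S+', '***', value("MESSAGE") flags("global"));
};
rewrite r_trim {
    subst('[ \t]{2,}', ' ', value("MESSAGE") flags("global"));
    subst('\s+$', '', value("MESSAGE"));
};

# --- Filters: what Sentinel should NOT see ---
# debug/info chatter from daemons that never carry detection value
filter f_noise {
    not (level(debug..info) and program('^(systemd|systemd-logind|dbus-daemon|CRON)$'));
};
# hosts listed in the blocklist (one hostname per line, assumed file) go to the archive only
filter f_blocklist { not in-list("/etc/syslog-ng/sentinel-blocklist.txt", value("HOST")); };
# our own vulnerability scanner's credential checks (constructed IP and account name)
filter f_scanner {
    not (match('^203\.0\.113\.10$' value(".ssh.ip")) and match('^vscan$' value(".ssh.user")));
};
# --- Filter: what Sentinel SHOULD see: auth facilities, warning or worse, privilege use ---
filter f_security {
    facility(auth, authpriv) or level(warning..emerg) or program('^(sudo|sshd|auditd)$');
};

# --- Destinations ---
# Full-fidelity local archive (rotate with logrotate). Not forwarded is not the same as lost.
destination d_archive {
    file("/var/log/archive/${YEAR}${MONTH}${DAY}/${HOST}.log" create-dirs(yes)
         template("${ISODATE} ${HOST} [${.asset.site}] ${MSGHDR}${MESSAGE}\n"));
};
# AMA listener on this host (assumption: 127.0.0.1:28330, TCP). Disable AMA's own
# auto-generated log{} block, otherwise it forwards everything, bypassing these filters.
destination d_sentinel {
    network("127.0.0.1" port(28330) transport("tcp")
            disk-buffer(disk-buf-size(1073741824) reliable(yes) dir("/var/lib/syslog-ng/buf")));
};

# --- Log path: parse and rewrite once, archive everything, forward only the subset ---
log {
    source(s_local); source(s_net);
    parser(p_ssh); parser(p_asset);
    rewrite(r_mask); rewrite(r_trim);
    log { destination(d_archive); };
    log {
        filter(f_noise); filter(f_blocklist); filter(f_scanner); filter(f_security);
        destination(d_sentinel);
    };
};
```

Validate with `syslog-ng --syntax-only -f /etc/syslog-ng/syslog-ng.conf`, then exercise both paths: `logger -p auth.warning 'Failed password for invalid user admin from 198.51.100.7 port 4022 ssh2'` should reach the Syslog table in Sentinel, while `logger -p daemon.info -t CRON 'job done'` should appear only in the local archive. Because the archive destination sits before the filters in its own embedded log statement, a message rejected for Sentinel is still written locally, which is the point: trim what you pay per GB for without trimming what you can investigate.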
Filtering at the source to avoid Sentinel sticker shock
There are many ways to control Sentinel costs, but navigating its pricing model can be complex. Ultimately, organizations only fully understand Sentinel’s cost profile once it’s in production—often too late for effective budget forecasting.
Central log management platforms like syslog-ng provide a proactive approach. By filtering and enriching logs locally and forwarding only security-relevant data to Sentinel, organizations can maintain comprehensive visibility while avoiding unnecessary ingestion costs.
The result is unified, enterprise-grade log management across the entire environment—without the sticker shock.
Prices are all in USD.
About DT Asia
DT Asia began in 2007 with a clear mission to build the market entry for various pioneering IT security solutions from the US, Europe and Israel.
Today, DT Asia is a regional, value-added distributor of cybersecurity solutions providing cutting-edge technologies to key government organisations and top private sector clients including global banks and Fortune 500 companies. We have offices and partners around the Asia Pacific to better understand the markets and deliver localised solutions.
How we help
If you need to know more about reducing Sentinel costs with syslog-ng, you're in the right place. DT Asia is One Identity's distributor in Singapore and across Asia. Our technicians have deep experience with the product and related technologies, and we provide turnkey solutions for it, including consultation, deployment, and maintenance services.
To learn more: https://dtasiagroup.com/oneidentity/