Microsoft Azure Solutions Architect Expert AZ-305 Practice Question
You are designing the log-routing strategy for Contoso, which operates five Azure subscriptions under a single management group. The security team requires that:
All Azure Activity Logs and resource diagnostic logs must remain searchable in Azure for at least 90 days for troubleshooting.
The same logs must be streamed in near real time to an on-premises SIEM that ingests Syslog over UDP.
The solution must rely only on built-in Azure capabilities and minimize ongoing administration.
Which approach should you recommend?
Create a single Azure Monitor diagnostic setting at the management-group level that routes all Activity and resource diagnostic logs to a centralized Log Analytics workspace (90-day retention) and simultaneously streams them to an Azure Event Hub from which the on-premises SIEM pulls Syslog data.
Configure each subscription to archive Activity and diagnostic logs to an Azure Storage account, then use an hourly Azure Data Factory pipeline to copy the blobs to the on-premises environment for ingestion by the SIEM.
Install Logstash agents on every virtual machine and Azure Arc-enabled resource to forward operating-system logs directly to the on-premises Syslog server; rely on Azure Storage lifecycle policies to keep any required data for 90 days.
Enable Azure Monitor to export Activity and diagnostic logs to an Azure Service Bus queue and configure the SIEM to read messages from the queue while setting the workspace retention to 90 days.
Diagnostic settings in Azure Monitor let you send platform (Activity) and resource diagnostic logs to multiple destinations simultaneously: Log Analytics workspaces, Azure Storage, and Azure Event Hubs. Creating a single diagnostic setting at the management-group scope automatically applies the configuration to all current and future subscriptions, reducing administrative overhead. Sending logs to a central Log Analytics workspace with a 90-day retention period meets the interactive query requirement, while streaming the same data to an Azure Event Hub provides near-real-time delivery that an on-premises SIEM can ingest through an Event Hub-to-Syslog connector or collector. Azure Storage with batch transfers, custom Logstash agents, or exporting to Service Bus either fail to provide real-time streaming, omit platform logs, or are not natively supported targets, so they do not satisfy all requirements.
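To make the dual-destination routing concrete, the following Bicep template is an added example (it is not from the page or from Microsoft's own samples). It builds the two destinations the recommended design relies on, a Log Analytics workspace with 90-day retention and an Event Hub for the SIEM connector, and attaches a single diagnostic setting to an existing resource that fans its logs out to both at once. All resource names, the resource-group scope, the choice of a Key Vault as the monitored resource, and the authorization-rule names are assumptions for the example.

```bicep
// Added example (not the page's or Microsoft's code): one diagnostic setting, two destinations.
// Deployed at resource-group scope; every name below is an assumed placeholder.
param location string = resourceGroup().location
param workspaceName string = 'law-contoso-central'
param eventHubNamespaceName string = 'evhns-contoso-siem'
param eventHubName string = 'azure-diagnostic-logs'

// Existing resource in this resource group whose diagnostic logs are routed (assumed name).
param keyVaultName string = 'kv-contoso-app'

// Central workspace; retentionInDays: 90 keeps the logs searchable in Azure for the required period.
resource law 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
  name: workspaceName
  location: location
  properties: {
    sku: { name: 'PerGB2018' }
    retentionInDays: 90
  }
}

// Event Hub namespace and hub that the on-premises SIEM connector reads from.
resource ehNamespace 'Microsoft.EventHub/namespaces@2022-10-01-preview' = {
  name: eventHubNamespaceName
  location: location
  sku: { name: 'Standard', tier: 'Standard' }
}

resource eventHub 'Microsoft.EventHub/namespaces/eventhubs@2022-10-01-preview' = {
  parent: ehNamespace
  name: eventHubName
  properties: {
    partitionCount: 4
    messageRetentionInDays: 1 // short buffer: the SIEM drains it in near real time
  }
}

// Azure Monitor only needs to write, so it gets a Send-only rule;
// the SIEM gets a separate Listen-only rule scoped to this one hub (least privilege).
resource monitorSendRule 'Microsoft.EventHub/namespaces/authorizationRules@2022-10-01-preview' = {
  parent: ehNamespace
  name: 'azure-monitor-send'
  properties: { rights: [ 'Send' ] }
}

resource siemListenRule 'Microsoft.EventHub/namespaces/eventhubs/authorizationRules@2022-10-01-preview' = {
  parent: eventHub
  name: 'siem-listen'
  properties: { rights: [ 'Listen' ] }
}

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: keyVaultName
}

// The single diagnostic setting: workspaceId for interactive queries,
// eventHubAuthorizationRuleId + eventHubName for the real-time stream.
resource kvDiag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'to-law-and-eventhub'
  scope: kv
  properties: {
    workspaceId: law.id
    eventHubAuthorizationRuleId: monitorSendRule.id
    eventHubName: eventHub.name
    logs: [
      { categoryGroup: 'allLogs', enabled: true }
    ]
    metrics: [
      { category: 'AllMetrics', enabled: true }
    ]
  }
}

// Hand this rule's connection string (never the Send or Manage rule) to the SIEM connector.
output siemListenRuleId string = siemListenRule.id
```

The Activity Log uses the same `properties` block; the difference is that the diagnostic setting is deployed with `targetScope = 'subscription'` (or at management-group scope, as the recommended answer describes) and lists the Activity Log categories (Administrative, Security, ServiceHealth, Alert, Recommendation, Policy, Autoscale, ResourceHealth) instead of `categoryGroup: 'allLogs'`. Keeping the SIEM on a Listen-only rule means a leaked collector credential cannot be used to inject forged events into the hub.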
Microsoft Azure Solutions Architect Expert AZ-305
Design identity, governance, and monitoring solutions