Azure has quietly introduced a third log data tier and most organisations haven't noticed. Auxiliary Logs sit alongside Analytics and Basic Logs in Log Analytics workspaces, priced at roughly £0.12/GB ingested. Analytics Logs cost around £2.20/GB. Basic Logs cost around £0.40/GB. Auxiliary is about 94% cheaper than the default.
If you're storing large volumes for compliance, audit trails, or security investigations you rarely query interactively, the maths on your monitoring bill just shifted.
The three tiers
Analytics Logs (~£2.20/GB) are the default. Full KQL, 31 days of interactive retention, alerts, dashboards, workbooks. This is where most organisations send everything because it's the default and nobody changes it.
Basic Logs (~£0.40/GB) arrived as a cheaper option for high-volume, low-value data. Eight days of interactive retention, limited KQL (no joins, no cross-table aggregations). Good for verbose diagnostic logs needed occasionally but not driving alerts.
Auxiliary Logs (~£0.12/GB) are the newest tier. Designed for data kept long-term but almost never queried interactively. Thirty days of interactive retention, then up to 12 years of archive storage. Queries run as search jobs, not interactively. Slower, cheaper, fine for the right data.
What belongs in Auxiliary
The question is: do you need this data for real-time operational decisions, or does it just need to exist in case something goes wrong six months from now?
Compliance and audit logs. ISO 27001, SOC 2, PCI DSS mandate extended retention. Typically 12 months, some frameworks longer. Storing these in Analytics Logs at £2.20/GB is paying premium query pricing for data queried once a year. Auxiliary at £0.12/GB with 12-year retention is purpose-built for this.
Security event archives. Sentinel needs recent events in Analytics for active detection. The archive from six months ago is investigation data, not detection data. Move it to Auxiliary. Incident investigations still have access. Queries just take minutes, not seconds.
Resource change tracking. Activity Logs, resource change history. Useful for post-incident root cause. Rarely needed for real-time monitoring.
Network flow logs. NSG and VNet flow logs are notoriously high-volume. A busy hub-spoke generates gigabytes per day of flow data, most of which is never queried. If you retain for compliance or forensics, Auxiliary reduces the storage cost dramatically.
Application telemetry archives. Application Insights data beyond the operational window. You can still search it if a customer reports something that started months ago, without paying Analytics rates to hold it.
What doesn't belong in Auxiliary
Anything you alert on. Auxiliary doesn't support alert rules. If Azure Monitor needs to wake someone at 2am, that data must be in Analytics.
Active Sentinel detection data. Current detection rules need Analytics for real-time correlation. Move data to Auxiliary only once it is past your active detection window.
Data queried frequently. Slower query performance frustrates operations teams running daily KQL.
Dashboards and workbooks. Live dashboards need Analytics.
The cost impact
A mid-size organisation ingesting 50 GB/day, all in default Analytics:
- 50 GB × 30 days = 1,500 GB/month
- 1,500 × £2.20 = £3,300/month
Break the 50 GB down by what actually needs real-time querying vs what's kept for compliance:
- 15 GB/day needs Analytics (alerts, dashboards, active monitoring)
- 10 GB/day needs Basic (diagnostic logs, occasional troubleshooting)
- 25 GB/day is compliance, audit, archive
Tiered:
- 15 × 30 × £2.20 = £990 (Analytics)
- 10 × 30 × £0.40 = £120 (Basic)
- 25 × 30 × £0.12 = £90 (Auxiliary)
- £1,200/month total
Saving: £2,100/month, 64%. £25,200 a year from a configuration change.
The numbers scale linearly. 200 GB/day sees proportionally larger savings. The insight is that most organisations send everything to Analytics because it's the default, not because they need full query capability on all the data.
The trade-offs
Query performance is slower. Queries run as search jobs. Minutes, not seconds. Fine for investigations, not for dashboards.
Limited KQL. Complex queries with multiple joins or cross-table correlations are restricted. Simple searches and filters work.
No alerting. No alert rules against Auxiliary Log tables.
30-day interactive window. Older data requires a search job to retrieve.
Not all tables support Auxiliary. Some system and Sentinel-managed tables can't be changed. Check the specific tables before planning.
Where to start
If your monthly Log Analytics bill exceeds £1,000, a tiered approach almost certainly saves money. The larger the bill, the larger the saving, because the proportion of data that genuinely needs Analytics tier querying is usually smaller than assumed.
The top 5 tables by ingestion volume are where the decisions sit. For each: is this driving alerts or live dashboards? If yes, keep Analytics. If no, Auxiliary just became relevant.
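One way to find those five tables, as an added example rather than a query from the original article: the KQL below reads the workspace's standard Usage table and prices the largest billable tables at the article's approximate per-GB rates. The 30-day window and the three price constants are assumptions to adjust for your own region and agreement.

```kusto
// Added example: top 5 billable tables by ingestion, priced per tier.
// Prices are the article's approximate GBP figures (assumption, not a rate card).
let window = 30d;
let analyticsPerGB = 2.20;
let basicPerGB = 0.40;
let auxiliaryPerGB = 0.12;
// Billable ingestion per table over the window. Usage.Quantity is reported in MB.
let billable = Usage
    | where TimeGenerated > ago(window)
    | where IsBillable == true
    | summarize IngestedGB = sum(Quantity) / 1000.0 by DataType;
// Workspace total, used to show how much of the bill each table represents.
let totalGB = toscalar(billable | summarize sum(IngestedGB));
billable
| top 5 by IngestedGB desc
| extend SharePct = round(100.0 * IngestedGB / totalGB, 1)
| extend AnalyticsCost = round(IngestedGB * analyticsPerGB, 2),
         BasicCost     = round(IngestedGB * basicPerGB, 2),
         AuxiliaryCost = round(IngestedGB * auxiliaryPerGB, 2)
| extend SavingIfAuxiliary = round(AnalyticsCost - AuxiliaryCost, 2)
| project DataType,
          IngestedGB = round(IngestedGB, 1),
          SharePct,
          AnalyticsCost,
          BasicCost,
          AuxiliaryCost,
          SavingIfAuxiliary
```

The SavingIfAuxiliary column is only an upper bound: a table that feeds alert rules, live dashboards or active Sentinel detections stays in Analytics regardless of its volume.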