Prices from Azure Retail Prices API · UK South · GBP · Not affiliated with Microsoft

Azure Log Analytics Pricing UK 2026

Complete guide to Log Analytics costs in UK South — ingestion, retention, search jobs, and the 2TB restore minimum explained in GBP.

Prices last verified: March 2026

Built and verified by an independent Azure engineer, frustrated with the official calculator.

Overview

If you restore 1 GB of archived Log Analytics data, you are billed for 2,000 GB. That is not a typo. The Restore operation has a 2 TB minimum billing floor regardless of how much data you actually request. It is one of the most expensive accidental triggers in Azure, and it is buried in the pricing documentation under a footnote. If your team runs any Restore operation without knowing this, the result is a surprise line item in the hundreds of pounds range.

Azure Log Analytics is the foundation of monitoring on Azure. Every Azure resource — virtual machines, App Services, Kubernetes clusters, Azure Firewall, Microsoft Sentinel — can send its logs and metrics to a Log Analytics workspace for storage, querying, and alerting. If you run anything on Azure, you are almost certainly incurring Log Analytics costs whether you have looked at the bill or not.

The challenge is that Log Analytics pricing has six distinct dimensions that interact with each other: data ingestion tier, Sentinel add-on, interactive retention, archive retention, Search Job costs, and Restore costs. Most engineers are aware of ingestion costs but are blindsided by retention charges on large workspaces or — most dangerously — the 2TB minimum billing floor on Restore operations.

This guide covers all six dimensions with UK South GBP pricing sourced directly from the Azure Retail Prices API. All figures shown are current as of March 2026 and reflect the prices used by the Log Analytics calculator on this site.

Data Ingestion Pricing

Ingestion is the dominant cost driver for most workspaces. When data lands in your Log Analytics workspace, it is classified into one of three log types — and the type determines both the ingestion price and what you can do with the data afterwards.

The three log types

Analytics Logs (default): £2.13/GB
  • First 5 GB/day per workspace is FREE
  • Full KQL query capability — no per-query charge
  • Alert rules, workbooks, dashboards fully supported
  • Default retention: 31 days free, up to 730 days
  • Best for: security logs, SigninLogs, SecurityEvent, AuditLogs

Basic Logs (78% cheaper ingestion): £0.46/GB
  • Query costs £0.0046/GB scanned (charged on query)
  • 8-day interactive retention only (cannot be extended)
  • No alert rules — cannot set up scheduled alerts
  • Best for: verbose logs queried rarely (AppServiceHTTPLogs, NetworkFlow)

Auxiliary Logs (cheapest): £0.04/GB
  • Query via Search Jobs only — no direct KQL
  • 30-day interactive retention, up to 12 years archive
  • No alert rules, no workbook support
  • Best for: compliance logs archived but rarely investigated
  • New: available from August 2025

Comparison table

| Log Type | Ingestion cost | Query cost | Best for |
|---|---|---|---|
| Analytics Logs | £2.13/GB (first 5 GB/day free) | Free | Security logs, anything with alert rules |
| Basic Logs | £0.46/GB | £0.0046/GB scanned | Verbose operational logs queried rarely |
| Auxiliary Logs | £0.04/GB | Via Search Jobs only | Compliance archival, almost never queried |

PAYG vs Commitment tiers

If your workspace ingests more than approximately 90 GB/day of Analytics Logs, a commitment tier becomes cheaper than PAYG.

| Tier | Daily price | Effective per GB | Saving vs PAYG |
|---|---|---|---|
| PAYG (above 5 GB/day) | | £2.13/GB | |
| 100 GB/day commitment | £181.02 | £1.81/GB | 15% |
| 200 GB/day commitment | £339.87 | £1.70/GB | 20% |
| 300 GB/day commitment | £498.73 | £1.66/GB | 22% |
| 400 GB/day commitment | £650.19 | £1.63/GB | 23% |
| 500 GB/day commitment | £798.88 | £1.60/GB | 25% |

Break-even guidance: PAYG becomes more expensive than the 100 GB/day commitment tier when you exceed approximately 90 GB/day of billable ingestion. If your workspace consistently ingests 80–100 GB/day, run the numbers — switching to a commitment tier could save £1,000–£3,000/month.
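
The tier comparison above as a small calculator, added here as an illustration and not taken from this site's own calculator code. It uses the rates in the table and assumes that ingestion above a commitment tier's size is billed at that tier's effective per-GB rate; the function names are hypothetical.

```python
from decimal import Decimal, ROUND_HALF_UP

PAYG_PER_GB = Decimal("2.13")   # Analytics Logs, UK South (from this guide)
FREE_GB_PER_DAY = Decimal(5)    # free allowance as stated in this guide
# Commitment tiers from this guide: size in GB/day -> fixed daily price in GBP.
TIERS = {100: Decimal("181.02"), 200: Decimal("339.87"), 300: Decimal("498.73"),
         400: Decimal("650.19"), 500: Decimal("798.88")}
PENNY = Decimal("0.01")


def daily_cost(gb_per_day, tier=None):
    """Daily ingestion cost in GBP on PAYG (tier=None) or on a commitment tier."""
    gb = Decimal(str(gb_per_day))
    if gb < 0:
        raise ValueError("gb_per_day must be non-negative")
    if tier is None:
        cost = max(gb - FREE_GB_PER_DAY, Decimal(0)) * PAYG_PER_GB
    else:
        price = TIERS[tier]
        # Assumption: overage is billed at the tier's effective per-GB rate.
        cost = price + max(gb - tier, Decimal(0)) * price / tier
    return cost.quantize(PENNY, rounding=ROUND_HALF_UP)


def cheapest_option(gb_per_day):
    """Return (tier, daily_cost); tier=None means PAYG. Ties go to the smaller option."""
    options = [None, *sorted(TIERS)]
    return min(((t, daily_cost(gb_per_day, t)) for t in options), key=lambda o: o[1])


def payg_break_even_gb(tier=100):
    """Daily GB, free allowance included, at which PAYG equals the tier's fixed price."""
    gb = FREE_GB_PER_DAY + TIERS[tier] / PAYG_PER_GB
    return gb.quantize(PENNY, rounding=ROUND_HALF_UP)
```

`payg_break_even_gb()` returns 89.99, which is the guide's "approximately 90 GB/day" figure once the 5 GB/day free allowance is counted.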

Microsoft Sentinel Add-on

Microsoft Sentinel is billed as an add-on on top of Log Analytics. When you enable Sentinel on a workspace, every GB ingested into Analytics Logs tables incurs an additional Sentinel charge on top of the Log Analytics ingestion cost.

| Tier | Sentinel charge | Combined total |
|---|---|---|
| PAYG | +£3.975/GB | ≈ £6.10/GB |
| 100 GB/day Sentinel commitment | £273.38/day | + LA costs separately |
| 500 GB/day Sentinel commitment | £1,168.31/day | + LA costs separately |

Independent commitment tiers: Sentinel and Log Analytics have separate commitment tier programmes. You can be on PAYG for Log Analytics and a commitment tier for Sentinel, or vice versa. Optimise each independently based on your actual volumes.

Free data allowances that reduce Sentinel costs

  • Microsoft 365 E5: 5 MB per user per day free into Sentinel
  • Defender for Servers Plan 2: 500 MB per server per day free into Sentinel
  • First 31-day trial: Up to 10 GB/day free for new Sentinel workspaces

Data Retention Pricing

After data is ingested, you are charged for how long you keep it. Retention pricing has two distinct phases: interactive retention (data is hot, fully queryable) and archive retention (data is cold, queryable only via Search Jobs or Restore).

Interactive Retention

  • First 31 days: FREE (all workspaces)
  • First 90 days: FREE if Sentinel is enabled
  • Days 32–730: £0.0961/GB/month
  • Full KQL, alerts, workbooks supported
  • Maximum: 730 days

Archive Retention

  • After interactive period ends
  • Up to 12 years total retention
  • £0.0185/GB/month — significantly cheaper
  • Query via Search Jobs or Restore only
  • No direct KQL, no alert rules

Practical guidance

  • Most teams set interactive retention to 90 days. This covers the majority of incident investigation scenarios — the median time to discover a breach is under 30 days, and 90 days of interactive data is sufficient for most forensic work.
  • Archive beyond 90 days for regulatory compliance (PCI-DSS, FCA record keeping requirements) at the cheaper archive rate of £0.0185/GB/month.
  • Do not set long interactive retention for all tables. If you have a 100 GB/day workspace and extend interactive retention to 365 days, the retention costs on days 32–365 can exceed your ingestion costs. Target long interactive retention only at high-value tables (SecurityEvent, SigninLogs) and keep verbose tables shorter.

Search Jobs — The Right Way to Query Archive Data

A Search Job is a background operation that scans your archived (or Basic Logs) data and writes the matching results to a temporary _SRCH table in your workspace. You then query that table interactively at no extra charge. Search Jobs are the cost-effective default for ad-hoc investigation of old data.

Search Job pricing

£0.0046/GB scanned
  • No minimum charge — you pay only for GB scanned
  • Results written to a temporary _SRCH table (free to query)
  • Runs asynchronously — results available in minutes to hours
  • Can run against Analytics, Basic, and Auxiliary Logs

Worked example

Scenario: investigate 30 days of archived logs from a table ingesting 35 GB/day

  • GB scanned: 35 GB/day × 30 days = 1,050 GB
  • Search Job cost: 1,050 × £0.0046 = £4.83

Compare — Restore for same data
  • Restore cost (2TB minimum applies): 2,048 GB × £0.0924/day = £189.24/day
  • 3-day restore: £567.71

The same 1,050 GB of data costs £4.83 via Search Job compared to a minimum of £567.71 via Restore (3 days). Unless you need to run many repeated KQL queries against the same dataset, Search Jobs are almost always the right choice.

The 2TB Restore Trap — Read This Before You Restore Anything

2TB MINIMUM BILLING — EVERY RESTORE OPERATION

Azure bills a minimum of 2TB (2,048 GB) per Restore operation, regardless of how much data you actually restore. Restoring 3 GB costs exactly the same as restoring 2,048 GB. This catches many engineers completely off guard — a "quick restore" of a small table can result in a bill of hundreds of pounds.

Restore brings archived data into a hot cache for repeated interactive querying. The cost is £0.0924/GB/day, with a minimum billing period of 12 hours. Both the 2TB floor and the 12-hour minimum apply even if you delete the restore table immediately after creation.

Worked example — the 3 GB restore mistake

Scenario: restore 3 GB of OfficeActivity logs for a 3-day investigation

  • Data you wanted to restore: 3 GB
  • Data Azure bills for (2TB minimum): 2,048 GB
  • Cost per day: 2,048 × £0.0924 = £189.24/day
  • 3-day restore total: £567.71
  • Same data via Search Job: 3 × £0.0046 = £0.014

When Restore IS worth it

  • Your restore is actually over 2TB. If you genuinely need to restore 2+ TB of data, the 2TB floor no longer penalises you.
  • You need to run dozens of KQL queries against the same dataset. Restore gives you full interactive query speed for a sustained investigation. If you are running 50+ queries against the same archived data over several days, the fixed daily cost may be lower than running 50 Search Jobs.
  • You need the full 10-minute query timeout. Search Jobs have execution constraints; Restore gives you full KQL performance for complex analytics.
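
The Search Job and Restore arithmetic from the two worked examples, as an added example (not this site's calculator code) that also finds how many full-scan Search Jobs it takes before a Restore becomes the cheaper option. It assumes Restore time beyond the 12-hour minimum is billed pro rata; the function names are hypothetical.

```python
from decimal import Decimal, ROUND_HALF_UP

# UK South GBP rates quoted in this guide (March 2026).
SEARCH_JOB_PER_GB = Decimal("0.0046")   # per GB scanned, no minimum charge
RESTORE_PER_GB_DAY = Decimal("0.0924")  # per GB per day held in the hot cache
RESTORE_FLOOR_GB = Decimal(2048)        # 2 TB billing floor per Restore
RESTORE_MIN_HOURS = Decimal(12)         # minimum billing period per Restore
PENNY = Decimal("0.01")


def _dec(value):
    """Convert a non-negative number to Decimal without float rounding noise."""
    number = Decimal(str(value))
    if number < 0:
        raise ValueError("sizes, durations and counts must be non-negative")
    return number


def _restore_raw(gb_requested, hours_kept):
    # Both minimums apply even if the restore table is deleted immediately.
    billed_gb = max(_dec(gb_requested), RESTORE_FLOOR_GB)
    billed_hours = max(_dec(hours_kept), RESTORE_MIN_HOURS)
    # Assumption: hours beyond the 12-hour minimum are billed pro rata.
    return billed_gb * RESTORE_PER_GB_DAY * billed_hours / 24


def search_job_cost(gb_scanned, jobs=1):
    """Cost in GBP of `jobs` Search Jobs that each scan `gb_scanned` GB."""
    total = _dec(gb_scanned) * SEARCH_JOB_PER_GB * _dec(jobs)
    return total.quantize(PENNY, rounding=ROUND_HALF_UP)


def restore_cost(gb_requested, hours_kept):
    """Cost in GBP of one Restore kept for `hours_kept` hours."""
    return _restore_raw(gb_requested, hours_kept).quantize(PENNY, rounding=ROUND_HALF_UP)


def break_even_jobs(gb, hours_kept):
    """Smallest number of full-scan Search Jobs that costs more than one Restore."""
    per_job = _dec(gb) * SEARCH_JOB_PER_GB
    if per_job == 0:
        return None  # scanning nothing is free, so Restore never wins
    return int(_restore_raw(gb, hours_kept) // per_job) + 1
```

For the 1,050 GB scenario held for 3 days, `break_even_jobs(1050, 72)` returns 118; for a dataset at or above the 2 TB floor held for one day it returns 21.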

Basic vs Analytics Logs — Which Should You Use?

Switching high-volume tables from Analytics Logs to Basic Logs is one of the highest-impact cost optimisations available in Log Analytics — but it comes with trade-offs that must be understood before making the change.

Use Analytics Logs when

  • You query this table regularly (more than weekly)
  • You have alert rules on this table
  • Workbooks or dashboards reference it
  • It is a security table: SecurityEvent, SigninLogs, AuditLogs, OfficeActivity
  • You need sub-second query response times

Use Basic Logs when

  • Verbose operational logs queried less than once per week
  • No alert rules are needed on this table
  • Examples: AppServiceHTTPLogs, NetworkFlow, ContainerLog
  • You are willing to pay £0.0046/GB when you do query it

Use Auxiliary Logs when

  • Pure compliance archival — logs you are legally required to keep
  • Rarely if ever need to investigate this data
  • Maximum cost reduction is the priority
  • Available from August 2025 onwards

Cost saving example

Scenario: 100 GB/day of AppServiceHTTPLogs — switching from Analytics to Basic

  • Analytics Logs: 100 GB × £2.13 × 30 days = £6,390/month
  • Basic Logs: 100 GB × £0.46 × 30 days = £1,380/month
  • Monthly saving: ≈ £5,010/month

The saving is significant — but only applies to tables where you do not need alert rules and are comfortable paying per-query. Never switch a table to Basic Logs without first checking whether any alert rules or workbooks depend on it.

Certification Resources

Want to understand Azure Monitor and Sentinel pricing in depth for your career? Both the SC-200 (Security Operations Analyst) and AZ-104 (Azure Administrator) certifications cover Log Analytics extensively. SC-200 is the deeper of the two — Domain 3 covers Sentinel workspace architecture, data connectors, KQL, and cost management in detail.
