In Managed Security Service Provider (MSSP) models, a single operations team manages dozens of customer logs. Wrong architecture = risk of data leakage and unscalable operation.
Tenant isolation
Separate for each customer tenant_id, RBAC and alarm queue. Super admin view is for authorized personnel only.
Plan and quota
Daily log limit per customer, retention day and feature package (business vs MSSP). In case of quota exceedance, notification should be preferred instead of drop.
Reporting
Monthly PDF: number of events, MTTR, top threats. OxiSec produces a 10-section report based on tenants.