Forum Discussion

simcpk's avatar
simcpk
Brass Contributor
Aug 14, 2018
Solved

Automatic Log Upload using Docker on Ubuntu in Azure

A few weeks back, my perfectly functional log collector (Docker on Ubuntu in Azure) stopped receiving syslogs from both of my sources.  The reason for this sudden breakage is still not completely und...
Cloud App Security
  • simcpk's avatar
    simcpk
    Aug 27, 2018

    It appears they made some changes based on my comments because the portal generated command now appears as follows --

     

    (echo e8f2683d346b4cb90e3184b7de7fd464841358808b6ff6fe19fde25b18e78a1) | docker run --name LogCollector_Azure -p 514:514/udp -p 515:515/udp -p 21:21 -p 20000-20099:20000-20099 -e "PUBLICIP='10.3.2.20'" -e "PROXY=" -e "SYSLOG=true" -e "CONSOLE=sawdustinvestments.us2.portal.cloudappsecurity.com" -e "COLLECTOR=LogCollector_Azure" --security-opt apparmor:unconfined --cap-add=SYS_ADMIN --restart unless-stopped -a stdin -i microsoft/caslogcollector starter

Matthew Fooks's avatar
Matthew Fooks
Brass Contributor
Aug 23, 2018
Phillip,

I've done a few Ubuntu/Docker on prem installs without issue. I'll try setup an Azure instance and let you know if I get any issues. Did you raise this with MS support?

Matt
simcpk's avatar
simcpk
Brass Contributor
Aug 23, 2018

I started a support case and by the time they got back to me I'd sorted it out.  I changed my command as follows and then it worked --

 

(echo e8f2683d346b4cb90e3184b7de7fd464841358808b6ff6fe19fde25b18e78a1) | docker run --name LogCollector_Azure -p 21:21 -p 514-515:514-515/udp -p 20000-20099:20000-20099 -e "PUBLICIP='10.3.2.20'" -e "PROXY=" -e "SYSLOG=true" -e "CONSOLE=sawdustinvestments.us2.portal.cloudappsecurity.com" -e "COLLECTOR=LogCollector_Azure" --security-opt apparmor:unconfined --cap-add=SYS_ADMIN --restart unless-stopped -a stdin -i microsoft/caslogcollector starter

 

I think the commands being generated by the portal during the setup of the collector are wrong when configuring syslogs.  I'd used them successfully in the past, but I don't have any record of what they looked like when I last set up a collector successfully.  The support engineer said he'd pass my comments back to the team so that they could check on the issue.

 

Phil

  • simcpk's avatar
    simcpk
    Brass Contributor
    Aug 27, 2018

    It appears they made some changes based on my comments because the portal generated command now appears as follows --

     

    (echo e8f2683d346b4cb90e3184b7de7fd464841358808b6ff6fe19fde25b18e78a1) | docker run --name LogCollector_Azure -p 514:514/udp -p 515:515/udp -p 21:21 -p 20000-20099:20000-20099 -e "PUBLICIP='10.3.2.20'" -e "PROXY=" -e "SYSLOG=true" -e "CONSOLE=sawdustinvestments.us2.portal.cloudappsecurity.com" -e "COLLECTOR=LogCollector_Azure" --security-opt apparmor:unconfined --cap-add=SYS_ADMIN --restart unless-stopped -a stdin -i microsoft/caslogcollector starter

Resources