Announcing preview: Collect Syslog from your AKS nodes using Container Insights
Published Mar 15 2023 03:00 PM

Starting today, customers can use Azure Monitor – Container Insights to collect Syslog from Linux nodes in their Azure Kubernetes Service (AKS) clusters. Syslog collection enables customers to monitor security and health events for their containerized workloads. Syslog collection when combined with SIEM systems like Microsoft Sentinel and monitoring tools like Azure Monitor provides comprehensive observability.

Why collect syslog?  

Syslog is a popular message logging standard that can be used across a variety of devices like servers, virtual machines, routers, and other devices.

By collecting syslog from AKS nodes, customers get:

  • Improved observability – Syslog is one of the most common ways to collect error logs on Linux and supports troubleshooting across a wide variety of sources. With Syslog collection available natively in Azure Monitor, your Syslog data is collected by the Azure Monitor Agent and can be easily stored, queried, and visualized using the tools in the Azure Monitor ecosystem.
  • Unified security – Enterprises commonly use syslog to collect logs from their on-premises and IaaS workloads. With syslog collection for AKS, customers can now maintain a common security perimeter across their containerized and IaaS workloads, and across on-premises and cloud deployments.

How to enable syslog collection

Using the Azure Portal

Navigate to your cluster. Open the Insights tab for your cluster. Open the Monitor Settings panel. Click on Edit collection settings, then check the box for Enable Syslog collection.



Command Line

You can enable syslog collection in multiple ways from the command line.

Click the links above to access the documentation for each option.

Accessing your syslog data


To get a quick snapshot of your syslog data, customers can use our out-of-box Syslog workbook.

Option 1 - The Reports tab in Container Insights.
Navigate to your cluster. Open the Insights tab for your cluster. Open the Reports tab and look for the Syslog workbook.



Option 2 - The Workbooks tab in AKS

Open the Workbooks tab for your cluster and look for the Syslog workbook. See steps here.

Log queries

Customers can access syslog records by querying the Syslog table. This is the same Syslog table used for VM syslog data, so existing syslog queries will work. See the docs for sample queries.
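As an added example (not from the original post), the Kusto query below pulls security-relevant records for AKS nodes out of the Syslog table: authentication-facility messages plus anything at error severity or worse, bucketed per node and process. It assumes the default AKS node naming, where hostnames begin with "aks-"; adjust that filter if your node pools use other names.

```kql
// Security-relevant syslog from AKS nodes over the last 24 hours.
// Assumption: node hostnames start with "aks-" (default AKS naming).
Syslog
| where TimeGenerated > ago(24h)
| where Computer startswith "aks-"
// Auth/authpriv messages (logins, sudo, PAM) plus error-or-worse from any facility
| where Facility in ("auth", "authpriv")
    or SeverityLevel in ("err", "crit", "alert", "emerg")
| summarize Events = count(), SampleMessage = take_any(SyslogMessage)
    by bin(TimeGenerated, 1h), Computer, Facility, SeverityLevel, ProcessName
| order by TimeGenerated desc, Events desc
```

Run it in the Logs blade of the Log Analytics workspace attached to the cluster; the same query works as the basis for a Sentinel analytics rule or an Azure Monitor alert.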



Next steps

Read more about Syslog and what you can do with it in our documentation.

Once set up, customers can start sending Syslog data to the tools of their choice.

We’re excited for customers to try out this preview. Share your feedback for this feature using the form here:




Version history
Last update: Mar 14 2023 11:24 AM