Starting today, customers can use Azure Monitor – Container Insights to collect Syslog from Linux nodes in their Azure Kubernetes Service (AKS) clusters. Syslog collection enables customers to monitor security and health events for their containerized workloads. Syslog collection, when combined with SIEM systems like Microsoft Sentinel and monitoring tools like Azure Monitor, provides comprehensive observability.
Why collect syslog?
Syslog is a popular message logging standard that can be used across a variety of devices like servers, virtual machines, routers, and other devices.
By collecting syslog from AKS nodes, customers get:
Improved observability – Syslog is one of the most popular ways to collect error logs on Linux, and it enables troubleshooting across a wide variety of sources. With Syslog collection available natively in Azure Monitor, your Syslog data is collected by the Azure Monitor Agent and can be easily stored, queried, and visualized using the tools in the Azure Monitor ecosystem.
Unified security – Enterprises commonly use syslog to collect logs from their on-premises and IaaS workloads. With syslog collection for AKS, customers can now maintain a common security perimeter across their containerized and IaaS workloads, and across on-premises and cloud deployments.
How to enable syslog collection
Using the Azure Portal
Navigate to your cluster. Open the Insights tab for your cluster. Open the Monitor Settings panel. Click Edit collection settings, then check the box for Enable Syslog collection.
You can enable syslog collection in multiple ways from the command line.
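The command-line path the paragraph above refers to, together with a first security-oriented query of the kind the "Unified security" point describes, as an added example that is not part of the original announcement. It assumes the Azure CLI (`az`) is installed and logged in, uses the `--enable-syslog` flag of `az aks enable-addons` as documented for Container Insights, and treats the resource group, cluster and Log Analytics workspace names as placeholders. The script only executes the commands when `APPLY=1`; otherwise it prints them so you can review them first.

```shell
#!/bin/sh
# Added example (not from the Azure announcement): enable Container Insights
# syslog collection on an existing AKS cluster with the Azure CLI, then run
# two KQL queries over the Syslog table to confirm data is flowing and to
# surface failed SSH logins on the nodes. Resource names are placeholders.
set -eu

RESOURCE_GROUP="${RESOURCE_GROUP:-rg-placeholder}"
CLUSTER_NAME="${CLUSTER_NAME:-aks-placeholder}"
WORKSPACE_NAME="${WORKSPACE_NAME:-law-placeholder}"

# The monitoring addon backs Container Insights; --enable-syslog switches on
# syslog collection from the cluster's Linux nodes.
build_enable_cmd() {
    printf 'az aks enable-addons --addons monitoring --enable-syslog --resource-group %s --name %s' "$1" "$2"
}

# Event volume per node and severity over the last hour. A node that never
# appears here has not started shipping syslog yet.
volume_query() {
    printf '%s' 'Syslog | where TimeGenerated > ago(1h) | summarize Events = count() by Computer, SeverityLevel | order by Computer asc'
}

# Failed SSH password attempts on the nodes, grouped by node and the source
# address parsed out of the message text (HostIP is the node itself).
auth_failure_query() {
    printf '%s' 'Syslog | where TimeGenerated > ago(24h) | where ProcessName == "sshd" | where SyslogMessage has "Failed password" | extend SourceIp = extract(@"from ([0-9.]+)", 1, SyslogMessage) | summarize Attempts = count() by Computer, SourceIp | order by Attempts desc'
}

# The Log Analytics query command takes the workspace customer ID (a GUID),
# not the workspace name. KQL string literals use double quotes, so the
# query is wrapped in single quotes for the shell.
build_query_cmd() {
    printf "az monitor log-analytics query --workspace %s --analytics-query '%s' --output table" "$1" "$2"
}

run_or_print() {
    if [ "${APPLY:-0}" = "1" ]; then
        eval "$1"
    else
        printf 'DRY RUN: %s\n' "$1"
    fi
}

main() {
    run_or_print "$(build_enable_cmd "$RESOURCE_GROUP" "$CLUSTER_NAME")"
    if [ "${APPLY:-0}" = "1" ]; then
        # Resolve the workspace GUID once data collection is enabled.
        WORKSPACE_ID=$(az monitor log-analytics workspace show \
            --resource-group "$RESOURCE_GROUP" --workspace-name "$WORKSPACE_NAME" \
            --query customerId --output tsv)
    else
        WORKSPACE_ID="<workspace-customer-id>"
    fi
    run_or_print "$(build_query_cmd "$WORKSPACE_ID" "$(volume_query)")"
    run_or_print "$(build_query_cmd "$WORKSPACE_ID" "$(auth_failure_query)")"
}
main
```

Run it once without `APPLY` to see the exact commands it will issue, then with `APPLY=1 RESOURCE_GROUP=... CLUSTER_NAME=... WORKSPACE_NAME=...` to enable collection and query the workspace. Expect the Syslog table to stay empty for a few minutes after enabling, so the volume query is the right first check before drawing conclusions from the authentication query.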