Announcing preview: Collect Syslog from your AKS nodes using Container Insights
Published Mar 15 2023 03:00 PM 7,429 Views
Microsoft

Starting today, customers can use Azure Monitor – Container Insights to collect Syslog from Linux nodes in their Azure Kubernetes Service (AKS) clusters. Syslog collection enables customers to monitor security and health events for their containerized workloads. Syslog collection when combined with SIEM systems like Microsoft Sentinel and monitoring tools like Azure Monitor provides comprehensive observability.

Why collect syslog?  

Syslog is a popular message logging standard that can be used across a variety of devices like servers, virtual machines, routers, and other devices.

By collecting syslog from AKS nodes, customers get

  • Improved observability – Syslog is one of the popular ways to collect error logs in Linux. Syslog enables troubleshooting across a wide variety of sources. With Syslog collection available natively in Azure Monitor, your Syslog data is collected using the Azure Monitor Agent and can be easily stored, queried, and visualized using the tools in the Azure Monitor ecosystem.
  • Unified security - Enterprises commonly use syslog for collecting logs from their on-premise, and IaaS workloads. With syslog collection for AKS, customers can now maintain a common security perimeter across their containerized and IaaS workloads as well as across on-prem and cloud deployments.


How to enable syslog collection

Using the Azure Portal

Navigate to your cluster. Open the Insights tab for your cluster. Open the Monitor Settings panel. Click on Edit collection settings, then check the box for Enable Syslog collection

syslog-enable.gif

 

Command Line

You can enable syslog collection in multiple ways from the command line.

Click the links above to access the documentation for each option.

Accessing your syslog data

Workbooks

To get a quick snapshot of your syslog data, customers can use our out-of-box Syslog workbook.

Option 1 - The Reports tab in Container Insights.
Navigate to your cluster. Open the Insights tab for your cluster. Open the Reports tab and look for the Syslog workbook

syslog-workbook-container-insights-reports-tab.gif

 

Option 2 - The Workbooks tab in AKS

Open the Workbooks tab for your cluster and look for the Syslog workbook. See steps here

Log queries

Customers can access syslog records by querying the Syslog table. This is the Syslog table used for VM syslog data as well and existing syslog queries will work. See docs for sample queries. 

SyslogSampleQueryResults.png

 

Next steps

Read more about Syslog and what you can do with it in our documentation aka.ms/CISyslog

Once setup, customers can start sending Syslog data to the tools of their choice


We’re excited for customers to try out this preview. Share your feedback for this feature using the form here: https://forms.office.com/r/BBvCjjDLTS

 

 

 

Co-Authors
Version history
Last update:
‎Mar 14 2023 11:24 AM
Updated by: