Announcing preview: Collect Syslog from your AKS nodes using Container Insights
Published Mar 15 2023 03:00 PM 7,899 Views
Microsoft

Starting today, customers can use Azure Monitor – Container Insights to collect Syslog from Linux nodes in their Azure Kubernetes Service (AKS) clusters. Syslog collection enables customers to monitor security and health events for their containerized workloads. Combined with SIEM systems like Microsoft Sentinel and monitoring tools like Azure Monitor, Syslog collection provides comprehensive observability.

Why collect syslog?

Syslog is a popular message logging standard supported by a wide variety of devices, including servers, virtual machines, and routers.

By collecting syslog from AKS nodes, customers get:

  • Improved observability – Syslog is one of the most common ways to collect error logs in Linux, and it enables troubleshooting across a wide variety of sources. With Syslog collection available natively in Azure Monitor, your Syslog data is collected by the Azure Monitor Agent and can be easily stored, queried, and visualized using the tools in the Azure Monitor ecosystem.
  • Unified security – Enterprises commonly use syslog to collect logs from their on-premises and IaaS workloads. With syslog collection for AKS, customers can now maintain a common security perimeter across their containerized and IaaS workloads, and across on-premises and cloud deployments.


How to enable syslog collection

Using the Azure Portal

Navigate to your cluster. Open the Insights tab for your cluster. Open the Monitor Settings panel. Click on Edit collection settings, then check the box for Enable Syslog collection.

[Image: syslog-enable.gif, enabling Syslog collection in the portal]

Command Line

You can enable syslog collection in multiple ways from the command line.

Click the links above to access the documentation for each option.

Accessing your syslog data

Workbooks

To get a quick snapshot of your syslog data, customers can use our out-of-box Syslog workbook.

Option 1 - The Reports tab in Container Insights

Navigate to your cluster. Open the Insights tab for your cluster. Open the Reports tab and look for the Syslog workbook.

[Image: syslog-workbook-container-insights-reports-tab.gif, the Syslog workbook in the Reports tab]

Option 2 - The Workbooks tab in AKS

Open the Workbooks tab for your cluster and look for the Syslog workbook. See steps here.

Log queries

Customers can access syslog records by querying the Syslog table. This is the same Syslog table used for VM syslog data, so existing syslog queries will work. See docs for sample queries.

[Image: SyslogSampleQueryResults.png, sample query results from the Syslog table]
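As an added example (not from the original post or the Container Insights docs), two KQL queries against the Syslog table: the first confirms that data is arriving from your nodes, the second surfaces authentication-related warnings and errors on them. They assume the standard Azure Monitor Syslog table columns and the default AKS node naming, where node hostnames begin with "aks-"; adjust the Computer filter if your node pools are named differently.

```kql
// Added example, not part of the original post. Assumes the standard Azure Monitor
// Syslog table columns (TimeGenerated, Computer, Facility, SeverityLevel,
// ProcessName, SyslogMessage) and that AKS node hostnames begin with "aks-".

// Query 1: per-node overview of what arrived from AKS nodes in the last hour.
// Use it to verify collection is working and to spot unexpectedly noisy facilities.
Syslog
| where TimeGenerated > ago(1h)
| where Computer startswith "aks-"
| summarize Events = count(), LastSeen = max(TimeGenerated)
    by Computer, Facility, SeverityLevel
| order by Events desc

// Query 2 (run separately): authentication-related events that are not purely
// informational, e.g. failed SSH logins or sudo failures on a node, grouped to one
// row per node, process and severity with a sample message for triage.
Syslog
| where TimeGenerated > ago(24h)
| where Computer startswith "aks-"
| where Facility in ("auth", "authpriv") or ProcessName in ("sshd", "sudo")
| where SeverityLevel !in ("info", "debug", "notice")
| summarize Events = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    Sample = take_any(SyslogMessage)
    by Computer, ProcessName, SeverityLevel
| order by Events desc
```

The second query is a starting point for a scheduled alert rule or a Sentinel analytics rule; tune the facility, process and severity filters to the baseline you observe with the first query.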

Next steps

Read more about Syslog and what you can do with it in our documentation: aka.ms/CISyslog

Once set up, customers can start sending Syslog data to the tools of their choice.


We’re excited for customers to try out this preview. Share your feedback for this feature using the form here: https://forms.office.com/r/BBvCjjDLTS


Last update: Mar 14 2023 11:24 AM