Syslog data can help you monitor the security and health of your AKS workloads. By sending Syslog data to Sentinel, you can use its cloud-native SIEM features to detect and respond to threats, investigate incidents, and create dashboards and reports for your Kubernetes workloads.
Benefits of Host Logs
With host Syslog, you can monitor security and health events for your AKS workloads using Azure Monitor – Container Insights, which collects and analyzes Syslog data from Linux nodes in a centralized and standardized way. This can help you reduce alerts, downtime, and breaches, troubleshoot issues, and track historical changes in your K8S workloads.
How to send AKS Syslog data to Sentinel
Azure Monitor – Container Insights now allows you to collect Syslog from the Linux nodes of your AKS clusters. The data is sent to a Log Analytics workspace and written to the existing Syslog table. Because it lands in the same Syslog table that Sentinel already reads, no additional connector or parser is needed: you only need to point Container Insights at the Log Analytics workspace on which Sentinel is enabled.
NOTE: We are currently working with the Sentinel team on the design of a new dedicated Syslog connector, which will make it even easier to ingest and analyze Syslog data from your AKS clusters. We will share more information about this connector soon. In the meantime, you can use the following process to get the most out of Syslog and Sentinel for your K8S workloads.
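The process above, as an added shell example (not code from the original post or from the Container Insights team): it enables Syslog collection for the monitoring addon on an existing cluster with `az aks enable-addons --enable-syslog`, then verifies that rows are arriving in the workspace's Syslog table and pulls a first security-relevant view of authentication messages. The resource group, cluster name and workspace ARM id are placeholders; `syslog_check_kql`, `syslog_auth_kql` and `run_query` are helper names chosen for this example.

```shell
#!/usr/bin/env sh
# Added example: enable Container Insights Syslog collection on an existing AKS
# cluster and confirm rows land in the Syslog table of the Sentinel workspace.
# All resource names below are placeholders, not values from the original post.

RESOURCE_GROUP="${RESOURCE_GROUP:-rg-aks-demo}"   # placeholder
CLUSTER_NAME="${CLUSTER_NAME:-aks-demo}"          # placeholder
# Full ARM id of the Log Analytics workspace that Sentinel is enabled on (placeholder).
WORKSPACE_ID="${WORKSPACE_ID:-/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sentinel/providers/Microsoft.OperationalInsights/workspaces/law-sentinel}"

# Build the enable-addons command as a string so it can be reviewed before anything
# is sent to Azure. --enable-syslog turns on node Syslog collection for the
# monitoring addon; the data is written to the workspace's existing Syslog table.
enable_syslog_cmd() {
  printf 'az aks enable-addons --addons monitoring --resource-group %s --name %s --workspace-resource-id %s --enable-syslog' \
    "$RESOURCE_GROUP" "$CLUSTER_NAME" "$WORKSPACE_ID"
}

# KQL that checks collection is working: event counts per node and facility over
# the last hour, for nodes whose hostnames start with the given prefix.
syslog_check_kql() {
  prefix="${1:-aks-}"
  cat <<EOF
Syslog
| where TimeGenerated > ago(1h)
| where Computer startswith "${prefix}"
| summarize Events = count(), LastSeen = max(TimeGenerated) by Computer, Facility
| order by Events desc
EOF
}

# KQL for a first security-relevant view: authentication-related messages from the
# nodes (auth/authpriv facilities) at warning severity or worse.
syslog_auth_kql() {
  cat <<'EOF'
Syslog
| where TimeGenerated > ago(24h)
| where Facility in ("auth", "authpriv")
| where SeverityLevel in ("emerg", "alert", "crit", "err", "warning")
| project TimeGenerated, Computer, ProcessName, SeverityLevel, SyslogMessage
| order by TimeGenerated desc
EOF
}

# Runs a query through the CLI. The query command needs the workspace customer id
# (a GUID), not the ARM id, so it is looked up from the workspace resource first.
run_query() {
  ws_guid=$(az monitor log-analytics workspace show --ids "$WORKSPACE_ID" --query customerId -o tsv)
  az monitor log-analytics query --workspace "$ws_guid" --analytics-query "$1" -o table
}

# Only talk to Azure when explicitly asked; without an argument the script just
# defines the functions above.
case "${1:-}" in
  enable) eval "$(enable_syslog_cmd)" ;;
  check)  run_query "$(syslog_check_kql aks-)" ;;
  auth)   run_query "$(syslog_auth_kql)" ;;
esac
```

Run `sh aks-syslog.sh enable` once per cluster, then `sh aks-syslog.sh check` a few minutes later; an empty result from the check query usually means the addon is still rolling out or the workspace id points at a workspace other than the one Sentinel uses.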
Analyzing Syslog data in Sentinel
Once enabled, you can use any of the following Sentinel capabilities to analyze Syslog data.