Monitor AKS cluster security using Syslog and Microsoft Sentinel
Published Jul 14 2023 09:15 AM

Syslog is one of the critical logging components for monitoring security in Kubernetes (K8S) workloads. We recently launched the ability to collect Syslog from AKS clusters using Azure Monitor – Container Insights. In this blog post, we discuss how Azure customers can use Microsoft Sentinel to ingest and analyze the Syslog data from their AKS clusters.  


Why send Syslog data to Sentinel 

Syslog data can help you monitor the security and health of your AKS workloads. By sending Syslog data to Sentinel, you can use its cloud-native SIEM features to detect and respond to threats, investigate incidents, and create dashboards and reports for your Kubernetes workloads. 

Benefits of Host Logs 
  • With host Syslog, you can monitor security and health events for your AKS workloads using Azure Monitor – Container Insights, which collects and analyzes Syslog data from Linux nodes in a centralized and standardized way. This can help you reduce alerts, downtime, and breaches, troubleshoot issues, and track historical changes in your K8S workloads. 


How to send AKS Syslog data to Sentinel 

Azure Monitor – Container Insights now allows you to collect Syslog from your AKS clusters. This data is sent to a Log Analytics workspace and written to the existing Syslog table. Because the data is sent to the existing Syslog table, it works with Sentinel automatically. You just need to set a Sentinel workspace as your destination.  


NOTE: We are currently working with the Sentinel team on the design of a new dedicated Syslog connector, which will make it even easier to ingest and analyze Syslog data from your AKS clusters. We will share more information about this connector soon. In the meantime, you can use the following process to get the most out of Syslog and Sentinel for your K8S workloads. 


Analyzing Syslog data in Sentinel 

Once enabled, you can use any of the following Sentinel capabilities to analyze Syslog data. 

  • Option 1 - Use the Overview dashboard to understand your overall data 
  • Option 2 - Use the built-in Syslog overview workbook template 
    • Go to Microsoft Sentinel > Click on the “Workbooks” item in the left menu > Search for “Syslog” in the search bar  
    • (Screenshot: Syslog workbook template in the Workbooks search results)


  • Option 3 – Use the hunting queries from Sentinel 
    • Go to Microsoft Sentinel > Click on the “Hunting” item in the left menu > Search for “Syslog” in the search bar to find relevant queries.  
    • Select a query and click on “View Results” 
    • In the below screenshot, we have selected the query for “Rare process running on a Linux host” 
    • (Screenshot: “Rare process running on a Linux host” hunting query results)
    • Learn more about hunting for threats in the docs 
  • Option 4 – Query the Syslog table 
    • Go to Microsoft Sentinel > Click on the “Logs” item in the left menu. Here you can search for “Syslog” in the queries flyout, or dismiss it and write your own query against the Syslog table. 
    • (Screenshot: Logs blade with a query against the Syslog table)
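As an added example (not code from the original post), the following KQL can be pasted into the Logs blade to surface processes that appear on only one AKS node, in the spirit of the “Rare process running on a Linux host” hunting query above. It assumes Container Insights writes node Syslog into the Sentinel workspace and that node computer names start with `aks-` (the default node pool naming; adjust the prefix if yours differs).

```kql
// Added example, not from the original post: find rarely seen processes on AKS nodes.
// Assumption: AKS node names start with "aks-"; change node_prefix if your pools differ.
let lookback = 7d;
let node_prefix = "aks-";
let node_logs =
    Syslog
    | where TimeGenerated > ago(lookback)
    | where Computer startswith node_prefix;
// Baseline: on how many distinct nodes, and how often, each ProcessName is seen.
let process_baseline =
    node_logs
    | where isnotempty(ProcessName)
    | summarize Events = count(), Nodes = dcount(Computer) by ProcessName;
// "Rare" here means: seen on a single node with only a handful of events in the window.
process_baseline
| where Nodes == 1 and Events <= 5
| join kind=inner (
    node_logs
    | project TimeGenerated, Computer, Facility, SeverityLevel, ProcessName, SyslogMessage
  ) on ProcessName
| project TimeGenerated, Computer, ProcessName, Facility, SeverityLevel, SyslogMessage
| order by TimeGenerated desc
```

Tune the `Events` threshold and the lookback to your cluster's size; a node pool that was just scaled out will naturally show one-off processes during bootstrap.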

Hope you find this useful, please reach out if you have any questions! 

Version history
Last update: Jul 19 2023 03:18 PM