Syslog from the node operating system is one of the critical logging sources for monitoring the security of Kubernetes (K8S) workloads. We recently launched the ability to collect Syslog from AKS clusters using Azure Monitor – Container Insights. In this blog post, we discuss how Azure customers can use Microsoft Sentinel to ingest and analyze the Syslog data from their AKS clusters.
Why send Syslog data to Sentinel
Syslog data can help you monitor security and health of your AKS workloads. By sending Syslog data to Sentinel, you can use its cloud native SIEM features to detect and respond to threats, investigate incidents, and create dashboards and reports for your Kubernetes workloads.
Benefits of Host Logs
- With host Syslog, you can monitor security and health events for your AKS workloads using Azure Monitor – Container Insights, which collects Syslog from the Linux nodes in a centralized and standardized way. Node-level events such as kernel messages, SSH logins, sudo use and cron or systemd activity never appear in container stdout, so host Syslog is the only place they can be seen. This can help you reduce downtime and breaches, troubleshoot issues, and track historical changes in your K8S workloads.
How to send AKS Syslog data to Sentinel
Azure Monitor – Container Insights now allows you to collect Syslog from your AKS clusters. This data is sent to a Log Analytics workspace and written to the existing Syslog table. Because the data lands in the same Syslog table that Sentinel already reads, it works with Sentinel automatically; you just need to point Container Insights at the Log Analytics workspace that Sentinel is enabled on.
- Prerequisite: onboard to Microsoft Sentinel and have the Sentinel-enabled Log Analytics workspace ready.
- First, enable Syslog collection on your AKS cluster using Container Insights.
- Note: you must select the Sentinel workspace as the destination while enabling Container Insights.
- Container Insights enables Syslog collection for your AKS nodes by installing its AKS add-on and agents on every node.
- Once Syslog collection is enabled, you can also customize it by going here: https://learn.microsoft.com/en-us/azure/azure-monitor/containers/container-insights-syslog#editing-your-syslog-collection-settings
- That’s it!
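The same steps from the Azure CLI, as an added example that is not part of the original post. The resource group, cluster and workspace names are assumptions; replace them with your own. The script also shows the two checks a practitioner wants afterwards: that the Container Insights agent DaemonSet is running on the nodes, and that rows from those nodes are arriving in the Syslog table of the Sentinel workspace.

```shell
#!/bin/sh
# Added example (not from the original post): enable Container Insights with
# Syslog collection on an existing AKS cluster and point it at the Log Analytics
# workspace that Microsoft Sentinel is enabled on. All names below are assumed.
set -eu

RESOURCE_GROUP="${RESOURCE_GROUP:-rg-aks-prod}"          # assumed
CLUSTER_NAME="${CLUSTER_NAME:-aks-prod-01}"              # assumed
SENTINEL_RG="${SENTINEL_RG:-rg-sentinel}"                # assumed
SENTINEL_WORKSPACE="${SENTINEL_WORKSPACE:-law-sentinel}" # assumed

# --workspace-resource-id needs the full ARM ID of the workspace, not its name
# and not its customerId GUID. This check catches that mix-up before calling az.
is_workspace_resource_id() {
  case "$1" in
    /subscriptions/*/resourceGroups/*/providers/Microsoft.OperationalInsights/workspaces/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Resolve the Sentinel workspace to its ARM resource ID.
sentinel_workspace_id() {
  az monitor log-analytics workspace show \
    --resource-group "$SENTINEL_RG" --workspace-name "$SENTINEL_WORKSPACE" \
    --query id --output tsv
}

# Enable the monitoring add-on with Syslog collection turned on. If az reports
# that the monitoring add-on is already enabled, disable it first with
# `az aks disable-addons -a monitoring` and re-run; data already in the
# workspace is not deleted by disabling the add-on.
enable_syslog_collection() {
  ws_id="$1"
  is_workspace_resource_id "$ws_id" || {
    echo "not a Log Analytics workspace resource ID: $ws_id" >&2
    return 1
  }
  az aks enable-addons \
    --resource-group "$RESOURCE_GROUP" --name "$CLUSTER_NAME" \
    --addons monitoring \
    --workspace-resource-id "$ws_id" \
    --enable-syslog
}

# Checks: the Container Insights agent runs as the ama-logs DaemonSet in
# kube-system (one pod per node), and the Syslog table in the Sentinel
# workspace should show rows per node and facility within a few minutes.
verify_syslog_collection() {
  kubectl get daemonset ama-logs --namespace kube-system
  customer_id=$(az monitor log-analytics workspace show \
    --resource-group "$SENTINEL_RG" --workspace-name "$SENTINEL_WORKSPACE" \
    --query customerId --output tsv)
  az monitor log-analytics query --workspace "$customer_id" \
    --analytics-query 'Syslog | where TimeGenerated > ago(30m) | summarize Rows = count() by Computer, Facility' \
    --output table
}

# Only act when invoked as `sh enable-aks-syslog.sh run`; the functions above
# can otherwise be sourced and reused.
if [ "${1:-}" = "run" ]; then
  ws_id=$(sentinel_workspace_id)
  enable_syslog_collection "$ws_id"
  verify_syslog_collection
fi
```

The ARM-ID check exists because the three identifiers of a workspace (name, customerId GUID, resource ID) are easy to confuse and only the resource ID is accepted by `--workspace-resource-id`; the final query uses the customerId GUID, which is what `az monitor log-analytics query --workspace` expects.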
NOTE: We are currently working with the Sentinel team on the design of a new dedicated Syslog connector, which will make it even easier to ingest and analyze Syslog data from your AKS clusters. We will share more information about this connector soon. In the meantime, you can use the following process to get the most out of Syslog and Sentinel for your K8S workloads.
Analyzing Syslog data in Sentinel
Once enabled, you can use any of the following Sentinel capabilities to analyze Syslog data.
- Option 1 - Use the Overview dashboard to understand your overall data
- Option 2 - Use the built-in Syslog overview workbook template
- Go to Microsoft Sentinel > Click on the “Workbooks” item in the left menu > Search for “Syslog” in the search bar
- Option 3 – Use the hunting queries from Sentinel
- Go to Microsoft Sentinel > Click on the “Hunting” item in the left menu > Search for “Syslog” in the search bar to find relevant queries.
- Select a Query and click on “View Results”
- In the screenshot below, the query “Rare process running on a Linux host” is selected.
- Learn more about hunting for threats in the docs
- Option 4 – Query the Syslog table
- Go to Microsoft Sentinel > Click on the “Logs” item in the left menu. A Queries flyout opens: search it for “Syslog” to load one of the existing Syslog queries, or dismiss it and write your own KQL against the Syslog table.
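A query worth starting with, as an added example that is not part of the original post: authentication activity on the AKS nodes themselves. Nodes are normally reached through `kubectl debug` or the VMSS run-command path rather than interactive SSH, so sshd logins and sudo use recorded in the auth/authpriv facilities are rare and worth reviewing. The workspace name and resource group are assumptions; the KQL uses only the standard Syslog table columns (Facility, ProcessName, SyslogMessage, Computer, TimeGenerated). The shell classifier mirrors the `case()` in the KQL so the rule can be sanity-checked against a raw message offline; the sample messages are constructed, not real log data.

```shell
#!/bin/sh
# Added example (not from the original post): hunt for sshd/sudo activity on
# AKS nodes in the Syslog table, run from the CLI. Names below are assumed.
set -eu

SENTINEL_RG="${SENTINEL_RG:-rg-sentinel}"                # assumed
SENTINEL_WORKSPACE="${SENTINEL_WORKSPACE:-law-sentinel}" # assumed

# KQL: auth/authpriv messages from sshd and sudo, labelled and bucketed per
# node and hour. `contains` is used so the multi-word phrases match as written;
# `has` is faster when the value is a whole indexed term.
node_auth_activity_kql() {
  cat <<'KQL'
Syslog
| where Facility in ("auth", "authpriv")
| where ProcessName in ("sshd", "sudo")
| extend Action = case(
    SyslogMessage contains "Failed password",    "ssh_failed_login",
    SyslogMessage contains "Accepted publickey", "ssh_login",
    SyslogMessage contains "Accepted password",  "ssh_login",
    SyslogMessage contains "COMMAND=",           "sudo_command",
    "other")
| summarize Events = count(), Sample = take_any(SyslogMessage)
    by Computer, ProcessName, Action, bin(TimeGenerated, 1h)
| order by TimeGenerated desc
KQL
}

# Same classification as the KQL case() above, in shell, for an offline check
# of a single SyslogMessage value.
classify_message() {
  case "$1" in
    *"Failed password"*)                          echo ssh_failed_login ;;
    *"Accepted publickey"*|*"Accepted password"*) echo ssh_login ;;
    *"COMMAND="*)                                 echo sudo_command ;;
    *)                                            echo other ;;
  esac
}

# Constructed sample messages in sshd/sudo format (not real log data).
SAMPLE_SSH_FAIL='Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2'
SAMPLE_SSH_OK='Accepted publickey for azureuser from 10.240.0.4 port 40212 ssh2: ED25519 SHA256:abc'
SAMPLE_SUDO='azureuser : TTY=pts/0 ; PWD=/home/azureuser ; USER=root ; COMMAND=/usr/bin/crictl ps'
SAMPLE_OTHER='pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)'

# Dry run: print each constructed sample with the label the rule would assign.
dry_run() {
  for m in "$SAMPLE_SSH_FAIL" "$SAMPLE_SSH_OK" "$SAMPLE_SUDO" "$SAMPLE_OTHER"; do
    printf '%-17s %s\n' "$(classify_message "$m")" "$m"
  done
}

# Run the query against the Sentinel workspace over the last day
# (--timespan is ISO 8601; --workspace takes the customerId GUID).
run_node_auth_hunt() {
  customer_id=$(az monitor log-analytics workspace show \
    --resource-group "$SENTINEL_RG" --workspace-name "$SENTINEL_WORKSPACE" \
    --query customerId --output tsv)
  az monitor log-analytics query --workspace "$customer_id" \
    --analytics-query "$(node_auth_activity_kql)" --timespan P1D --output table
}

case "${1:-}" in
  run)     run_node_auth_hunt ;;
  dry-run) dry_run ;;
esac
```

Once the result set looks right in Logs, the same KQL can be pasted into a scheduled analytics rule; a threshold of a handful of `ssh_failed_login` events per node per hour, or any `sudo_command` from an account that is not your break-glass user, is a reasonable first alert for AKS nodes.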
Hope you find this useful, please reach out if you have any questions!
Updated Jul 19, 2023
Version 2.0
ibraraslam, Microsoft (joined May 04, 2023)
Azure Observability Blog