Tutorial: Forward Syslog data to a Log Analytics workspace with Microsoft Sentinel by using Azure Monitor Agent
In this tutorial, you configure a Linux virtual machine (VM) to forward Syslog data to your workspace by using Azure Monitor Agent. These steps allow you to collect and monitor data from Linux-based devices where you can't install an agent like a firewall network device.
Note
Container Insights now supports the automatic collection of Syslog events from Linux nodes in your AKS clusters. To learn more, see Syslog collection with Container Insights.
Configure your Linux-based device to send data to a Linux VM. Azure Monitor Agent on the VM forwards the Syslog data to the Log Analytics workspace. Then use Microsoft Sentinel or Azure Monitor to monitor the device from the data stored in the Log Analytics workspace.
In this tutorial, you learn how to:
- Create a data collection rule.
- Verify that Azure Monitor Agent is running.
- Enable log reception on port 514.
- Verify that Syslog data is forwarded to your Log Analytics workspace.
To complete the steps in this tutorial, you must have the following resources and roles:
An Azure account with an active subscription. Create an account for free.
An Azure account with the following roles to deploy the agent and create the data collection rules.
Built-in role Scope Reason - Virtual Machine Contributor
- Azure Connected Machine Resource Administrator- Virtual machines
- Scale sets
- Azure Arc-enabled serversTo deploy the agent Any role that includes the action Microsoft.Resources/deployments/* - Subscription
- Resource group
- Existing data collection ruleTo deploy Azure Resource Manager templates Monitoring Contributor - Subscription
- Resource group
- Existing data collection ruleTo create or edit data collection rules A Log Analytics workspace.
A Linux server that's running an operating system that supports Azure Monitor Agent.
A Linux-based device that generates event log data like a firewall network device.
See the step-by-step instructions in Collect Syslog events with Azure Monitor Agent.
In Microsoft Sentinel or Azure Monitor, verify that Azure Monitor Agent is running on your VM.
In the Azure portal, search for and open Microsoft Sentinel or Azure Monitor.
If you're using Microsoft Sentinel, select the appropriate workspace.
Under General, select Logs.
Close the Queries page so that the New Query tab appears.
Run the following query where you replace the computer value with the name of your Linux VM.
Heartbeat | where Computer == "vm-linux" | take 10
Verify that the VM that's collecting the log data allows reception on port 514 TCP or UDP depending on the Syslog source. Then configure the built-in Linux Syslog daemon on the VM to listen for Syslog messages from your devices. After you finish those steps, configure your Linux-based device to send logs to your VM.
Note
If the firewall is running, a rule will need to be created to allow remote systems to reach the daemon’s syslog listener: systemctl status firewalld.service
- Add for tcp 514 (your zone/port/protocol may differ depending on your scenario)
firewall-cmd --zone=public --add-port=514/tcp --permanent
- Add for udp 514 (your zone/port/protocol may differ depending on your scenario)
firewall-cmd --zone=public --add-port=514/udp --permanent
- Restart the firewall service to ensure new rules take effect
systemctl restart firewalld.service
The following two sections cover how to add an inbound port rule for an Azure VM and configure the built-in Linux Syslog daemon.
If you're forwarding Syslog data to an Azure VM, follow these steps to allow reception on port 514.
In the Azure portal, search for and select Virtual Machines.
Select the VM.
Under Settings, select Networking.
Select Add inbound port rule.
Enter the following values.
Field Value Destination port ranges 514 Protocol TCP or UDP depending on Syslog source Action Allow Name AllowSyslogInbound Use the default values for the rest of the fields.
Select Add.
Connect to your Linux VM and configure the Linux Syslog daemon. For example, run the following command, adapting the command as needed for your network environment:
sudo wget -O Forwarder_AMA_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Forwarder_AMA_installer.py&&sudo python3 Forwarder_AMA_installer.py
This script can make changes for both rsyslog.d and syslog-ng.
Note
To avoid Full Disk scenarios where the agent can't function, we recommend that you set the syslog-ng
or rsyslog
configuration not to store unneeded logs. A Full Disk scenario disrupts the function of the installed Azure Monitor Agent.
Read more about rsyslog or syslog-ng.
After you configure your Linux-based device to send logs to your VM, verify that Azure Monitor Agent is forwarding Syslog data to your workspace.
In the Azure portal, search for and open Microsoft Sentinel or Azure Monitor.
If you're using Microsoft Sentinel, select the appropriate workspace.
Under General, select Logs.
Close the Queries page so that the New Query tab appears.
Run the following query where you replace the computer value with the name of your Linux VM.
Syslog | where Computer == "vm-linux" | summarize by HostName
Evaluate whether you need the resources like the VM that you created. Resources you leave running can cost you money. Delete the resources you don't need individually. You can also delete the resource group to delete all the resources you created.