In this tutorial, you configure a Linux virtual machine (VM) to forward Syslog data to your workspace by using Azure Monitor Agent. These steps allow you to collect and monitor data from Linux-based devices where you can't install an agent like a firewall network device.
Note
Container Insights now supports the automatic collection of Syslog events from Linux nodes in your AKS clusters. To learn more, see Syslog collection with Container Insights.
Configure your Linux-based device to send data to a Linux VM. Azure Monitor Agent on the VM forwards the Syslog data to the Log Analytics workspace. Then use Microsoft Sentinel or Azure Monitor to monitor the device from the data stored in the Log Analytics workspace.
In this tutorial, you learn how to:
- Create a data collection rule.
- Verify that Azure Monitor Agent is running.
- Enable log reception on port 514.
- Verify that Syslog data is forwarded to your Log Analytics workspace.
Prerequisites
To complete the steps in this tutorial, you must have the following resources and roles:
- An Azure account with an active subscription. Create an account for free. 
- An Azure account with the following roles to deploy the agent and create the data collection rules:

| Built-in role | Scope | Reason |
|---|---|---|
| Virtual Machine Contributor, Azure Connected Machine Resource Administrator | Virtual machines, Scale sets, Azure Arc-enabled servers | To deploy the agent |
| Any role that includes the action Microsoft.Resources/deployments/* | Subscription, Resource group, Existing data collection rule | To deploy Azure Resource Manager templates |
| Monitoring Contributor | Subscription, Resource group, Existing data collection rule | To create or edit data collection rules |
- A Log Analytics workspace. 
- A Linux server that's running an operating system that supports Azure Monitor Agent. 
- A Linux-based device that generates event log data like a firewall network device. 
Create the DCR and add resources
To create the DCR and add resources, follow the steps in these articles:
Configure Syslog data source
On the Collect and deliver tab of the DCR, select Linux Syslog from the Data source type dropdown.
Select a Minimum log level for each facility or NONE to collect no events for that facility. You can configure multiple facilities at once by selecting their checkbox and then selecting a log level in Set minimum log level for selected facilities.
All logs with the selected severity level and higher are collected for the facility. The supported severity levels and their relative severity are as follows:
- Debug
- Info
- Notice
- Warning
- Error
- Critical
- Alert
- Emergency
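To make the per-facility minimum level concrete, here is an added Python example (not code from the Microsoft Learn article or the Azure-Sentinel repository). It decodes the PRI field of RFC 3164 messages as a forwarder VM would receive them on port 514 and checks each one against a DCR-style facility-to-minimum-level mapping; the DCR values and sample lines are constructed, and the facility names used for codes 12 to 15 are conventional, not Azure's.

```python
# Added example: decide whether a Syslog event would be collected under a DCR's
# per-facility "Minimum log level" setting, by decoding the <PRI> prefix.
import re

# Severities from lowest (Debug) to highest (Emergency); numeric code = 7 - index.
SEVERITIES = ["Debug", "Info", "Notice", "Warning", "Error", "Critical", "Alert", "Emergency"]
# Facility codes 0..23. Names for 12..15 vary by platform; local0..local7 are 16..23.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"] + [f"local{i}" for i in range(8)]

PRI_RE = re.compile(r"^<(\d{1,3})>")

def decode_pri(line: str):
    """Return (facility_name, severity_name) from the <PRI> prefix, or None if missing/invalid."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # largest valid PRI is 23*8 + 7
        return None
    facility_code, severity_code = divmod(pri, 8)
    return FACILITIES[facility_code], SEVERITIES[7 - severity_code]

def would_collect(dcr_min_levels: dict, line: str) -> bool:
    """True if a DCR mapping facility -> minimum level (or "NONE") collects this event.
    The DCR collects the selected level and everything more severe than it."""
    decoded = decode_pri(line)
    if decoded is None:
        return False
    facility, severity = decoded
    min_level = dcr_min_levels.get(facility, "NONE")
    if min_level == "NONE":
        return False
    return SEVERITIES.index(severity) >= SEVERITIES.index(min_level)

# Constructed (hypothetical) DCR setting: a firewall logging to local4 at Info or higher,
# auth at Warning or higher, every other facility left at NONE.
DCR = {"local4": "Info", "auth": "Warning"}

# Constructed sample lines, not real device output.
SAMPLE = [
    '<166>Jan 10 12:00:01 fw01 kernel: DROP IN=eth0 SRC=10.0.0.5',   # local4.info    -> collected
    '<167>Jan 10 12:00:02 fw01 kernel: conntrack table refreshed',  # local4.debug   -> below minimum
    '<36>Jan 10 12:00:03 fw01 sshd: Failed password for admin',     # auth.warning   -> collected
    '<38>Jan 10 12:00:04 fw01 sshd: Accepted publickey for ops',    # auth.info      -> below minimum
    '<13>Jan 10 12:00:05 fw01 logger: test',                        # user.notice    -> facility is NONE
]

def count_collected(dcr=DCR, lines=SAMPLE) -> int:
    """Number of sample events the DCR would forward to the Syslog table."""
    return sum(would_collect(dcr, line) for line in lines)
```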
Add destinations
Syslog data can only be sent to a Log Analytics workspace, where it's stored in the Syslog table. Add a destination of type Azure Monitor Logs and select a Log Analytics workspace. While you can add multiple workspaces, be aware that this sends a copy of the same data to each workspace, which results in additional cost.
Verify data collection
To verify that data is being collected, check for records in the Syslog table. From the virtual machine or from the Log Analytics workspace in the Azure portal, select Logs and then click the Tables button. Under the Virtual machines category, click Run next to Syslog.
For the full procedure of configuring Syslog data collection, see Collect Syslog events with Azure Monitor Agent.
Verify that Azure Monitor Agent is running
In Microsoft Sentinel or Azure Monitor, verify that Azure Monitor Agent is running on your VM.
- In the Azure portal, search for and open Microsoft Sentinel or Azure Monitor. 
- If you're using Microsoft Sentinel, select the appropriate workspace. 
- Under General, select Logs. 
- Close the Queries page so that the New Query tab appears. 
- Run the following query, replacing the computer value with the name of your Linux VM:
  Heartbeat | where Computer == "vm-linux" | take 10
Enable log reception on port 514
Verify that the VM that's collecting the log data allows reception on port 514 TCP or UDP depending on the Syslog source. Then configure the built-in Linux Syslog daemon on the VM to listen for Syslog messages from your devices. After you finish those steps, configure your Linux-based device to send logs to your VM.
Note
If the firewall is running, a rule needs to be created to allow remote systems to reach the daemon's Syslog listener. Check whether firewalld is active:
systemctl status firewalld.service
- Add a rule for TCP 514 (your zone, port, and protocol may differ depending on your scenario):
firewall-cmd --zone=public --add-port=514/tcp --permanent
- Add a rule for UDP 514 (your zone, port, and protocol may differ depending on your scenario):
firewall-cmd --zone=public --add-port=514/udp --permanent
- Restart the firewall service so that the new permanent rules take effect:
systemctl restart firewalld.service
The following two sections cover how to add an inbound port rule for an Azure VM and configure the built-in Linux Syslog daemon.
Allow inbound Syslog traffic on the VM
If you're forwarding Syslog data to an Azure VM, follow these steps to allow reception on port 514.
- In the Azure portal, search for and select Virtual Machines. 
- Select the VM. 
- Under Settings, select Networking. 
- Select Add inbound port rule. 
- Enter the following values, and use the default values for the rest of the fields:

| Field | Value |
|---|---|
| Destination port ranges | 514 |
| Protocol | TCP or UDP depending on Syslog source |
| Action | Allow |
| Name | AllowSyslogInbound |
- Select Add. 
Configure the Linux Syslog daemon
Connect to your Linux VM and configure the Linux Syslog daemon. For example, run the following command, adapting the command as needed for your network environment:
sudo wget -O Forwarder_AMA_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Forwarder_AMA_installer.py && sudo python3 Forwarder_AMA_installer.py
This script can make changes for both rsyslog.d and syslog-ng.
Note
To avoid a full-disk scenario in which the agent can't function, configure syslog-ng or rsyslog so that it doesn't store logs locally that the agent doesn't need. A full disk disrupts the operation of the installed Azure Monitor Agent.
Read more about rsyslog or syslog-ng.
Verify Syslog data is forwarded to your Log Analytics workspace
After you configure your Linux-based device to send logs to your VM, verify that Azure Monitor Agent is forwarding Syslog data to your workspace.
- In the Azure portal, search for and open Microsoft Sentinel or Azure Monitor. 
- If you're using Microsoft Sentinel, select the appropriate workspace. 
- Under General, select Logs. 
- Close the Queries page so that the New Query tab appears. 
- Run the following query, replacing the computer value with the name of your Linux VM:
  Syslog | where Computer == "vm-linux" | summarize by HostName
Clean up resources
Evaluate whether you need the resources like the VM that you created. Resources you leave running can cost you money. Delete the resources you don't need individually. You can also delete the resource group to delete all the resources you created.