Tutorial: Forward Syslog data to a Log Analytics workspace with Microsoft Sentinel by using Azure Monitor Agent

In this tutorial, you configure a Linux virtual machine (VM) to forward Syslog data to your workspace by using Azure Monitor Agent. These steps let you collect and monitor data from Linux-based devices on which you can't install an agent, such as a firewall or other network device.

Configure your Linux-based device to send data to a Linux VM. Azure Monitor Agent on the VM forwards the Syslog data to the Log Analytics workspace. Then use Microsoft Sentinel or Azure Monitor to monitor the device from the data stored in the Log Analytics workspace.

In this tutorial, you learn how to:

  • Create a data collection rule.
  • Verify that Azure Monitor Agent is running.
  • Enable log reception on port 514.
  • Verify that Syslog data is forwarded to your Log Analytics workspace.

Prerequisites

To complete the steps in this tutorial, you must have the following resources and roles:

Configure Azure Monitor Agent to collect Syslog data

See the step-by-step instructions in Collect Syslog events with Azure Monitor Agent.

Verify that Azure Monitor Agent is running

In Microsoft Sentinel or Azure Monitor, verify that Azure Monitor Agent is running on your VM.

  1. In the Azure portal, search for and open Microsoft Sentinel or Azure Monitor.

  2. If you're using Microsoft Sentinel, select the appropriate workspace.

  3. Under General, select Logs.

  4. Close the Queries page so that the New Query tab appears.

  5. Run the following query where you replace the computer value with the name of your Linux VM.

    Heartbeat
    | where Computer == "vm-linux"
    | take 10

Enable log reception on port 514

Verify that the VM that's collecting the log data allows reception on port 514 TCP or UDP depending on the Syslog source. Then configure the built-in Linux Syslog daemon on the VM to listen for Syslog messages from your devices. After you finish those steps, configure your Linux-based device to send logs to your VM.

Note

If the firewall is running, you need to create a rule that allows remote systems to reach the daemon's Syslog listener. Check whether firewalld is running:

    systemctl status firewalld.service

  1. Add a rule for TCP 514 (your zone, port, and protocol may differ depending on your scenario):

         firewall-cmd --zone=public --add-port=514/tcp --permanent

  2. Add a rule for UDP 514 (your zone, port, and protocol may differ depending on your scenario):

         firewall-cmd --zone=public --add-port=514/udp --permanent

  3. Restart the firewall service so that the new rules take effect:

         systemctl restart firewalld.service

The following two sections cover how to add an inbound port rule for an Azure VM and configure the built-in Linux Syslog daemon.

Allow inbound Syslog traffic on the VM

If you're forwarding Syslog data to an Azure VM, follow these steps to allow reception on port 514.

  1. In the Azure portal, search for and select Virtual Machines.

  2. Select the VM.

  3. Under Settings, select Networking.

  4. Select Add inbound port rule.

  5. Enter the following values.

    Field                    Value
    Destination port ranges  514
    Protocol                 TCP or UDP, depending on the Syslog source
    Action                   Allow
    Name                     AllowSyslogInbound

    Use the default values for the rest of the fields.

  6. Select Add.

Configure the Linux Syslog daemon

Connect to your Linux VM and configure the Linux Syslog daemon. For example, run the following command, adapting the command as needed for your network environment:

    sudo wget -O Forwarder_AMA_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Forwarder_AMA_installer.py && sudo python3 Forwarder_AMA_installer.py

This script can modify the configuration of both rsyslog (under rsyslog.d) and syslog-ng.

Note

To avoid Full Disk scenarios where the agent can't function, we recommend that you set the syslog-ng or rsyslog configuration not to store unneeded logs. A Full Disk scenario disrupts the function of the installed Azure Monitor Agent. Read more about rsyslog or syslog-ng.
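After the firewall rules and the daemon configuration are in place, it helps to confirm on the VM itself that port 514 is actually bound for both TCP and UDP and exposed by firewalld. The following POSIX shell script is an added example, not part of this tutorial or of the Azure installer script; it assumes the column layout of `ss -Hlntu` (local address in the fifth column) and the space-separated output of `firewall-cmd --list-ports`, and ships with constructed sample output so it can be exercised offline.

```shell
#!/bin/sh
# Added check script (not part of the tutorial): verifies that the forwarder VM
# has a Syslog listener on 514/tcp and 514/udp and that firewalld allows them.

# Constructed sample of `ss -Hlntu` on a correctly configured forwarder.
SS_OK='udp   UNCONN 0      0            0.0.0.0:514       0.0.0.0:*
tcp   LISTEN 0      25           0.0.0.0:514       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*'
# Constructed sample where the daemon was never told to listen on 514
# (note the 5140 listener, which must not count as a match for port 514).
SS_MISSING='tcp   LISTEN 0      128        127.0.0.1:5140      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*'
PORTS_OK='514/tcp 514/udp'

# Return 0 if the given `ss` output shows a socket bound on port/proto.
has_listener() {
    proto="$1"; port="$2"; ss_output="$3"
    printf '%s\n' "$ss_output" | awk -v p="$proto" -v port="$port" '
        $1 == p && $5 ~ (":" port "$") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Return 0 if `firewall-cmd --list-ports` output contains port/proto exactly.
firewall_allows() {
    proto="$1"; port="$2"; ports_output="$3"
    printf '%s\n' "$ports_output" | tr ' ' '\n' | grep -qx "${port}/${proto}"
}

# Print one status line per protocol; return the number of failed checks.
report_syslog_reception() {
    ss_output="$1"; ports_output="$2"; failures=0
    for proto in tcp udp; do
        if has_listener "$proto" 514 "$ss_output"; then l="listening"
        else l="NOT listening"; failures=$((failures + 1)); fi
        if firewall_allows "$proto" 514 "$ports_output"; then f="firewall open"
        else f="firewall CLOSED"; failures=$((failures + 1)); fi
        echo "514/$proto: $l, $f"
    done
    return "$failures"
}

# Live use on the forwarder VM (assumes iproute2 and firewalld are installed):
#   sh check_syslog_reception.sh --live
if [ "${1:-}" = "--live" ]; then
    report_syslog_reception "$(ss -Hlntu)" "$(firewall-cmd --list-ports)"
fi
```

A non-zero exit status from `report_syslog_reception` tells you which of the two prerequisites (daemon listener or firewall rule) is still missing before you point devices at the VM.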

Verify Syslog data is forwarded to your Log Analytics workspace

After you configure your Linux-based device to send logs to your VM, verify that Azure Monitor Agent is forwarding Syslog data to your workspace.

  1. In the Azure portal, search for and open Microsoft Sentinel or Azure Monitor.

  2. If you're using Microsoft Sentinel, select the appropriate workspace.

  3. Under General, select Logs.

  4. Close the Queries page so that the New Query tab appears.

  5. Run the following query where you replace the computer value with the name of your Linux VM.

    Syslog
    | where Computer == "vm-linux"
    | summarize by HostName

Clean up resources

Evaluate whether you need the resources like the VM that you created. Resources you leave running can cost you money. Delete the resources you don't need individually. You can also delete the resource group to delete all the resources you created.