
Azure Stack – ASDK Syslog Client Meets Log Analytics


In my previous post I blogged about how to install the latest version of the Azure Stack Development Kit. Release 1.1809.0.90 has a built-in syslog client which I wanted to test. Azure Log Analytics supports syslog messages, so I think it is a valid solution to use with Azure Stack. That sounds very cool in my opinion, and since I am a huge fan of the Azure Monitor family members like Azure Log Analytics (ALA), I wanted to try this out. The supported way to send syslog messages to Azure Log Analytics is to deploy a Linux server and install and configure the Azure Log Analytics Agent for Linux to forward the messages to Azure Log Analytics. I will just describe my test setup to play with the Azure Stack feature; it is not meant for production environments!

Syslog forwarding diagram

Ok let’s get started! The syslog client in Azure Stack supports the following configurations:

  1. Syslog over TCP, with mutual authentication (client and server) and TLS 1.2 encryption: In this configuration, both the syslog server and the syslog client can verify the identity of each other via certificates. The messages are sent over a TLS 1.2 encrypted channel.
  2. Syslog over TCP with server authentication and TLS 1.2 encryption: In this configuration, the syslog client can verify the identity of the syslog server via a certificate. The messages are sent over a TLS 1.2 encrypted channel.
  3. Syslog over TCP, with no encryption: In this configuration, neither the syslog client nor syslog server verifies the identity of each other. The messages are sent in clear text over TCP.
  4. Syslog over UDP, with no encryption: In this configuration, neither the syslog client nor syslog server verifies the identity of each other. The messages are sent in clear text over UDP.

I am going for option 3, because this is just a test and I want to get results as quickly as possible. My ASDK deployment is running in an Azure VNet named AzureStack-VNet, in which I also deploy an Ubuntu 16.04 LTS virtual machine. Make sure your Linux VM is supported by the Log Analytics Linux agent…


…and that you place it into the proper VNet…


…finally make sure your deployment is successful…


…then we create inbound rules for SSH (port 22) and, in my case, an additional TCP rule on port 25225 for my 10.0.0.0/24 network. The syslog server will listen on TCP port 25225 for syslog traffic…


…next we make sure the server is always assigned the same IP…


…then SSH into the Linux system and install the Linux agent on the server…

sudo su
wget https://raw.githubusercontent.com/Microsoft/OMS-Agent-for-Linux/master/installer/scripts/onboard_agent.sh && sh onboard_agent.sh -w [Workspace ID] -s [Workspace Key]

…the output will look like this…


…next we need to configure the agent to listen on TCP port 25225; edit the syslog.conf file…

vi /etc/opt/microsoft/omsagent/ed13775a-d9f6-4661-972c-0eaa2600695e/conf/omsagent.d/syslog.conf

…like in this screenshot…


…restart the OMS agent and rsyslog…

sudo /opt/microsoft/omsagent/bin/service_control restart
sudo service rsyslog restart

…run Test-NetConnection, e.g. from the Azure Stack host, to see if we can access TCP port 25225…


From the Azure Stack host, log in to AzS-ERCS01 using the azurestack\cloudadmin account and then run the Set-SyslogServer command

$cred = Get-Credential
$session = New-PSSession -ComputerName azs-ercs01 -ConfigurationName PrivilegedEndpoint -Credential $cred
Enter-PSSession -Session $session
Set-SyslogServer -ServerName 10.0.0.6 -ServerPort 25225 -NoEncryption

…the output will show something like this…

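To see what actually crosses the wire in this option-3 setup (plaintext syslog over TCP between the ERCS VM and port 25225 on the Ubuntu agent), here is an added example that is not from this post or from Microsoft: it plays both sides on a local ephemeral port, frames constructed RFC 3164-style messages with newlines and decodes the PRI field into the facility and severity that the agent forwards. The host name and message texts are made up; the facility and severity labels are the usual rsyslog-style names.

```python
import socket
import threading

# Facility and severity labels in PRI order (RFC 3164/5424 numbering, rsyslog-style names).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse_syslog(line: str) -> dict:
    """Decode '<PRI>rest' into facility/severity (PRI = facility * 8 + severity)."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("syslog line without PRI header: %r" % line)
    pri, rest = line[1:].split(">", 1)
    facility, severity = divmod(int(pri), 8)
    return {"facility": FACILITIES[facility], "severity": SEVERITIES[severity],
            "body": rest.strip()}

def roundtrip_over_tcp(messages):
    """Play both sides of option 3: a plaintext TCP listener (the omsagent role) and a
    client (the Azure Stack role) sending newline-framed messages. Nothing on the wire
    is protected, so anyone on the path reads exactly what the listener returns."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))      # ephemeral port here; the post's VM listens on 25225
    srv.listen(1)
    port = srv.getsockname()[1]
    received = []

    def listener():
        conn, _ = srv.accept()
        with conn:
            buf = b""
            while chunk := conn.recv(4096):   # read until the client closes its side
                buf += chunk
        received.extend(parse_syslog(ln) for ln in buf.decode().splitlines() if ln)

    t = threading.Thread(target=listener)
    t.start()
    with socket.create_connection(("127.0.0.1", port)) as client:
        client.sendall("".join(m + "\n" for m in messages).encode())
    t.join(5)
    srv.close()
    return received

# Constructed sample messages (not captured from a real Azure Stack host).
SAMPLE = ["<14>Oct  1 12:00:00 AzS-ERCS01 AzureStack: sample user.info event",
          "<85>Oct  1 12:00:01 AzS-ERCS01 AzureStack: sample authpriv.notice event",
          "<4>Oct  1 12:00:02 AzS-ERCS01 kernel: sample kern.warning event"]
```

Calling roundtrip_over_tcp(SAMPLE) returns the three entries as user/info, authpriv/notice and kern/warning, which is the same facility and severity split you pick in the Log Analytics portal below.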

In the Log Analytics portal I configure collection of the following facilities and severities…


…this is pushed down to the Linux machine as /etc/rsyslog.d/95-omsagent.conf, and the file itself looks like this…


…and of course in the Log Analytics portal we can check the received log entries…


…the Azure Stack syslog client will send plenty of messages to Azure Log Analytics, where we can explore, filter or even visualize the data. Just to be clear, this setup was only for playing around with the new Azure Stack feature. In production we would need to set up certificates for the syslog client to transmit the data securely, and we would also need to adjust the syslog configuration to support a reliable TCP connection in case of high-volume traffic. If you need to troubleshoot the Linux agent, find the troubleshooting guide here. I hope this post helps with testing this new Azure Stack feature, enjoy!
