Manage syslog forwarding for Azure Local

Applies to: Azure Local, version 23H2

This article describes how to configure security events to be forwarded to a customer-managed security information and event management (SIEM) system using syslog protocol for Azure Local, version 23H2.

Use syslog forwarding to integrate with security monitoring solutions and to retrieve relevant security event logs to store them for retention on your own SIEM platform. For more information about security features in this release, see Security features for Azure Local, version 23H2.

Configure syslog forwarding

Syslog forwarding agents are deployed on every Azure Local host by default, ready to be configured. Each of the agents will forward security events in syslog format from the host to the customer-configured syslog server.

Syslog forwarding agents work independently from each other but can be managed all together on any one of the hosts. Use PowerShell cmdlets with administrative privileges on any host to control the behavior of all forwarder agents.

The syslog forwarder in Azure Local supports the following configurations:

  • Syslog forwarding with TCP, mutual authentication (client and server), and TLS encryption: In this configuration, both the syslog server and the syslog client verify the identity of each other via certificates. Messages are sent over a TLS encrypted channel. For more information, see Syslog forwarding with TCP, mutual authentication (client and server), and TLS encryption.

  • Syslog forwarding with TCP, server authentication, and TLS encryption: In this configuration, the syslog client verifies the identity of the syslog server via a certificate. Messages are sent over a TLS encrypted channel. For more information, see Syslog forwarding with TCP, server authentication, and TLS encryption.

  • Syslog forwarding with TCP and no encryption: In this configuration, the syslog client and syslog server identities aren’t verified. Messages are sent in clear text over TCP. For more information, see Syslog forwarding with TCP and no encryption.

  • Syslog with UDP and no encryption: In this configuration, the syslog client and syslog server identities aren’t verified. Messages are sent in clear text over UDP. For more information, see Syslog forwarding with UDP and no encryption.

    Important

    To protect against man-in-the-middle attacks and eavesdropping of messages, Microsoft strongly recommends that you use TCP with authentication and encryption in production environments. TLS encryption version depends on the handshake between the endpoints. Both, TLS 1.2 and TLS 1.3, are supported by default.

Cmdlets to configure syslog forwarding

Configuring syslog forwarder requires access to the physical host using a domain administrator account. A set of PowerShell cmdlets has been added to all Azure Local hosts to control behavior of the syslog forwarder.

The Set-AzSSyslogForwarder cmdlet is used to set the syslog forwarder configuration for all hosts. If successful, an action plan instance will be started to config the syslog forwarder agents across all hosts. The action plan instance ID will be returned.

Use the following cmdlet to pass the syslog server information to the forwarder and to configure the transport protocol, the encryption, the authentication, and the optional certificate used between the client and the server:

Set-AzSSyslogForwarder [-ServerName <String>] [-ServerPort <UInt16>] [-NoEncryption] [-SkipServerCertificateCheck | -SkipServerCNCheck] [-UseUDP] [-ClientCertificateThumbprint <String>] [-OutputSeverity {Default | Verbose}] [-Remove] 

Cmdlet parameters

The following table provides parameters for the Set-AzSSyslogForwarder cmdlet:

Parameter Description Type Required
ServerName FQDN or IP address of the syslog server. String Yes
ServerPort Port number the syslog server is listening on. UInt16 Yes
NoEncryption Force the client to send syslog messages in clear text. Flag No
SkipServerCertificateCheck Skip validation of the certificate provided by the syslog server during initial TLS handshake. Flag No
SkipServerCNCheck Skip validation of the Common Name value of the certificate provided by the syslog server during initial TLS handshake. Flag No
UseUDP Use syslog with UDP as transport protocol. Flag No
ClientCertificateThumbprint Thumbprint of the client certificate used to communicate with syslog server. String No
OutputSeverity Level of output logging. Values are Default or Verbose. Default includes severity levels: warning, critical, or error. Verbose includes all severity levels: verbose, informational, warning, critical, or error. String No
Remove Remove current syslog forwarder configuration and stop syslog forwarder. Flag No

Syslog forwarding with TCP, mutual authentication (client and server), and TLS encryption

In this configuration, the syslog client in Azure Local forwards messages to the syslog server over TCP with TLS encryption. During the initial handshake, the client verifies that the server provides a valid, trusted certificate. The client also provides a certificate to the server as proof of its identity.

This configuration is the most secure as it provides full validation of the identity of both the client and the server, and it sends messages over an encrypted channel.

Important

Microsoft recommends that you use this configuration for production environments.

To configure syslog forwarder with TCP, mutual authentication, and TLS encryption, configure the server and provide certificate to the client to authenticate against the server.

Run the following cmdlet against a physical host:

Set-AzSSyslogForwarder -ServerName <FQDN or IP address of syslog server> -ServerPort <Port number on which the syslog server is listening> -ClientCertificateThumbprint <Thumbprint of the client certificate>

Important

The client certificate must contain a private key. If the client certificate is signed using a self-signed root certificate, you must import the root certificate as well.

Syslog forwarding with TCP, server authentication, and TLS encryption

In this configuration, the syslog forwarder in Azure Local forwards the messages to the syslog server over TCP with TLS encryption. During the initial handshake, the client also verifies that the server provides a valid, trusted certificate.

This configuration prevents the client from sending messages to untrusted destinations. TCP using authentication and encryption is the default configuration and represents the minimum level of security that Microsoft recommends for a production environment.

Set-AzSSyslogForwarder -ServerName <FQDN or IP address of syslog server> -ServerPort <Port number on which the syslog server is listening>

If you want to test the integration of your syslog server with the Azure Local syslog forwarder by using a self-signed or untrusted certificate, use these flags to skip the server validation done by the client during the initial handshake.

  1. Skip validation of the Common Name value in the server certificate. Use this flag if you provide an IP address for your syslog server.

    Set-AzSSyslogForwarder -ServerName <FQDN or IP address of syslog server> -ServerPort <Port number on which the syslog server is listening> 
    -SkipServerCNCheck
    
  2. Skip the server certificate validation.

    Set-AzSSyslogForwarder -ServerName <FQDN or IP address of syslog server> -ServerPort <Port number on which the syslog server is listening>  
    -SkipServerCertificateCheck
    

    Important

    Microsoft recommends that you do not use the -SkipServerCertificateCheck flag in production environments.

Syslog forwarding with TCP and no encryption

In this configuration, the syslog client in Azure Local forwards messages to the syslog server over TCP with no encryption. The client doesn’t verify the identity of the server, nor does it provide its own identity to the server for verification.

Set-AzSSyslogForwarder -ServerName <FQDN or IP address of syslog server> -ServerPort <Port number on which the syslog server is listening on> -NoEncryption

Important

Microsoft recommends that you do not use this configuration in production environments.

Syslog forwarding with UDP and no encryption

In this configuration, the syslog client in Azure Local forwards messages to the syslog server over UDP, with no encryption. The client doesn’t verify the identity of the server, nor does it provide its own identity to the server for verification.

Set-AzSSyslogForwarder -ServerName <FQDN or IP address of syslog server> -ServerPort <Port number on which the syslog server is listening> -UseUDP

While UDP with no encryption is the easiest to configure, it doesn’t provide any protection against man-in-the-middle attacks or eavesdropping of messages.

Important

Microsoft recommends that you do not use this configuration in production environments.

Enable syslog forwarding

Run the following cmdlet to enable syslog forwarding:

Enable-AzSSyslogForwarder [-Force]

Syslog forwarder will be enabled with the stored configuration provided by the last successful Set-AzSSyslogForwarder call. The cmdlet will fail if no configuration has been provided using Set-AzSSyslogForwarder.

Disable syslog forwarding

Run the following cmdlet to disable syslog forwarding:

Disable-AzSSyslogForwarder [-Force] 

Parameter for Enable-AzSSyslogForwarder and Disable-AzSSyslogForwarder cmdlets:

Parameter Description Type Required
Force If specified, an action plan will always be triggered even if the target state is the same as current. This can be helpful to reset out-of-band changes. Flag No

Verify syslog setup

After you successfully connect the syslog client to your syslog server, you will start to receive event notifications. If you don’t see notifications, verify your cluster syslog forwarder configuration by running the following cmdlet:

Get-AzSSyslogForwarder [-Local | -PerNode | -Cluster] 

Each host has its own syslog forwarder agent that uses a local copy of the cluster configuration. They are always expected to be the same as the cluster configuration. You can verify the current configuration on each host by using the following cmdlet:

Get-AzSSyslogForwarder -PerNode 

You can also use the following cmdlet to verify the configuration on the host you are connected to:

Get-AzSSyslogForwarder -Local

Cmdlet parameters for the Get-AzSSyslogForwarder cmdlet:

Parameter Description Type Required
Local Show currently used configuration on current host. Flag No
PerNode Show currently used configuration on each host. Flag No
Cluster Show current global configuration on Azure Local. This is the default behavior if no parameter is provided. Flag No

Remove syslog forwarding

Run the following command to remove the syslog forwarder configuration and stop the syslog forwarder:

Set-AzSSyslogForwarder -Remove 

Message schema and event log reference

The following reference material documents syslog message schema and event definitions.

The syslog forwarder of the Azure Local infrastructure sends messages formatted following the BSD syslog protocol defined in RFC3164. CEF is also used to format the syslog message payload.

Each syslog message is structured based on this schema: Priority (PRI) | Time | Host | CEF payload |

The PRI part contains two values: facility and severity. Both depend on the type of message, like Windows Event, etc.

Next steps

Learn more about: