Manage syslog forwarding for Azure Local
Applies to: Azure Local, version 23H2
This article describes how to configure security events to be forwarded to a customer-managed security information and event management (SIEM) system using syslog protocol for Azure Local, version 23H2.
Use syslog forwarding to integrate with security monitoring solutions and to retrieve relevant security event logs to store them for retention on your own SIEM platform. For more information about security features in this release, see Security features for Azure Local, version 23H2.
Configure syslog forwarding
Syslog forwarding agents are deployed on every Azure Local host by default, ready to be configured. Each of the agents will forward security events in syslog format from the host to the customer-configured syslog server.
Syslog forwarding agents work independently from each other but can be managed all together on any one of the hosts. Use PowerShell cmdlets with administrative privileges on any host to control the behavior of all forwarder agents.
The syslog forwarder in Azure Local supports the following configurations:
Syslog forwarding with TCP, mutual authentication (client and server), and TLS encryption: In this configuration, both the syslog server and the syslog client verify the identity of each other via certificates. Messages are sent over a TLS encrypted channel. For more information, see Syslog forwarding with TCP, mutual authentication (client and server), and TLS encryption.
Syslog forwarding with TCP, server authentication, and TLS encryption: In this configuration, the syslog client verifies the identity of the syslog server via a certificate. Messages are sent over a TLS encrypted channel. For more information, see Syslog forwarding with TCP, server authentication, and TLS encryption.
Syslog forwarding with TCP and no encryption: In this configuration, the syslog client and syslog server identities aren’t verified. Messages are sent in clear text over TCP. For more information, see Syslog forwarding with TCP and no encryption.
Syslog with UDP and no encryption: In this configuration, the syslog client and syslog server identities aren’t verified. Messages are sent in clear text over UDP. For more information, see Syslog forwarding with UDP and no encryption.
Important
To protect against man-in-the-middle attacks and eavesdropping of messages, Microsoft strongly recommends that you use TCP with authentication and encryption in production environments. TLS encryption version depends on the handshake between the endpoints. Both, TLS 1.2 and TLS 1.3, are supported by default.
Cmdlets to configure syslog forwarding
Configuring syslog forwarder requires access to the physical host using a domain administrator account. A set of PowerShell cmdlets has been added to all Azure Local hosts to control behavior of the syslog forwarder.
The Set-AzSSyslogForwarder
cmdlet is used to set the syslog forwarder configuration for all hosts. If successful, an action plan instance will be started to config the syslog forwarder agents across all hosts. The action plan instance ID will be returned.
Use the following cmdlet to pass the syslog server information to the forwarder and to configure the transport protocol, the encryption, the authentication, and the optional certificate used between the client and the server:
Set-AzSSyslogForwarder [-ServerName <String>] [-ServerPort <UInt16>] [-NoEncryption] [-SkipServerCertificateCheck | -SkipServerCNCheck] [-UseUDP] [-ClientCertificateThumbprint <String>] [-OutputSeverity {Default | Verbose}] [-Remove]
Cmdlet parameters
The following table provides parameters for the Set-AzSSyslogForwarder
cmdlet:
Parameter | Description | Type | Required |
---|---|---|---|
ServerName | FQDN or IP address of the syslog server. | String | Yes |
ServerPort | Port number the syslog server is listening on. | UInt16 | Yes |
NoEncryption | Force the client to send syslog messages in clear text. | Flag | No |
SkipServerCertificateCheck | Skip validation of the certificate provided by the syslog server during initial TLS handshake. | Flag | No |
SkipServerCNCheck | Skip validation of the Common Name value of the certificate provided by the syslog server during initial TLS handshake. | Flag | No |
UseUDP | Use syslog with UDP as transport protocol. | Flag | No |
ClientCertificateThumbprint | Thumbprint of the client certificate used to communicate with syslog server. | String | No |
OutputSeverity | Level of output logging. Values are Default or Verbose. Default includes severity levels: warning, critical, or error. Verbose includes all severity levels: verbose, informational, warning, critical, or error. | String | No |
Remove | Remove current syslog forwarder configuration and stop syslog forwarder. | Flag | No |
Syslog forwarding with TCP, mutual authentication (client and server), and TLS encryption
In this configuration, the syslog client in Azure Local forwards messages to the syslog server over TCP with TLS encryption. During the initial handshake, the client verifies that the server provides a valid, trusted certificate. The client also provides a certificate to the server as proof of its identity.
This configuration is the most secure as it provides full validation of the identity of both the client and the server, and it sends messages over an encrypted channel.
Important
Microsoft recommends that you use this configuration for production environments.
To configure syslog forwarder with TCP, mutual authentication, and TLS encryption, configure the server and provide certificate to the client to authenticate against the server.
Run the following cmdlet against a physical host:
Set-AzSSyslogForwarder -ServerName <FQDN or IP address of syslog server> -ServerPort <Port number on which the syslog server is listening> -ClientCertificateThumbprint <Thumbprint of the client certificate>
Important
The client certificate must contain a private key. If the client certificate is signed using a self-signed root certificate, you must import the root certificate as well.
Syslog forwarding with TCP, server authentication, and TLS encryption
In this configuration, the syslog forwarder in Azure Local forwards the messages to the syslog server over TCP with TLS encryption. During the initial handshake, the client also verifies that the server provides a valid, trusted certificate.
This configuration prevents the client from sending messages to untrusted destinations. TCP using authentication and encryption is the default configuration and represents the minimum level of security that Microsoft recommends for a production environment.
Set-AzSSyslogForwarder -ServerName <FQDN or IP address of syslog server> -ServerPort <Port number on which the syslog server is listening>
If you want to test the integration of your syslog server with the Azure Local syslog forwarder by using a self-signed or untrusted certificate, use these flags to skip the server validation done by the client during the initial handshake.
Skip validation of the Common Name value in the server certificate. Use this flag if you provide an IP address for your syslog server.
Set-AzSSyslogForwarder -ServerName <FQDN or IP address of syslog server> -ServerPort <Port number on which the syslog server is listening> -SkipServerCNCheck
Skip the server certificate validation.
Set-AzSSyslogForwarder -ServerName <FQDN or IP address of syslog server> -ServerPort <Port number on which the syslog server is listening> -SkipServerCertificateCheck
Important
Microsoft recommends that you do not use the
-SkipServerCertificateCheck
flag in production environments.
Syslog forwarding with TCP and no encryption
In this configuration, the syslog client in Azure Local forwards messages to the syslog server over TCP with no encryption. The client doesn’t verify the identity of the server, nor does it provide its own identity to the server for verification.
Set-AzSSyslogForwarder -ServerName <FQDN or IP address of syslog server> -ServerPort <Port number on which the syslog server is listening on> -NoEncryption
Important
Microsoft recommends that you do not use this configuration in production environments.
Syslog forwarding with UDP and no encryption
In this configuration, the syslog client in Azure Local forwards messages to the syslog server over UDP, with no encryption. The client doesn’t verify the identity of the server, nor does it provide its own identity to the server for verification.
Set-AzSSyslogForwarder -ServerName <FQDN or IP address of syslog server> -ServerPort <Port number on which the syslog server is listening> -UseUDP
While UDP with no encryption is the easiest to configure, it doesn’t provide any protection against man-in-the-middle attacks or eavesdropping of messages.
Important
Microsoft recommends that you do not use this configuration in production environments.
Enable syslog forwarding
Run the following cmdlet to enable syslog forwarding:
Enable-AzSSyslogForwarder [-Force]
Syslog forwarder will be enabled with the stored configuration provided by the last successful Set-AzSSyslogForwarder
call. The cmdlet will fail if no configuration has been provided using Set-AzSSyslogForwarder
.
Disable syslog forwarding
Run the following cmdlet to disable syslog forwarding:
Disable-AzSSyslogForwarder [-Force]
Parameter for Enable-AzSSyslogForwarder
and Disable-AzSSyslogForwarder
cmdlets:
Parameter | Description | Type | Required |
---|---|---|---|
Force | If specified, an action plan will always be triggered even if the target state is the same as current. This can be helpful to reset out-of-band changes. | Flag | No |
Verify syslog setup
After you successfully connect the syslog client to your syslog server, you will start to receive event notifications. If you don’t see notifications, verify your cluster syslog forwarder configuration by running the following cmdlet:
Get-AzSSyslogForwarder [-Local | -PerNode | -Cluster]
Each host has its own syslog forwarder agent that uses a local copy of the cluster configuration. They are always expected to be the same as the cluster configuration. You can verify the current configuration on each host by using the following cmdlet:
Get-AzSSyslogForwarder -PerNode
You can also use the following cmdlet to verify the configuration on the host you are connected to:
Get-AzSSyslogForwarder -Local
Cmdlet parameters for the Get-AzSSyslogForwarder
cmdlet:
Parameter | Description | Type | Required |
---|---|---|---|
Local | Show currently used configuration on current host. | Flag | No |
PerNode | Show currently used configuration on each host. | Flag | No |
Cluster | Show current global configuration on Azure Local. This is the default behavior if no parameter is provided. | Flag | No |
Remove syslog forwarding
Run the following command to remove the syslog forwarder configuration and stop the syslog forwarder:
Set-AzSSyslogForwarder -Remove
Message schema and event log reference
The following reference material documents syslog message schema and event definitions.
- Syslog message schema
- Common Event format payload schema/definitions
- Windows event mapping and examples
- Miscellaneous events
The syslog forwarder of the Azure Local infrastructure sends messages formatted following the BSD syslog protocol defined in RFC3164. CEF is also used to format the syslog message payload.
Each syslog message is structured based on this schema: Priority (PRI) | Time | Host | CEF payload |
The PRI part contains two values: facility and severity. Both depend on the type of message, like Windows Event, etc.
Next steps
Learn more about: