How to collect SSH logs from Azure VM and push it to log analytics workspace

Time:01-10

I want to store all SSH logs (user login/logout) in a Log Analytics workspace.

Details of my environment:

VM: OS - Ubuntu 18.04.6 LTS

Connected with an existing Log Analytics workspace

CodePudding user response:

I tried to reproduce the scenario on my end and was able to push the VM auth logs to Log Analytics:

I want to store all SSH logs (user login/logout) in a Log Analytics workspace.

I created one Linux VM with OS Ubuntu 18.04.6 LTS.

Azure VM login logs are not collected on Azure's end, as that is a VM data-plane operation. But you can see the VM's user login details inside your Linux VM and send these logs to the Log Analytics workspace. The same operation can be done for your on-prem local Linux machine.

Check user SSH details in the VM by using the commands:

last

lastlog

All these logs are saved in the auth.log file in the Linux VM. In order to inspect the auth.log file you can run the below command:

tail -f -n 100 /var/log/auth.log

In order to send this auth.log file to the Log Analytics workspace, there are 2 methods:

Method 1: With the legacy Log Analytics agent

Go to Log Analytics workspace > Agents management > Linux servers, and run the below given command in the Linux machine to install the Log Analytics agent on the Linux VM.

wget https://raw.githubusercontent.com/Microsoft/OMS-Agent-for-Linux/master/installer/scripts/onboard_agent.sh && sh onboard_agent.sh -w <workspace-id> -s <key> -d opinsights.azure.com


Our Linux VM is connected to the Log Analytics workspace and you can check the logs:


You can also enable specific syslogs by clicking on Legacy agent management > Syslog > Add facility, and select specific logs from your Linux VM:


Note: Method 1 uses the Log Analytics agent, which will be deprecated in 2024. It is recommended to migrate to the Azure Monitor Agent.

Method 2: Using Azure Monitor Agent [Recommended]

  1. Azure Monitor Agent can be installed directly from VM left pane > Extensions + applications, like below:


  2. Another method is via Azure Monitor Agent [Recommended]:

I created a Data collection rule to collect the required logs from the Linux VM into the Log Analytics workspace:


Create an endpoint > select Next > Collect and deliver > Add data source > in Data source type, select Linux syslog and select LOG_AUTH; refer below:


Select the Log Analytics workspace as the destination:


Create the Data collection rule:


Now, you can enable the Azure Monitor agent by visiting: search for Monitor on the Azure Portal > Virtual Machines > select your virtual machine > Enable Azure Monitor agent.


Now, select Azure Monitor agent > click Configure:


Now, wait for some time for the auth logs to appear, which have details on the user login and logout. Go to:
Monitor on the Azure Portal > Logs > select the Syslog table


Your VM Logs will be stored here.

Method 3 [Optional]: Use Diagnostics settings
You can enable diagnostics settings and use the Azure Monitor agent for Linux to store your VM logs inside a storage account. This method is not recommended if you already have Log Analytics in place, to avoid duplication and reduce cost.

Select your Linux VM > Diagnostics settings > pick one storage account to store your VM logs.


Diagnostics settings will store the auth logs in the selected storage account:


Click Save.
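As an added example (not part of the answer above), a small Python parser that classifies the sshd login, logout and failed-login lines found in /var/log/auth.log on Ubuntu 18.04, applying the same filter (process sshd, LOG_AUTH facility) that the data collection rule above forwards into the Syslog table; it lets you check locally with `tail /var/log/auth.log` what you expect to see in the workspace. The sample lines are constructed, and the host name, user names and addresses are placeholders.

```python
"""Classify sshd login/logout/failed events from Ubuntu auth.log lines (added example; sample data is constructed)."""
import re
from collections import Counter

# Ubuntu 18.04 auth.log prefix: "Mon DD HH:MM:SS host proc[pid]: message"
SYSLOG_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
ACCEPTED = re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+")
FAILED = re.compile(r"^Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
SESSION_CLOSED = re.compile(r"session closed for user (?P<user>\S+)")

SAMPLE_AUTH_LOG = [  # constructed; host, users and addresses are placeholders
    "Jan 10 09:12:01 linuxvm sshd[2201]: Accepted publickey for azureuser from 203.0.113.5 port 51234 ssh2: RSA SHA256:placeholder",
    "Jan 10 09:12:01 linuxvm sshd[2201]: pam_unix(sshd:session): session opened for user azureuser by (uid=0)",
    "Jan 10 09:15:44 linuxvm sshd[2330]: Failed password for invalid user admin from 198.51.100.7 port 40222 ssh2",
    "Jan 10 09:15:47 linuxvm sshd[2330]: Failed password for invalid user admin from 198.51.100.7 port 40222 ssh2",
    "Jan 10 09:30:05 linuxvm sshd[2201]: pam_unix(sshd:session): session closed for user azureuser",
    "Jan 10 09:30:05 linuxvm sshd[2201]: Disconnected from user azureuser 203.0.113.5 port 51234",
    "Jan 10 09:31:00 linuxvm sudo: azureuser : TTY=pts/0 ; PWD=/home/azureuser ; COMMAND=/bin/ls",
    "Jan 10 09:35:00 linuxvm CRON[2400]: pam_unix(cron:session): session opened for user root by (uid=0)",
]

def classify(line):
    """Return (host, action, user, ip) for an sshd login/logout/failed line, else None.

    'Accepted' counts as the login and pam 'session closed' as the logout; the
    duplicate 'session opened' and 'Disconnected' lines are skipped on purpose.
    """
    m = SYSLOG_LINE.match(line)
    if not m or m.group("proc") != "sshd":  # same filter as ProcessName == "sshd"
        return None
    host, msg = m.group("host"), m.group("msg")
    a = ACCEPTED.match(msg)
    if a:
        return (host, "login", a.group("user"), a.group("ip"))
    f = FAILED.match(msg)
    if f:
        return (host, "failed", f.group("user"), f.group("ip"))
    s = SESSION_CLOSED.search(msg)
    if s:
        return (host, "logout", s.group("user"), None)
    return None

def summarize(lines):
    """Count events per (user, action); non-sshd and unrelated lines are dropped."""
    return Counter((e[2], e[1]) for e in map(classify, lines) if e)
```

Pipe `tail -n 100 /var/log/auth.log` into `summarize` to see per-user login, logout and failed counts before querying the Syslog table.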
