
Special thanks to Jorge, Manny, and Alex!
What is Log Analytics
Log Analytics is a SaaS offering from Microsoft that helps you collect and report against data generated by resources in Azure or from your on-premises environment. It is a very powerful tool that can hold and analyze millions of records using the Kusto query language.
Workspace
Log Analytics is a tool in the Azure portal that’s used to edit and run log queries with data in Azure Monitor Logs.
A Log Analytics workspace is a unique environment for log data from Azure Monitor and other Azure services, such as Microsoft Sentinel and Microsoft Defender for Cloud. Each workspace has its own data repository and configuration but might combine data from multiple services.




Log Forwarder
As of today, you can't install the Log Analytics agent directly on Aviatrix appliances. To ingest their Syslog into Log Analytics, you'll need a Linux machine that collects the logs from the controller and gateways and forwards them to the Microsoft Log Analytics workspace. This machine has two components that take part in this process:
- A syslog daemon
- The Log Analytics Agent (also known as the OMS Agent)

Linux Deployment
I’m going to use an Ubuntu 20.04 LTS machine on x64:

NSG configuration:
- Create an inbound security rule allowing the AVX Controller and Gateways to access the VM on TCP port 514
Agent Installation
We use the Data Collection Rules to install the Azure Monitor Agent:





Checking the Log Forwarder agent:


Syslog Reception
Edit /etc/rsyslog.conf and remove comments from the following lines to enable rsyslog to work as a server:
module(load="imtcp")
input(type="imtcp" port="514")
Do not forget to restart the rsyslog daemon after the changes:
sudo service rsyslog restart
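A quick check for the two steps above, as an added example that is not part of the original post: it confirms that both imtcp lines are uncommented and that something is listening on the port after the restart. The function names are illustrative, and `ss` from iproute2 is assumed to be available on the forwarder.

```bash
# Added example: confirm the rsyslog TCP listener from this post is enabled.
# Function names are illustrative, not part of rsyslog or Aviatrix.

# Return 0 if FILE ($1) has an uncommented line starting with the regex in $2.
has_active_line() {
    grep -Eq "^[[:space:]]*$2" "$1"
}

# check_imtcp FILE [PORT]: the module load and the input must both be active.
check_imtcp() {
    conf=$1
    port=${2:-514}
    rc=0
    if ! has_active_line "$conf" 'module\(load="imtcp"\)'; then
        echo "FAIL: module(load=\"imtcp\") is commented out or missing in $conf"
        rc=1
    fi
    if ! has_active_line "$conf" "input\(type=\"imtcp\"[[:space:]]+port=\"$port\"\)"; then
        echo "FAIL: input(type=\"imtcp\" port=\"$port\") is commented out or missing in $conf"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: imtcp enabled on port $port in $conf"
    fi
    return "$rc"
}

# listener_up [PORT]: true if a TCP socket is listening on the port, which
# confirms rsyslog was restarted after the edit. Uses ss from iproute2.
listener_up() {
    ss -ltn | grep -Eq ":${1:-514}[[:space:]]"
}

# Usage on the forwarder:
#   check_imtcp /etc/rsyslog.conf && listener_up && echo "ready for Aviatrix syslog"
```

If `check_imtcp` passes but `listener_up` fails, the configuration was edited but the daemon has not been restarted yet.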
Aviatrix Configuration
The rsyslog configuration is done under Settings -> Logging -> Remote Syslog:

Testing
I ran a query to list 10 syslog events to test the configuration:

Sweet, now we just need to deal with the 15 minutes of ingestion delay 😀