
How to collect SSH logs from Azure VM and push it to log analytics workspace


I want to store all SSH logs (user login/logout) in a Log Analytics workspace.

Details of my environment:

VM: OS - Ubuntu 18.04.6 LTS

Connected to an existing Log Analytics workspace


Solution

  • I tried to reproduce the scenario on my end and was able to push VM auth logs to Log Analytics:

    I want to store all SSH logs (user login/logout) in a Log Analytics workspace

    I created one Linux VM with OS- Ubuntu 18.04.6 LTS

    Azure VM login logs are not collected on Azure's end, as that is a
    VM data-plane operation. But you can see the VM's user login details
    inside your Linux VM and send these logs to a Log Analytics workspace.
    The same operation can be done for your on-prem local Linux machine.

    Check user SSH details in the VM by using the commands:

    last

    lastlog

    All these logs are saved in the auth.log file in the Linux VM. In order to inspect the auth.log file you can run the command below:

    tail -f -n 100 /var/log/auth.log

    In order to send this auth.log file to a Log Analytics workspace, there are 2 methods:

    Method 1) With the legacy Log Analytics agent -
    Go to Log Analytics workspace > Agents Management > Linux Servers and run the command given below in the Linux machine to install the Log Analytics agent on the Linux VM.

    wget https://raw.githubusercontent.com/Microsoft/OMS-Agent-for-Linux/master/installer/scripts/onboard_agent.sh && sh onboard_agent.sh -w <workspace-id> -s <key> -d opinsights.azure.com

    Our Linux VM is connected to the Log Analytics workspace and you can check the logs.

    You can also enable specific syslogs by clicking on
    Legacy agent management > syslogs > Add facility and selecting specific logs from your Linux VM.

    Note: Method 1 utilizes the Log Analytics agent, which will be deprecated in
    2024. It is recommended to migrate to Azure Monitor Agent.

    Method 2) Using Azure Monitor Agent [Recommended] -

    1. Azure Monitor Agent can be installed directly from the VM's left pane > Extensions + applications, like below.

    2. Another method is via Azure Monitor Agent [Recommended]:

    I created a Data collection rule to collect the required logs from the Linux VM to the Log Analytics workspace.

    Create an Endpoint > Select Next > Collect and Deliver > Add Data Sources > In Data source type > Select Linux syslog > and select LOG_AUTH.

    Select the Log Analytics workspace as the destination.

    Create the Data collection rule.

    Now, you can enable the Azure Monitoring agent by visiting: search for Monitor on the Azure Portal > Virtual Machines > Select your Virtual Machine > Enable Azure Monitoring agent.

    Now, select Azure Monitor agent > Click Configure.

    Now, wait for some time for the auth logs, which have details on the user log in and log out, to reflect.
    Go to:
    Monitor on Azure Portal > Logs > Select the Syslog table

    Your VM logs will be stored here.

    Method 3) [Optional] Use Diagnostics settings
    You can enable diagnostics settings and use the Azure Monitor agent for Linux to store your VM logs inside a storage account. This method is not recommended if you already have Log Analytics in place, to avoid duplicates and reduce cost.

    Select your Linux VM > Diagnostics settings > Pick one storage account to store your VM logs.

    Diagnostics settings will store the auth logs in the selected storage account.

    Click Save.

    Reference:-
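As an added example that is not part of the answer above: the answer points at /var/log/auth.log as the source of the SSH login and logout events that end up in the workspace, but it does not show what those lines look like or how to pick the SSH events out of them. The Python below parses a few constructed auth.log lines (hostname, PIDs and addresses are made up; the IPs are from documentation ranges) in the Ubuntu syslog format, keeps only the sshd events (accepted logins, failed logins, PAM session open/close) and summarizes them: who logged in from where, which source addresses accumulated failed attempts, and which sessions are still open. The line format and the sshd/pam_unix message wording follow Ubuntu 18.04 defaults; everything else is my own code.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines in /var/log/auth.log format (not taken from any real host).
SAMPLE_AUTH_LOG = """\
Jan 10 09:12:01 vm01 sshd[1201]: Accepted publickey for azureuser from 203.0.113.5 port 51422 ssh2: RSA SHA256:constructedfingerprint
Jan 10 09:12:01 vm01 sshd[1201]: pam_unix(sshd:session): session opened for user azureuser by (uid=0)
Jan 10 09:15:33 vm01 sshd[1250]: Failed password for invalid user admin from 198.51.100.7 port 40112 ssh2
Jan 10 09:15:35 vm01 sshd[1250]: Failed password for invalid user admin from 198.51.100.7 port 40112 ssh2
Jan 10 09:15:40 vm01 sshd[1250]: Failed password for root from 198.51.100.7 port 40112 ssh2
Jan 10 09:20:44 vm01 sshd[1201]: pam_unix(sshd:session): session closed for user azureuser
Jan 10 09:21:00 vm01 CRON[1300]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Syslog prefix: "Mon DD HH:MM:SS host process[pid]: message"
_PREFIX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# sshd message bodies we classify; anything else from sshd is ignored.
_PATTERNS = (
    ("accepted", re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")),
    ("failed", re.compile(r"^Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")),
    ("opened", re.compile(r"^pam_unix\(sshd:session\): session opened for user (?P<user>\S+)")),
    ("closed", re.compile(r"^pam_unix\(sshd:session\): session closed for user (?P<user>\S+)")),
)


@dataclass
class SshEvent:
    ts: str
    host: str
    pid: str
    kind: str            # "accepted", "failed", "opened" or "closed"
    user: str
    ip: Optional[str] = None
    method: Optional[str] = None


def parse_line(line: str) -> Optional[SshEvent]:
    """Return an SshEvent for an sshd auth.log line, or None for anything else."""
    m = _PREFIX.match(line.strip())
    if not m or m.group("proc") != "sshd":
        return None  # CRON, sudo, su, ... are auth.log lines too, but not SSH
    for kind, rx in _PATTERNS:
        mm = rx.match(m.group("msg"))
        if mm:
            g = mm.groupdict()
            return SshEvent(m.group("ts"), m.group("host"), m.group("pid") or "",
                            kind, g["user"], g.get("ip"), g.get("method"))
    return None


def parse_auth_log(text: str) -> List[SshEvent]:
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def summarize(events: List[SshEvent], failed_threshold: int = 3) -> Dict:
    """Logins, failed attempts per source IP, IPs at/over the threshold, open sessions by sshd PID."""
    failed_by_ip = Counter(e.ip for e in events if e.kind == "failed")
    open_sessions: Dict[str, str] = {}
    for e in events:  # a session is open until the same sshd PID logs "session closed"
        if e.kind == "opened":
            open_sessions[e.pid] = e.user
        elif e.kind == "closed":
            open_sessions.pop(e.pid, None)
    return {
        "logins": [(e.user, e.ip, e.method) for e in events if e.kind == "accepted"],
        "failed_by_ip": dict(failed_by_ip),
        "suspicious_ips": sorted(ip for ip, n in failed_by_ip.items() if n >= failed_threshold),
        "sessions_open": open_sessions,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(f"{key}: {value}")
```

Once the LOG_AUTH facility is collected through either agent, the same message text arrives in the SyslogMessage column of the workspace's Syslog table, with the process name in ProcessName and the facility in Facility, so the same four patterns can be applied there as a query instead of on the VM.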