Azure Sentinel Syslog Workbook

I recently took a look at the Azure Sentinel Syslog Workbook, called Linux Machines. This workbook is not great, its essentially a dashboard. For me the power of Workbooks in both Azure Monitor and Azure Sentinel is hunting, whether you’re hunting threats or operational issues with your infrastructure or applications.

Workbook Resources

If this is your first time finding my blog, I’m a big fan of workbooks and I have a number of resources for workbooks.

Training:

Ready to use Workbooks:

If you want the TLDR the github for the syslog workbook is here, as are all my other workbooks.

Current Syslog Workbook

First I want to go over why I think the existing workbook is not a good workbook.

Azure Sentinel Syslog Workbook

When you open the workbook you are presented with this, a summary count of Syslog messages by Severity Level. But then beneath that are 3 more summary counts by machine, that don’t disappear if there’s no data, so its just wasted space.

Followed by Events beneath it. Judging by the preview presented in Sentinel this field looks like it should have a list of Syslog messages, but nothing is there. This is probably an error in the query that needs to get fixed, because I clearly have events, as evidenced by the top summary count.

Azure Sentinel Syslog Workbook

then finally, beneath that we have 3 pie charts and a bar chart. None of which provides the ability to drill down into events, its all just summary counts. This is essentially a dashboard and could have easily been done in an Azure Dashboard. It doesn’t really utilize any of the best parts of workbooks.

This is not the first Sentinel workbook that’s like this either. The Azure Activity log workbook is the same way and pales in comparison to the one put out by the Azure Monitor team. The one put out by the Azure Monitor team allows you to sort events and drill down into them by a number of different fields. Other great example workbooks put out by Azure teams, are the Key Vault Insights dashboard, Storage Insights, and I especially like the Azure Backup Explorer Workbook.

 

Community Azure Sentinel Syslog Workbook

So I present to you my community Syslog workbook. I modeled it after my Windows Event Log workbook to have a consistent look and feel. For sure you could modify it in any way you want. Also, like my Event Log Workbook, its entirely dynamic. Meaning if you select 1 HostName, you will only see Facility’s and SeverityLevel events from that one HostName.

This workbook will work with Azure Monitor and Azure Sentinel. Syslog has been something you could collect with Log Analyitcs long before Sentinel came around.

The top provides a breakdown of logs by SeverityLevel, not unlike the Sentinel provided one, however I’ve included a trendline and thresholds with icons. Beneath that we have count and trend line by Facility type grouped by HostName.

and then we have list of events with the same icon thresholds and View Details to open up the side blade for the complete log.

Here is an output video of it in action.

 

If you’ve actually made it this far, here is the github link again so you don’t have to scroll up.

Leave a Comment