Let's talk about the fifth category, called:
Virtual Machine Logs
Azure provides a range of logging options for virtual machines (VMs) to support monitoring, troubleshooting, and incident response. Here’s an overview of the log types, agents, and configuration options for both Windows and Linux VMs, along with specific considerations for application logs.
Logging Agents
Azure offers several agents for collecting VM logs, each suited to different needs:
Monitor Agent: Designed to replace older agents, it supports Data Collection Rules (DCR) for granular log collection.
Diagnostic Extension (WAD): Known as Windows Azure Diagnostics, this agent can write data directly to a storage account or an Event Hub. It remains a go-to choice for direct storage integration.
Azure Monitor for VMs: Collects performance data and logs across VMs but may require additional configuration for more specialized needs.
For data retention in Azure, understanding which agent best aligns with your storage and monitoring requirements is key.
Configuring Windows Azure Diagnostics (WAD) for Windows VMs
Initial Setup:
Navigate to Azure Monitor in the Azure portal.
Create a Data Collection Rule (DCR) for specific logs.
Configuration Steps:
Diagnostic Settings: Configure diagnostic settings for the VM and select the event logs and levels you want to collect (e.g., system, security, and application logs).
Agent Settings: Assign a storage account to store the logs and set a disk quota to manage storage limits.
Types of Logs Collected:
Windows Event Logs: Stored in WADWindowsEventLogsTable, which contains OS-level event logs.
Application Logs: Capture IIS logs, .NET application traces, and Event Tracing for Windows (ETW) events. ETW provides insights into kernel and application-level events, useful for performance and security monitoring.
Accessing Logs:
Azure Storage Explorer: Use this tool to navigate to the storage account’s Tables section, access WADWindowsEventLogsTable, and export logs to a .csv file if needed.
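Once WADWindowsEventLogsTable has been exported to .csv, the file can be triaged offline. The following is an added example, not part of the original article: it flags a successful logon that follows a burst of failed logons, and any clearing of the Security audit log. The column names (Timestamp, Channel, EventId, Description), the sample rows and the thresholds are assumptions; match them to the header row of your own export.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample of a .csv export from WADWindowsEventLogsTable.
# Column names are assumptions; adjust them to your export's header row.
WAD_SAMPLE = """\
Timestamp,Channel,EventId,Description
2024-05-01T10:00:01Z,Security,4625,An account failed to log on.
2024-05-01T10:00:03Z,Security,4625,An account failed to log on.
2024-05-01T10:00:05Z,Security,4625,An account failed to log on.
2024-05-01T10:00:07Z,Security,4625,An account failed to log on.
2024-05-01T10:00:09Z,Security,4625,An account failed to log on.
2024-05-01T10:00:12Z,Security,4624,An account was successfully logged on.
2024-05-01T10:03:00Z,Security,1102,The audit log was cleared.
2024-05-01T10:04:00Z,Application,1000,Application error.
2024-05-01T11:00:00Z,Security,4624,An account was successfully logged on.
"""

FAILED_LOGON, LOGON_OK, AUDIT_LOG_CLEARED = 4625, 4624, 1102


def parse_ts(value):
    # Accept ISO 8601 timestamps with a trailing Z (UTC).
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage_security_events(csv_text, threshold=5, window=timedelta(minutes=5)):
    """Return (timestamp, finding) tuples for Security-channel events."""
    rows = [r for r in csv.DictReader(io.StringIO(csv_text))
            if r["Channel"] == "Security"]
    rows.sort(key=lambda r: parse_ts(r["Timestamp"]))
    findings, recent_failures = [], []
    for row in rows:
        ts, event_id = parse_ts(row["Timestamp"]), int(row["EventId"])
        # Keep only the failures that still fall inside the sliding window.
        recent_failures = [t for t in recent_failures if ts - t <= window]
        if event_id == FAILED_LOGON:
            recent_failures.append(ts)
        elif event_id == LOGON_OK and len(recent_failures) >= threshold:
            findings.append((row["Timestamp"],
                             "logon success after %d failures" % len(recent_failures)))
            recent_failures = []
        elif event_id == AUDIT_LOG_CLEARED:
            findings.append((row["Timestamp"], "security audit log cleared"))
    return findings


if __name__ == "__main__":
    for finding in triage_security_events(WAD_SAMPLE):
        print(finding)
```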
Configuring Logging for Linux VMs
Diagnostic Settings:
Set diagnostic settings for the Linux VM, similar to the Windows setup.
Choose the target storage account for log storage.
Log Options:
Metrics: Configure metrics for key system parameters such as CPU, memory, network, file system, and disk usage. These can indicate suspicious activity patterns, such as high CPU usage for crypto mining or elevated disk usage during ransomware incidents.
Syslog: Collect system logs stored in auth.log, kern.log, syslog, etc. All logs are combined into a single table, LinuxSyslogVer2v0 in the Azure storage account.
Accessing Linux Logs:
Use Azure Storage Explorer to access LinuxSyslogVer2v0 under the Tables section of the designated storage account.
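Because auth.log, kern.log and syslog all land in the single LinuxSyslogVer2v0 table, an export has to be filtered by message content before it is useful. The following is an added example, not part of the original article: it summarizes failed SSH password attempts per source address and marks sources that later logged in successfully. The column names (EventTime, Facility, Msg), the sample rows and the threshold are assumptions.

```python
import csv
import io
import re

# Constructed sample of a .csv export from LinuxSyslogVer2v0.
# Column names are assumptions; adjust them to your export's header row.
SYSLOG_SAMPLE = """\
EventTime,Facility,Msg
2024-05-01T09:00:01Z,auth,sshd[811]: Failed password for root from 203.0.113.7 port 50112 ssh2
2024-05-01T09:00:03Z,auth,sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 50114 ssh2
2024-05-01T09:00:04Z,kern,kernel: eth0: link up
2024-05-01T09:00:06Z,auth,sshd[811]: Failed password for ubuntu from 203.0.113.7 port 50118 ssh2
2024-05-01T09:00:09Z,auth,sshd[811]: Accepted password for ubuntu from 203.0.113.7 port 50120 ssh2
2024-05-01T09:10:00Z,auth,sshd[902]: Failed password for root from 198.51.100.4 port 40001 ssh2
2024-05-01T09:20:00Z,auth,sshd[950]: Accepted publickey for deploy from 192.0.2.10 port 40500 ssh2
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"Accepted (?:password|publickey) for (\S+) from (\S+) port \d+")


def summarize_ssh_failures(csv_text, threshold=3):
    """Return {source_ip: stats} for sources with at least `threshold` failures."""
    rows = sorted(csv.DictReader(io.StringIO(csv_text)),
                  key=lambda r: r["EventTime"])  # ISO timestamps sort as text
    stats = {}
    for row in rows:
        failed = FAILED.search(row["Msg"])
        if failed:
            user, source = failed.groups()
            entry = stats.setdefault(
                source, {"failures": 0, "users": set(), "accepted_after": False})
            entry["failures"] += 1
            entry["users"].add(user)
            continue
        accepted = ACCEPTED.search(row["Msg"])
        if accepted:
            entry = stats.get(accepted.group(2))
            # A success only matters here if the same source already hit the threshold.
            if entry and entry["failures"] >= threshold:
                entry["accepted_after"] = True
    return {ip: s for ip, s in stats.items() if s["failures"] >= threshold}


if __name__ == "__main__":
    for ip, info in summarize_ssh_failures(SYSLOG_SAMPLE).items():
        print(ip, info)
```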
Application Logging
Tracing for .NET and ETW:
Application logs generated from .NET applications and ETW (Event Tracing for Windows) capture both system and application performance data.
Logs are stored in plaintext, differing from other logs stored in JSON format, and can be accessed via Azure’s storage services.
-------------------------------------------------------------------------------------------------------------
Summary of Log Sources
Windows VMs:
Windows event logs (WADWindowsEventLogsTable)
IIS and application logs, ETW events
Linux VMs:
System metrics (CPU, memory, etc.)
Syslog events (LinuxSyslogVer2v0)
Application Logs:
.NET tracing output and ETW logs in plaintext
--------------------------------------------------------------------------------------------------------
Key Takeaways
Choosing Agents: Decide based on whether storage account integration or advanced data collection rules are required.
Logging Setup: Configure storage quotas to avoid excessive costs and log noise.
Accessing Logs: Use Azure Storage Explorer for NoSQL table-based logs, which provide structured access to Windows and Linux logs.
------------------------------------------------------------------------------------------------------
Conclusion:
In Azure, securing storage accounts and virtual machines requires vigilant access management, policy-driven logging, and careful monitoring of data access activities. By enabling StorageRead logs and configuring diagnostic agents for VMs, organizations can detect potential data exfiltration and unusual activity. Centralizing logs and applying policies across environments strengthens incident response and supports comprehensive visibility across resources.
Akash Patel
----------------------------------------------------------------------------------------------------------
Special Thanks (Iqra)
I would like to extend my heartfelt gratitude to one of my dearest colleagues, a Microsoft Certified Trainer, for her invaluable assistance in creating these articles. Without her support, this would not have been possible. Thank you so much for your time, expertise, and dedication!
-------------------------------------------------------------------------------------------------------------