Windows Service of Syslog listener to send the messages to Azure Monitor
Visual Studio (C#)
.NET Framework 4.7.2
Windows Service
Open the solution (SyslogAzureMonitorBridge.sln) w/ Visual Studio.
Then Build as Release.
To distibute this program, copy the Release folder and paste it to a target windows PC.
Open command prompt Administrator mode. Then exec below command.
sc create SyslogAzureMonitorBridge binpath=<full path name of the SyslogAzureMonitorBridge.exe>
Open windows registry editor (regedit.exe) and find below folder
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SyslogAzureMonitorBridge
Then add command parameter to the ImagePath setting.
| Parameter | Description | Example | Remarks |
|---|---|---|---|
| /n= | Table name | Syslog | Actual name in Azure Log Analytics will be "<Table name>_CL" |
| /p= | Port Number of syslog listener | 514 | It is necessary to open inbound UDP access with firewall |
| /w= | Workspace ID | Copy it from Azure Log Analytics screen. See detail below. | |
| /k= | Key | Copy from the same screen of Workspace ID |
A sample setting of ImagePath in Windows Registry.
C:\MyApps\Release\SyslogAzureMonitorBridge.exe /n=Syslog /p=514 /w=12345678-1234-1234-1234-123456789012 /k=12345678901234567890123456789012345678901234567890123456789012345678901234567890123456==NOTE : ImagePath that conatin keys will show on [Task Manager]
Open Log Analytics in Azure Portal of ARM (Azure Resource Manager) then select [1.Advanced Settings] - [2.Connected Sources] - [3.Windows Servers]
Then, copy Workspace ID - [A], Primary Key - [B]
Paste then [A] for /w=, [B] for /k=
Exec below command with Windows command prompt administrator mode.
sc start SyslogAzureMonitorBridgeThis sample is on below settings.
/n=Syslog
Open Log Analytics workspace in Azure Portal (ARM) then click [Logs] command in left pane.
Find your Syslog table like below KQL
search * | distinct $tableYou will see Syslog_CL in the KQL result if the syslog data have uploaded successfully.
Try to see a Syslog_CL data
Syslog_CL
| where EventTime_t > ago(24h)
| limit 20
| order by EventTime_t descRecord Column
| Column | Description |
|---|---|
| TimeGenerated | Generated time at uploaded to Azure Monitor |
| EventTime_t | Syslog received time in SyslogAzureMonitorBridge service |
| Computer | IP address of SyslogAzureMonitorBridge service |
| Facility_s | Syslog facility |
| SeverityLevel_s | Syslog severity level |
| HostIP_s | Syslog owner |
| HostName_s | Same with HostIP_s column |
| SyslogMessage_s | Syslog message trimmed start "<priority>" part. |