A company has deployed several applications across Windows and Linux virtual machines in Azure. Log Analytics is being used to send the required data for alerting purposes for the virtual machines.
You need to recommend which tables need to be queried for security-related queries.
Which of the following would you query for events from Linux system logging?
A. Azure Activity
B. Azure Diagnostics
C. Event
D. Syslog

Correct answer: D
This is also given in the Microsoft documentation, which states that you would use the Syslog table for queries on events from Linux virtual machines.
Note: Syslog is an event logging protocol that is common to Linux. Applications will send messages that may be stored on the local machine or delivered to a Syslog collector. When the Log Analytics agent for Linux is installed, it configures the local Syslog daemon to forward messages to the agent. The agent then sends the message to Azure Monitor where a corresponding record is created.
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-syslog

The correct answer for this question is option D - Syslog.
In Azure Log Analytics, tables represent different types of data sources, and each table contains a specific set of columns that provide information about the data. Security-related queries require data from the logs that record security-related events and activities.
Linux systems use the Syslog protocol to record system logs. Syslog is a standard protocol used to send system log or event messages to a logging server, which can be monitored and analyzed to troubleshoot issues, detect security threats, and gather performance metrics.
Azure Log Analytics provides a Syslog table that contains all the Syslog events sent from the Linux VMs in your environment. The Syslog table is located in the LinuxSyslog table group, and it includes columns such as TimeGenerated, Computer, EventLog, Level, Message, and Facility.
Therefore, to query security-related events from Linux VMs, you should query the Syslog table in the LinuxSyslog table group.
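As an added example (not part of the original question or the Microsoft documentation it cites), the following KQL query shows what a security-related query against the Syslog table looks like in practice: it surfaces Linux VMs that recorded repeated failed SSH logins in the last hour. The column names used here (Facility, SeverityLevel, ProcessName, SyslogMessage, Computer) follow the Log Analytics Syslog table schema; the one-hour window, the "Failed password" match and the threshold of five failures are assumptions chosen for illustration.

```kusto
// Added example: repeated failed SSH logins per Linux VM and source IP.
// Assumes the standard Syslog table schema; window and threshold are illustrative.
Syslog
| where TimeGenerated > ago(1h)
| where Facility in ("auth", "authpriv")          // authentication-related syslog facilities
| where ProcessName == "sshd"
| where SyslogMessage has "Failed password"        // OpenSSH failed-login message text
| extend SourceIP = extract(@"from (\d+\.\d+\.\d+\.\d+)", 1, SyslogMessage)
| summarize FailedLogins = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
          by Computer, SourceIP
| where FailedLogins >= 5                          // assumed alerting threshold
| order by FailedLogins desc
```

The same query would return nothing when run against the Event table, because Windows security events are stored there with a different schema (EventLog, EventID, RenderedDescription); the Syslog table is the only one of the four options that carries Linux system log records.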
Option A - Azure Activity and Option B - Azure Diagnostics tables do not contain data related to system logs or security events. The Azure Activity table provides information about the operations that were performed on Azure resources, and the Azure Diagnostics table provides performance and diagnostics data for Azure resources.
Option C - Event is a Windows event log table, which contains events from the Windows event logs on Windows VMs. It does not contain Linux system logs.