Fix Syslog-VMSS-AMA template: NSG bugs, EOL Ubuntu 18.04->24.04, API/AMA modernization #14595

Open
x3nc0n wants to merge 1 commit into Azure:master from x3nc0n:fix/syslog-vmss-ama-nsg-eol-modernize

x3nc0n (Contributor) commented Jun 30, 2026

Summary

This PR fixes several deployment bugs and modernizes the Syslog-VMSS-AMA data connector template (DataConnectors/Syslog-VMSS-AMA/). All changes are scoped to that folder (azureDeploy.json + README.md). The base image is moved off an end-of-life OS, and three concrete NSG defects are corrected.

These changes were identified while building and deploying a working derivative of this template end-to-end (Ubuntu 24.04, AMA → DCR → Log Analytics validated).

Bug fixes

  1. Allow-SSH NSG rule protocol was UDP.
    SSH is TCP. As written, the rule does not permit SSH (TCP/22) that the load balancer exposes via its inboundNatPool, so administrative access is blocked. Corrected to Tcp.

  2. Allow-Syslog NSG rule protocol was UDP only.
    The load balancer defines both a TCP/514 (LBSyslogTCPRule) and a UDP/514 (LBSyslogUDPRule) rule, but the NSG only allowed UDP, silently dropping TCP syslog. Broadened to * (TCP + UDP).

  3. Invalid resource provider in the subnet's NSG reference.
    The standalone Microsoft.Network/virtualNetworks/subnets resource referenced Microsoft.Networks/networkSecurityGroups (note the extra "s" — Networks), which is not a valid resource provider namespace. Corrected to Microsoft.Network/networkSecurityGroups.

End-of-life OS

  1. Ubuntu 18.04-LTS → Ubuntu 24.04 LTS.
    18.04-LTS reached end of standard support in April 2023 and no longer receives security updates. Updated the image reference to the current LTS:
    Canonical / ubuntu-24_04-lts / server / latest.
    This image was validated by deploying it with this template's VMSS/AMA configuration.

Modernization

  1. AMA extension typeHandlerVersion 1.22 → 1.33 (auto-upgrade remains enabled).
  2. Autoscale API version 2014-04-01 → 2022-10-01; scale-in/scale-out cooldown PT1M → PT5M to reduce scaling thrash on a syslog relay.
  3. Data Collection Rule and association API version 2021-09-01-preview → GA 2022-06-01 (preview API versions are eventually retired).

Out of scope (intentionally not bundled)

To keep this PR small and reviewable, the following are not included here and are noted as potential follow-ups:

  • Migrating the deprecated inboundNatPools to inboundNatRules.
  • Restricting the Allow-SSH / Allow-Syslog source from * to an operator-supplied CIDR.
  • Bumping the remaining (network/compute/managed-identity) API versions.
  • Syslog/CEF over TLS (6514). A community reference implementation that layers mutual-TLS-capable certificate handling on top of this connector is linked from the README.

Validation

  • azureDeploy.json is valid JSON and the edits are surgical (original formatting preserved — diff is value-only).
  • The Ubuntu 24.04 image reference, AMA 1.33, and the DCR GA API version were exercised in a real deployment of a template derived from this one.

Note: I was unable to confirm whether the Azure Sentinel team prefers protocol * vs. an explicit dual TCP/UDP rule for syslog — happy to adjust to whichever convention you prefer.
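
A lint pass for the two kinds of defect listed in the description above (load balancer rules the NSG does not admit, and a misspelled provider namespace), as an added example that is not part of the PR or the Azure-Sentinel repository. The template is a constructed, pared-down sample; the function names and the resource names `nsg` and `natpool` are assumptions.

```python
import json
import re

# Constructed sample: a pared-down template carrying the three defects the PR
# describes. "nsg" and "natpool" are made-up names; this is not the real azureDeploy.json.
TEMPLATE = {"resources": [
    {"type": "Microsoft.Network/networkSecurityGroups", "properties": {"securityRules": [
        {"name": "Allow-SSH", "properties": {"protocol": "Udp", "destinationPortRange": "22",
                                             "access": "Allow", "direction": "Inbound"}},
        {"name": "Allow-Syslog", "properties": {"protocol": "Udp", "destinationPortRange": "514",
                                                "access": "Allow", "direction": "Inbound"}}]}},
    {"type": "Microsoft.Network/loadBalancers", "properties": {
        "inboundNatPools": [
            {"name": "natpool", "properties": {"protocol": "Tcp", "backendPort": 22}}],
        "loadBalancingRules": [
            {"name": "LBSyslogTCPRule", "properties": {"protocol": "Tcp", "backendPort": 514}},
            {"name": "LBSyslogUDPRule", "properties": {"protocol": "Udp", "backendPort": 514}}]}},
    {"type": "Microsoft.Network/virtualNetworks/subnets", "properties": {"networkSecurityGroup": {
        "id": "[resourceId('Microsoft.Networks/networkSecurityGroups', 'nsg')]"}}},
]}

def port_in(rng, port):
    """True if an NSG destinationPortRange ('*', '514' or '500-600') covers port."""
    if rng == "*":
        return True
    lo, _, hi = rng.partition("-")
    return int(lo) <= port <= int(hi or lo)

def blocked_lb_rules(tpl):
    """LB rules / NAT pools whose backend protocol and port no inbound Allow rule admits."""
    res = tpl["resources"]
    allows = [r["properties"] for x in res if x["type"].endswith("/networkSecurityGroups")
              for r in x["properties"]["securityRules"]
              if (r["properties"]["access"], r["properties"]["direction"]) == ("Allow", "Inbound")]
    exposed = [e for x in res if x["type"].endswith("/loadBalancers")
               for key in ("inboundNatPools", "loadBalancingRules")
               for e in x["properties"].get(key, [])]
    # The NSG sees traffic after the load balancer's NAT, so match on backendPort.
    return [e["name"] for e in exposed if not any(
        a["protocol"].lower() in ("*", e["properties"]["protocol"].lower())
        and port_in(a["destinationPortRange"], e["properties"]["backendPort"]) for a in allows)]

def undeclared_namespaces(tpl):
    """Provider namespaces used in resourceId() that no resource in tpl declares.
    Heuristic: references to pre-existing resources of other providers show up too."""
    declared = {x["type"].split("/")[0].lower() for x in tpl["resources"]}
    used = re.findall(r"resourceId\(\s*'([^'/]+)/", json.dumps(tpl))
    return sorted({ns for ns in used if ns.lower() not in declared})
```

On the sample, `blocked_lb_rules` reports the NAT pool and `LBSyslogTCPRule`, and `undeclared_namespaces` reports `Microsoft.Networks`; both return empty lists once the three values are corrected as the PR describes.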

…AMA modernization

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
x3nc0n requested review from a team as code owners June 30, 2026 17:36
v-atulyadav self-assigned this Jul 1, 2026
v-atulyadav requested a review from Copilot July 1, 2026 04:18
v-atulyadav added the Connector (Connector specialty review needed) label Jul 1, 2026

Copilot AI left a comment

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

This PR updates the Syslog-VMSS-AMA ARM template to fix NSG deployment/runtime issues, move off Ubuntu 18.04, and modernize API versions used for AMA/DCR/autoscale.

Changes:

  • Fix NSG rule protocol mismatches (SSH and syslog) and correct an invalid NSG resource provider reference.
  • Upgrade VMSS base image to Ubuntu 24.04 LTS and bump AMA extension typeHandlerVersion.
  • Update Autoscale and DCR/DCR association API versions and adjust autoscale cooldowns.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| DataConnectors/Syslog-VMSS-AMA/azureDeploy.json | Fix NSG rule/properties issues, update Ubuntu image + AMA + API versions, tweak autoscale cooldown. |
| DataConnectors/Syslog-VMSS-AMA/README.md | Update docs for Ubuntu 24.04 and add a “Notes” section describing fixes/modernization. |

Comment on lines +156 to 159
"protocol": "*",
"sourcePortRange": "*",
"destinationPortRange": "514",
"sourceAddressPrefix": "*",
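
Review bot: `"protocol": "*"` on the port 514 rule admits every protocol the NSG can match, not only the TCP and UDP carried by LBSyslogTCPRule and LBSyslogUDPRule; two explicit rules (one `Tcp`, one `Udp`, both on 514) would keep the NSG as narrow as the load balancer rules it fronts. On the same rule, `"sourceAddressPrefix": "*"` leaves 514 reachable from any source; if narrowing it stays out of scope for this PR, a template parameter that defaults to `*` would let operators restrict it later without another change to the rule.
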
# Scalable Syslog collection using VMSS and Azure Monitor Agent

This ARM template will deploy an Ubuntu Virtual Machine Scale Set to forward Syslog to Microsoft Sentinel using Azure Monitor Agent (AMA). This has been built based on the previous solution we had for CEF with Log Analytics Agent (MMA) [CEF-VMSS]( https://github.com/mariavaladas/Azure-Sentinel/tree/master/DataConnectors/CEF-VMSS)
This ARM template will deploy an Ubuntu 24.04 LTS Virtual Machine Scale Set to forward Syslog to Microsoft Sentinel using Azure Monitor Agent (AMA). This has been built based on the previous solution we had for CEF with Log Analytics Agent (MMA) [CEF-VMSS]( https://github.com/mariavaladas/Azure-Sentinel/tree/master/DataConnectors/CEF-VMSS)

This template was updated with the following fixes and modernizations:

* **Base image** upgraded from Ubuntu 18.04-LTS (end-of-life since April 2023) to Ubuntu 24.04 LTS.
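
Review bot: the rewritten intro line still links `[CEF-VMSS]` to `github.com/mariavaladas/Azure-Sentinel`, a personal fork, and keeps the stray space after the opening parenthesis; since the line is being touched anyway, point the link at the upstream repository's copy if one exists and drop the space. The **Base image** bullet also says "end-of-life since April 2023" where the PR description says "end of standard support"; using the same wording in both places would keep the README consistent with the description.
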
@v-atulyadav (Collaborator)

Hi @x3nc0n,
Please review the suggestions above and address them accordingly. Thanks
