Fix Syslog-VMSS-AMA template: NSG bugs, EOL Ubuntu 18.04->24.04, API/AMA modernization#14595
Open
x3nc0n wants to merge 1 commit into
Conversation
…AMA modernization Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
This PR updates the Syslog-VMSS-AMA ARM template to fix NSG deployment/runtime issues, move off Ubuntu 18.04, and modernize API versions used for AMA/DCR/autoscale.
Changes:
- Fix NSG rule protocol mismatches (SSH and syslog) and correct an invalid NSG resource provider reference.
- Upgrade VMSS base image to Ubuntu 24.04 LTS and bump AMA extension typeHandlerVersion.
- Update Autoscale and DCR/DCR association API versions and adjust autoscale cooldowns.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| DataConnectors/Syslog-VMSS-AMA/azureDeploy.json | Fix NSG rule/properties issues, update Ubuntu image + AMA + API versions, tweak autoscale cooldown. |
| DataConnectors/Syslog-VMSS-AMA/README.md | Update docs for Ubuntu 24.04 and add a “Notes” section describing fixes/modernization. |
Comment on lines +156 to 159
| "protocol": "*", | ||
| "sourcePortRange": "*", | ||
| "destinationPortRange": "514", | ||
| "sourceAddressPrefix": "*", |
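Review bot: `sourceAddressPrefix` is still `*` on this 514 rule, so the relay accepts syslog from any address the load balancer forwards; the PR description already lists narrowing the `Allow-SSH`/`Allow-Syslog` source to an operator-supplied CIDR as a follow-up, so consider exposing the source prefix as a template parameter (default `*`) now and stating the exposure in the README, which lets operators tighten it without editing the template. On `protocol`, `*` does cover both the TCP/514 and UDP/514 load-balancer rules; if the maintainers prefer explicit rules, two entries with `Tcp` and `Udp` on the same destination port are the equivalent, and the choice is worth recording in the README either way.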
| # Scalable Syslog collection using VMSS and Azure Monitor Agent | ||
|
|
||
| This ARM template will deploy an Ubuntu Virtual Machine Scale Set to forward Syslog to Microsoft Sentinel using Azure Monitor Agent (AMA). This has been built based on the previous solution we had for CEF with Log Analytics Agent (MMA) [CEF-VMSS]( https://github.com/mariavaladas/Azure-Sentinel/tree/master/DataConnectors/CEF-VMSS) | ||
| This ARM template will deploy an Ubuntu 24.04 LTS Virtual Machine Scale Set to forward Syslog to Microsoft Sentinel using Azure Monitor Agent (AMA). This has been built based on the previous solution we had for CEF with Log Analytics Agent (MMA) [CEF-VMSS]( https://github.com/mariavaladas/Azure-Sentinel/tree/master/DataConnectors/CEF-VMSS) |
|
|
||
| This template was updated with the following fixes and modernizations: | ||
|
|
||
| * **Base image** upgraded from Ubuntu 18.04-LTS (end-of-life since April 2023) to Ubuntu 24.04 LTS. |
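Review bot: the CEF-VMSS link on the edited line still points at a personal fork (`github.com/mariavaladas/Azure-Sentinel/...`) rather than this repository's own `DataConnectors/CEF-VMSS` path; since the line is being rewritten for the Ubuntu 24.04 wording anyway, pointing it at the upstream path would stop the README from depending on a fork that may diverge or disappear. The "18.04-LTS (end-of-life since April 2023)" wording matches the PR description, so that part reads correctly.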
Collaborator
Hi @x3nc0n,
Summary

This PR fixes several deployment bugs and modernizes the Syslog-VMSS-AMA data connector template (`DataConnectors/Syslog-VMSS-AMA/`). All changes are scoped to that folder (`azureDeploy.json` + `README.md`). The base image is moved off an end-of-life OS, and three concrete NSG defects are corrected. These changes were identified while building and deploying a working derivative of this template end-to-end (Ubuntu 24.04, AMA → DCR → Log Analytics validated).

Bug fixes

1. `Allow-SSH` NSG rule protocol was `UDP`. SSH is TCP. As written, the rule does not permit SSH (TCP/22) that the load balancer exposes via its `inboundNatPool`, so administrative access is blocked. Corrected to `Tcp`.
2. `Allow-Syslog` NSG rule protocol was `UDP` only. The load balancer defines both a TCP/514 (`LBSyslogTCPRule`) and a UDP/514 (`LBSyslogUDPRule`) rule, but the NSG only allowed UDP, silently dropping TCP syslog. Broadened to `*` (TCP + UDP).
3. Invalid resource provider in the subnet's NSG reference. The standalone `Microsoft.Network/virtualNetworks/subnets` resource referenced `Microsoft.Networks/networkSecurityGroups` (note the extra "s" in `Networks`), which is not a valid resource provider namespace. Corrected to `Microsoft.Network/networkSecurityGroups`.

End-of-life OS

`18.04-LTS` reached end of standard support in April 2023 and no longer receives security updates. Updated the image reference to the current LTS: `Canonical/ubuntu-24_04-lts/server/latest`. This image was validated by deploying it with this template's VMSS/AMA configuration.

Modernization

- AMA extension `typeHandlerVersion` `1.22` → `1.33` (auto-upgrade remains enabled).
- Autoscale API version `2014-04-01` → `2022-10-01`; scale-in/scale-out cooldown `PT1M` → `PT5M` to reduce scaling thrash on a syslog relay.
- DCR / DCR association API version `2021-09-01-preview` → GA `2022-06-01` (preview API versions are eventually retired).

Out of scope (intentionally not bundled)

To keep this PR small and reviewable, the following are not included here and are noted as potential follow-ups:

- Moving from `inboundNatPools` to `inboundNatRules`.
- Restricting the `Allow-SSH`/`Allow-Syslog` source from `*` to an operator-supplied CIDR.

Validation

- `azureDeploy.json` is valid JSON and the edits are surgical (original formatting preserved; the diff is value-only).
- The Ubuntu 24.04 image, AMA `1.33`, and the DCR GA API version were exercised in a real deployment of a template derived from this one.

Note: I was unable to confirm whether the Azure Sentinel team prefers protocol `*` vs. an explicit dual TCP/UDP rule for syslog; happy to adjust to whichever convention you prefer.
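The three NSG defects described in the PR (a UDP-only SSH rule, a UDP-only syslog rule while the load balancer also forwards TCP/514, and a misspelt `Microsoft.Networks` provider namespace) are all mechanically checkable before deployment. The following script is an added example, not code from the Azure-Sentinel repository or from this PR: it lints an ARM template by cross-checking every load-balancer flow (load-balancing rules, inbound NAT pools/rules) against the NSG's inbound Allow rules, and scans every `resourceId(...)` expression for a namespace that looks like `Microsoft.Network` but is not. The template fragment it runs on is constructed to mirror the shapes the PR describes; property names follow the public ARM schema, while the resource names (`nsg`, `lb`, `vnet/subnet`) are hypothetical. It does not model higher-priority Deny rules or NIC-level versus subnet-level NSG attachment.

```python
"""Lint an ARM template for the NSG mismatches this PR fixes (added example)."""
import json
import re


def _constructed_before():
    # Constructed "before" state: UDP-only SSH/syslog NSG rules plus the
    # misspelt Microsoft.Networks namespace in the subnet's NSG reference.
    return {"resources": [
        {"type": "Microsoft.Network/networkSecurityGroups", "name": "nsg",
         "properties": {"securityRules": [
             {"name": "Allow-SSH", "properties": {
                 "protocol": "Udp", "destinationPortRange": "22",
                 "access": "Allow", "direction": "Inbound"}},
             {"name": "Allow-Syslog", "properties": {
                 "protocol": "Udp", "destinationPortRange": "514",
                 "access": "Allow", "direction": "Inbound"}}]}},
        {"type": "Microsoft.Network/loadBalancers", "name": "lb",
         "properties": {
             "loadBalancingRules": [
                 {"name": "LBSyslogTCPRule", "properties": {
                     "protocol": "Tcp", "frontendPort": 514, "backendPort": 514}},
                 {"name": "LBSyslogUDPRule", "properties": {
                     "protocol": "Udp", "frontendPort": 514, "backendPort": 514}}],
             "inboundNatPools": [
                 {"name": "ssh", "properties": {"protocol": "Tcp", "backendPort": 22}}]}},
        {"type": "Microsoft.Network/virtualNetworks/subnets", "name": "vnet/subnet",
         "properties": {"networkSecurityGroup": {
             "id": "[resourceId('Microsoft.Networks/networkSecurityGroups', 'nsg')]"}}},
    ]}


BEFORE = json.dumps(_constructed_before())


def fixed_template():
    """The same constructed template with the PR's three corrections applied."""
    t = _constructed_before()
    nsg, _lb, subnet = t["resources"]
    nsg["properties"]["securityRules"][0]["properties"]["protocol"] = "Tcp"  # SSH is TCP
    nsg["properties"]["securityRules"][1]["properties"]["protocol"] = "*"    # TCP + UDP syslog
    subnet["properties"]["networkSecurityGroup"]["id"] = \
        "[resourceId('Microsoft.Network/networkSecurityGroups', 'nsg')]"
    return json.dumps(t)


def _port_in(port, spec):
    """True if integer port falls inside an NSG port spec ('*', '514', '500-600')."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= port <= int(hi)
    return spec != "" and int(spec) == port


def _nsg_allows(nsg_rules, protocol, port):
    """True if some inbound Allow rule covers protocol/port ('*' protocol matches any)."""
    for rule in nsg_rules:
        p = rule["properties"]
        if p.get("access") != "Allow" or p.get("direction") != "Inbound":
            continue
        if p.get("protocol", "").lower() not in ("*", protocol.lower()):
            continue
        ports = p.get("destinationPortRanges") or [p.get("destinationPortRange", "")]
        if any(_port_in(int(port), spec) for spec in ports):
            return True
    return False


def lint(template_json):
    """Return a list of findings; an empty list means the template passes."""
    res = json.loads(template_json).get("resources", [])
    nsg_rules = [r for n in res if n["type"].lower() == "microsoft.network/networksecuritygroups"
                 for r in n["properties"].get("securityRules", [])]
    findings = []
    for lb in (r for r in res if r["type"].lower() == "microsoft.network/loadbalancers"):
        p = lb["properties"]
        # The NSG evaluates the backend port, i.e. what reaches the VMSS NIC after the LB.
        flows = [(r["name"], r["properties"]["protocol"], r["properties"]["backendPort"])
                 for r in p.get("loadBalancingRules", []) + p.get("inboundNatPools", [])
                 + p.get("inboundNatRules", [])]
        for name, proto, port in flows:
            if not _nsg_allows(nsg_rules, proto, port):
                findings.append(f"LB flow {name} ({proto}/{port}) has no inbound Allow NSG rule")
    # Namespace check over every resourceId('<type>', ...) expression in the raw text.
    for m in re.finditer(r"resourceId\('([^']+)'", template_json):
        ns = m.group(1).split("/")[0]
        if ns.lower() != "microsoft.network" and ns.lower().startswith("microsoft.network"):
            findings.append(f"invalid provider namespace {ns} in {m.group(1)}")
    return findings


if __name__ == "__main__":
    for f in lint(BEFORE):
        print("BEFORE:", f)
    print("AFTER findings:", lint(fixed_template()))
```

Run against the constructed "before" template it reports the blocked TCP/514 syslog flow, the blocked TCP/22 SSH NAT pool and the bad namespace; against the corrected template it reports nothing. To use it on the real `azureDeploy.json`, pass the file contents to `lint()`; parameterised values such as `"[parameters('sshPort')]"` would need resolving first, which this example deliberately leaves out.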