Logging within public Cloud environments, such as Azure, differs in several ways from logging in traditional IT environments. First, legacy protocols such as Syslog are discouraged, and more modern technologies such as APIs, webhooks and message buses are used for transport. Second, the log sources that are available, and the types of visibility they offer, may differ from traditional environments, which requires training and retooling. And lastly, all Cloud Service Providers (CSPs) provide Cloud Native logging and monitoring services, which may or may not meet security and operational requirements.
Below are the 5 layers of Cloud Logs you need to know about:
The Control Plane Layer
Each CSP will provide “Control Plane” logs which track authentication, human and non-human interactions via the API or the GUI, and the deployment of assets within the Cloud. These logs are arguably the most important from a security monitoring perspective. Active Directory, Azure Activity and Azure Resource logs would be considered control plane logs.
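To show what a SIEM-side triage of control plane logs looks like, here is an added example (not code from the original post). It reads a constructed newline-delimited JSON export laid out like the Azure Activity log schema fields (operationName, resultType, caller, callerIpAddress, resourceId), flags successful operations that change privileges, change firewall rules or remove the diagnostic settings that feed the SIEM, and keeps failed attempts in a separate list. The list of sensitive operation names is an assumption chosen for illustration, not an official list, and the subscription and resource ids are placeholders.

```python
"""Triage of Azure Activity (control plane) log records: added example."""
import json
from collections import Counter

# Assumed list of control plane operations worth reviewing when they succeed:
# privilege changes, firewall rule changes, and removal of the diagnostic
# settings that export logs to the SIEM (a classic log-tampering signal).
SENSITIVE_OPERATIONS = {
    "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE": "privilege change",
    "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE": "firewall rule change",
    "MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE": "logging disabled",
}

# Constructed sample export (newline-delimited JSON, one record per line).
# SUB-ID and ID-1 are placeholders, not real identifiers.
SAMPLE_RECORDS = """\
{"time":"2024-01-10T08:01:12Z","operationName":"MICROSOFT.COMPUTE/VIRTUALMACHINES/START/ACTION","resultType":"Success","caller":"alice@example.com","callerIpAddress":"203.0.113.10","resourceId":"/subscriptions/SUB-ID/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/web01"}
{"time":"2024-01-10T08:03:40Z","operationName":"MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE","resultType":"Success","caller":"svc-deploy@example.com","callerIpAddress":"198.51.100.7","resourceId":"/subscriptions/SUB-ID/providers/Microsoft.Authorization/roleAssignments/ID-1"}
{"time":"2024-01-10T08:04:02Z","operationName":"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE","resultType":"Success","caller":"svc-deploy@example.com","callerIpAddress":"198.51.100.7","resourceId":"/subscriptions/SUB-ID/providers/microsoft.insights/diagnosticSettings/to-siem"}
{"time":"2024-01-10T08:05:15Z","operationName":"MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE","resultType":"Failed","caller":"bob@example.com","callerIpAddress":"203.0.113.22","resourceId":"/subscriptions/SUB-ID/resourceGroups/rg-app/providers/Microsoft.Network/networkSecurityGroups/nsg-web/securityRules/allow-any"}
"""


def parse_records(ndjson_text):
    """Parse a newline-delimited JSON export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in ndjson_text.splitlines() if line.strip()]


def triage(records):
    """Split sensitive operations into successful ones (alerts) and failed attempts.

    Failed attempts are kept rather than dropped: a burst of failures against
    role assignments or firewall rules is itself worth an analyst's attention.
    """
    result = {"succeeded": [], "failed": []}
    for rec in records:
        label = SENSITIVE_OPERATIONS.get(rec.get("operationName", "").upper())
        if not label:
            continue
        entry = {
            "time": rec.get("time"),
            "caller": rec.get("caller"),
            "ip": rec.get("callerIpAddress"),
            "label": label,
            "resource": rec.get("resourceId"),
        }
        bucket = "succeeded" if rec.get("resultType") == "Success" else "failed"
        result[bucket].append(entry)
    return result


def activity_by_caller(records):
    """Count how many control plane operations each identity performed."""
    return Counter(rec.get("caller", "<unknown>") for rec in records)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for alert in triage(recs)["succeeded"]:
        print(f"{alert['time']} {alert['label']:<20} {alert['caller']} from {alert['ip']}: {alert['resource']}")
    print(activity_by_caller(recs))
```

Running the block prints the two successful sensitive operations made by svc-deploy@example.com (a role assignment write followed by deletion of the diagnostic settings) and the per-caller counts; the failed rule write by bob@example.com lands in the `failed` list instead.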
The Network Layer
Traditionally, Computer Security Incident Response Teams (CSIRTs) rely heavily on firewall and network logs to piece together an incident. However, in a Cloud Native world, networks are software-defined, firewalls are optional, and Cloud assets, if they have an IP at all, are ephemeral, which makes incident response very challenging. That said, CSPs do provide some network visibility, similar to NetFlow logs, which gives a summary of network connections rather than a 1:1 log of each connection. These logs are verbose and usually disabled by default.
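The summary nature of this visibility is easiest to see on real records, so here is an added example (not from the original post) that parses constructed NSG flow log tuples and rolls them up the way an analyst would: one row per flow state rather than per packet, with begin/continue/end rows for the same connection folded into a single summary line. The tuples follow the 13-field layout of NSG flow log version 2 (timestamp, source, destination, ports, protocol, direction, decision, flow state, then packet and byte counters in both directions); the addresses, ports and counters are made up.

```python
"""Summarising Azure NSG flow log tuples (network layer): added example."""
from collections import Counter, defaultdict

# Constructed sample tuples in the NSG flow log v2 layout:
# ts,src,dst,sport,dport,proto(T/U),dir(I/O),decision(A/D),state(B/C/E),
# packetsSrcToDst,bytesSrcToDst,packetsDstToSrc,bytesDstToSrc
SAMPLE_FLOW_TUPLES = [
    "1704873600,10.0.0.4,203.0.113.50,51820,443,T,O,A,B,,,,",
    "1704873605,10.0.0.4,203.0.113.50,51820,443,T,O,A,E,12,1800,9,5400",
    "1704873610,198.51.100.9,10.0.0.4,40001,22,T,I,D,B,,,,",
    "1704873611,198.51.100.9,10.0.0.4,40002,22,T,I,D,B,,,,",
    "1704873612,198.51.100.9,10.0.0.4,40003,22,T,I,D,B,,,,",
    "1704873620,10.0.0.5,10.0.0.4,53121,3389,T,I,A,B,,,,",
]


def parse_flow_tuple(tuple_str):
    """Decode one v2 flow tuple into a dict; empty counters (begin rows) count as zero."""
    fields = tuple_str.split(",")
    if len(fields) != 13:
        raise ValueError(f"expected 13 fields, got {len(fields)}: {tuple_str!r}")
    (ts, src, dst, sport, dport, proto, direction, decision, state,
     pk_out, by_out, pk_in, by_in) = fields

    def to_int(value):
        return int(value) if value else 0

    return {
        "ts": int(ts),
        "src": src,
        "dst": dst,
        "sport": int(sport),
        "dport": int(dport),
        "proto": {"T": "TCP", "U": "UDP"}.get(proto, proto),
        "direction": {"I": "inbound", "O": "outbound"}.get(direction, direction),
        "decision": {"A": "allow", "D": "deny"}.get(decision, decision),
        "state": state,
        "packets": to_int(pk_out) + to_int(pk_in),
        "bytes": to_int(by_out) + to_int(by_in),
    }


def summarize_flows(tuple_strs):
    """Aggregate per (src, dst, dport, decision): number of flows and total bytes.

    Only a 'B' (begin) row starts a new flow; 'C' and 'E' rows update a flow
    that was already counted, so their bytes are added but the flow is not.
    """
    summary = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for tuple_str in tuple_strs:
        flow = parse_flow_tuple(tuple_str)
        key = (flow["src"], flow["dst"], flow["dport"], flow["decision"])
        if flow["state"] == "B":
            summary[key]["flows"] += 1
        summary[key]["bytes"] += flow["bytes"]
    return dict(summary)


def denied_inbound_sources(tuple_strs, threshold):
    """Sources whose inbound flows were denied at least `threshold` times."""
    counts = Counter()
    for tuple_str in tuple_strs:
        flow = parse_flow_tuple(tuple_str)
        if flow["direction"] == "inbound" and flow["decision"] == "deny" and flow["state"] == "B":
            counts[flow["src"]] += 1
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for (src, dst, dport, decision), stats in summarize_flows(SAMPLE_FLOW_TUPLES).items():
        print(f"{src:>14} -> {dst:<14} :{dport:<5} {decision:<5} flows={stats['flows']} bytes={stats['bytes']}")
    print("repeatedly denied inbound sources:", denied_inbound_sources(SAMPLE_FLOW_TUPLES, 3))
```

Note what the summary cannot tell you: the single HTTPS connection from 10.0.0.4 appears as one line with 7200 bytes in total, with no payload and no per-packet timing, which is exactly the gap the paragraph above describes. Because flow logging is off by default, the first check during an incident is whether it was enabled for the affected NSGs at all.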
The Operating System Layer
Operating system level logs are another favourite of CSIRT teams and provide granular details of user interactions with the OS and the file system, along with which applications and services are running on the host and what they are doing. Traditionally these logs were forwarded via Syslog (Linux) or pulled via WMI (Windows); however, CSPs have tried to discourage network layer collection and transport protocols and have moved towards installing an agent within the operating system which transparently transports the logs to a central location such as Log Analytics or Event Hub.
The Platform as a Service Layer
This will be the broadest category of logs, as it covers the plethora of CSP Cloud Native services. Logs from this layer would include Database as a Service, Kubernetes (K8s) as a Service, as well as storage and serverless services. Most of these logs are automatically collected within the CSP's basic logging facilities (Log Analytics or Event Hub) and should be collected by a SIEM.
The Application Layer
The last layer is the application layer, which represents both SaaS offerings and custom developed applications. This layer is increasingly important as we move away from owning the lower layers of the IT stack, and it captures authentication, authorization and action events.