How to monitor Ribbon SBC using Azure Log Analytics

In this tutorial I will be teaching you how to configure monitoring of your Ribbon SBC appliance using Microsoft Azure Log Analytics.

Particularly useful as Ribbon currently do not provide a monitoring solution for Ribbon SBC on Azure.

Let’s face it, Azure monitoring is downright awesome. It’s super easy to get going, inexpensive (compared to other 3rd party products) and the potential is limitless!


We will be building an Ubuntu Server Linux virtual machine to act as an intermediary syslog gateway for Ribbon SBC SWeLite to forward logs into an Azure Log Analytics Workspace.

High Level Design


  1. Azure subscription.
  2. Azure Log Analytics workspace.
  3. Ribbon SBC hosted in Azure (I am using SWeLite 9.0.1 in this guide).
  4. Network connectivity between Ribbon SBC and Linux VM.
    1. In this guide, there is a VNET peer between the Linux VM and Ribbon SBC network. They are both in Azure.

Note: There will be a small operational expenditure with this exercise as you will be creating a new Linux virtual machine in Azure.

If you have a pre-existing Linux VM in Azure you can use that without incurring additional costs.

Provision Linux VM

We are provisioning a Ubuntu Server 18.04 Linux VM for this exercise as it is cheap and secure.

  1. Within Azure Portal, click Create a resource.
  1. Within Search the Marketplace bar, enter Ubuntu and click Ubuntu Server 18.04 LTS.
  1. Click Create.
  1. Give your new Ubuntu Server Linux VM a name and customise. In this guide we are using B1ls as it is the least expensive.
  1. Your configuration screen should look like above exhibit.
  2. Create your virtual machine when ready.
  3. Finish.

Install Log Analytics Agent

Log Analytics Agent (formerly known as OMS agent) installation guide for PROD-UBUNTU-01 virtual machine. This will act as our syslog gateway for Ribbon / Sonuc SBC.

Note: An Azure Log Analytics workspace is a prerequisite for this section.

  1. In Azure Portal, search for “Log Analytics” in the top search bar and click to open.
  1. Click to open your Log Analytics workspace.
  1. Within newly opened blade on the right of your screen, click Virtual machines under Workspace Data Sources.
  1. Within distant right-hand blade, click to open our newly created Linux VM. It is PROD-Ubuntu-01 my example below.
  1. Click Connect.
  1. Log Analytics monitoring agent is now deploying to our Linux VM. This can take up to 5 minutes to complete.
  2. Once it is complete and the agent is connected to our workspace, click Advanced settings within Log Analytics workspace blade.
  1. Click Data > Syslog > within facility search bar in right pane, type local0 and click +. Ribbon SBC will only utilise local0 per below instructions.
  1. Ensure all facility options ranging from EMERGENCY to DEBUG are ticked.
  2. Click Save.
  3. Connect to the Linux VM using SSH. For instructions on how to SSH to an Azure hosted Linux VM, check this out.
  4. Once successfully logged on, execute the following command to enable Rsyslog remote log forwarding. sudo vi /etc/rsyslog.d /95-omsagent.conf.
  1. Append the following two lines at end of the file, save and close VI.
  1. Restart the rsyslog service using the command sudo service rsyslog restart.
  2. Verify that our Linux VM is listening on port 514 using the command netstat -an | grep 514.
  1. Finish.

Our Ubuntu Server Linux virtual machine is now configured to act as a syslog gateway to forward logs to our Log Analytics workspace. Our next action is to configure Ribbon SBC to send remote syslogs to our Ubuntu Server Linux VM.

Enable Ribbon SBC Remote Syslog

  1. Navigate to your Ribbon SBC appliance’ web GUI. You can do this via its management IP.
  1. Click Settings > Remote Log Servers > +.
  1. A pop-up window will appear, enter the following settings.
    1. Global Log Level: Informational
    2. Log Destination: Ubuntu Server Linux VM IP
    3. Port: 514
    4. Protocol: UDP
    5. Log Facility: local0 (Local Use 0)
    6. Enabled: Yes
  1. Click OK.
  2. Finish.

Viewing Logs

We can now see logs begin to feed into our Log Analytics Workspace.

  1. In Azure Portal, search for “Log Analytics” in the top search bar and click to open.
  1. Click to open your Log Analytics workspace.
  1. Click Logs.
  1. Execute the following KQL query;

| where TimeGenerated > ago(24h)
| where Computer contains "RIBBON SBC IP ADDRESS"

  1. Congratulations! We can now see syslogs from Ribbon SBC in Azure Log Analytics.

Next Actions

Next steps are to configure Azure alerts and actions based on event severity level.

For example we can configure an action to send email to a Microsoft Teams channel or raise a ServiceNow ticket using an ITSM hook when there is a “warn” or “critical” severity level event. The possibilities are endless.

Stay tuned!