Aug 2021

August 2021 Newsletter

Collecting logs from Industrial Control Systems (ICS) / Supervisory Control and Data Acquisition (SCADA) Systems

Similar to other networked computer systems, ICS generates a wide variety of logs in various formats. Some are channeled through Windows Event Log, some are saved in files and databases, while others might represent network activity logged by passive network monitoring. These logs provide important information, in real-time, that can be used to determine the state, health, and security of the industrial systems that generated them, but there are two main challenges when it comes to ICS logging:

  • The standardization and formatting of logs are not as mature as in conventional computer systems. It is common for a single system or component to generate a set of logs that are stored in the same directory but written in completely different formats, which makes collection and parsing a significant challenge
  • The widespread use of industry-specific network protocols that ICS need to communicate with field devices, such as Modbus, BACnet, S7 Protocol, IEC 60870-5-104, PROFINET, and IEC 61850

Now you can take care of these issues with our tools. Collect logs from all possible sources on ICS and SCADA systems. Learn more

Top 5 Windows Security logs everyone should collect

Windows provides a wealth of security logs, where each log entry is associated with an Event ID. These logs carry a wide variety of information, ranging from authentication events to policy changes. But the question is, which security logs should you really be collecting?

With thousands of possible events, it is essential to carefully select the right ones for your security needs. To increase the signal-to-noise ratio of the Windows logs used for security monitoring, it's crucial to focus on the critical information within the logs: the events that are useful for intrusion detection or that can be associated with other types of malicious activity.

See the Top 5 Windows Security Logs that will give you a good starting point for collecting a meaningful set of events worthy of analysis.

Forwarding logs to Elasticsearch using the Elastic Common Schema (ECS)

Data arriving in different formats requires normalization to align events with ECS, an open-source specification that defines a common set of fields to be used when storing event data in Elasticsearch. In general, ECS aims to provide a consistent data structure that facilitates analysis, correlation, and visualization of data from diverse sources.

NXLog can easily assist in the normalization of data by means of its input and extension modules, its built-in regular expression support, and its various string manipulation functions. In this guide, we provide examples of how to normalize log records collected from different sources before they are forwarded to Elasticsearch.

Start normalizing event data with NXLog in a format that complies with ECS.
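As an added illustration of the normalization idea (this is not code from the NXLog guide linked above), the Python below maps two constructed records in unrelated formats, a syslog sshd line and a simplified key=value rendering of a Windows Security event, onto the same standard ECS field names so that one query on `source.ip` or `user.name` covers both. The sample lines, the key=value layout, and the year assumed for the syslog timestamp are all assumptions made for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample records (not real data); two sources, two formats.
SAMPLE_SYSLOG = ("Aug 12 14:03:11 web01 sshd[2231]: Failed password for "
                 "invalid user admin from 203.0.113.7 port 51234 ssh2")
SAMPLE_WINLOG = ("2021-08-12T14:05:42Z host=DC01 EventID=4625 "
                 "TargetUserName=jdoe IpAddress=198.51.100.23 Status=0xC000006D")

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
                       r"(?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
SSH_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) "
                         r"from (?P<ip>\S+) port (?P<port>\d+)")
KV_RE = re.compile(r"(\w+)=(\S+)")

def normalize_syslog(line, year=2021):
    """Map a BSD-syslog sshd line onto ECS fields (year is assumed: syslog omits it)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    ecs = {"@timestamp": ts.replace(tzinfo=timezone.utc).isoformat(),
           "host.name": m["host"], "process.name": m["proc"],
           "process.pid": int(m["pid"]), "event.dataset": "syslog",
           "message": m["msg"]}
    f = SSH_FAIL_RE.search(m["msg"])
    if f:  # enrich with the authentication-specific ECS fields
        ecs.update({"event.category": "authentication", "event.action": "ssh_login",
                    "event.outcome": "failure", "user.name": f["user"],
                    "source.ip": f["ip"], "source.port": int(f["port"])})
    return ecs

def normalize_winlog(line):
    """Map a simplified key=value Security event onto the same ECS fields."""
    ts, rest = line.split(" ", 1)
    kv = dict(KV_RE.findall(rest))
    ecs = {"@timestamp": ts, "host.name": kv.get("host"),
           "event.code": kv.get("EventID"), "event.dataset": "windows.security",
           "message": line}
    if kv.get("EventID") == "4625":  # 4625 = an account failed to log on
        ecs.update({"event.category": "authentication", "event.action": "logon",
                    "event.outcome": "failure", "user.name": kv.get("TargetUserName"),
                    "source.ip": kv.get("IpAddress")})
    return ecs

def shared_fields(a, b):
    """Field names present in both normalized records: what a cross-source query can rely on."""
    return sorted(set(a) & set(b))
```

Once both records carry `source.ip`, `user.name` and `event.outcome`, a single Elasticsearch query or dashboard filter spans the Linux and Windows authentication failures without source-specific parsing.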

SAP platform logs - How to collect them?

The SAP platform is made up of various components, at the center of which are the SAP NetWeaver Application Server and the SAP HANA relational database management system. Logging from these components can assist in troubleshooting issues or mitigating security threats, while certain logging is required for security auditing and compliance.

NXLog can integrate with the SAP platform to collect and streamline logs from different components, and save them in a central repository or forward them to a SIEM. Here you'll see how to collect and parse SAP logs commonly used for troubleshooting and auditing, including:

  • SAP NetWeaver Application Server logs
  • SAP HANA logs
  • Internet Communication Manager (ICM) logs
  • Web Dispatcher logs

Collect logs from the different SAP platform components.

Top Social Media Chatter August

What did the community have to say about NXLog on social media? Tweet us or share our updates with us on LinkedIn for an opportunity to be listed in this newsletter.

Reddit Posts

  • NXLog as a solution for sending logs to Graylog - instead of Filebeat - See discussion
  • NXLog gets recommended to selectively forward logs to a hosted ELK service - See discussion

Other places

  • Blumira's case study in which they integrated their solution with NXLog to easily centralize the logs for threat detection and response - Read case study
  • VOL (a Polish IT security company) on the centralization and unification of logs with NXLog - Read article
  • Article about the Fundamentals of SIEM referencing NXLog for Agent-based and Agentless log collection - Read article
