August 2021 Newsletter
Collecting logs from Industrial Control Systems (ICS) / Supervisory Control and Data Acquisition (SCADA) Systems
Like other networked computer systems, ICS generate a wide variety of logs in many formats. Some are channeled through the Windows Event Log, some are written to files and databases, and others record network activity captured by passive network monitoring. These logs provide real-time information that can be used to determine the state, health, and security of the industrial systems that generated them, but ICS logging poses two main challenges:
- Log standardization and formatting are less mature than in conventional computer systems. It is common for a single system or component to generate a set of log files that are stored in the same directory yet have completely different formats, which poses a significant challenge for collection and parsing
- The widespread use of industry-specific network protocols that ICS need in order to communicate with various devices, such as Modbus, BACnet, S7 Protocol, IEC 60870-5-104, PROFINET, and IEC 61850
Now you can take care of these issues with our tools. Collect logs from all possible sources on ICS and SCADA systems. Learn more
Windows provides a wealth of security logs, where each log entry is associated with an Event ID. These logs carry a wide variety of information, ranging from authentication events to policy changes. But the question is, which security logs should you really be collecting?
With thousands of event types, it is essential to carefully select the ones that matter for your security needs. To increase the signal-to-noise ratio of the Windows logs used for security monitoring, it is crucial to extract the critical information within them: the events that are useful for intrusion detection or that can be associated with other types of malicious activity.
See the Top 5 Windows Security Logs, which will give you a good starting point for collecting a meaningful set of events worth analyzing.
Data arriving in different formats must be normalized to align events with the Elastic Common Schema (ECS), an open-source specification that defines a common set of fields to be used when storing event data in Elasticsearch. In general, ECS aims to provide a consistent data structure that facilitates analysis, correlation, and visualization of data from diverse sources.
NXLog can easily assist with data normalization through its input and extension modules, built-in regular expression support, and various string manipulation functions. In this guide, we show examples of how to normalize log records collected from different sources before they are forwarded to Elasticsearch.
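As an added illustration of the normalization step described above (example code written for this newsletter, not NXLog's own code or configuration, and in Python rather than NXLog's configuration language), the snippet below maps two constructed records of different formats, a syslog-style line and a key=value line from a Windows agent, onto ECS field names such as @timestamp, event.code, user.name and source.ip. The host names, addresses and timestamps are made up, and timestamps are assumed to be UTC.

```python
import re
from datetime import datetime

# Constructed sample records, not real logs: the same failed logon by the same
# source, once as a syslog line from a Linux gateway, once as key=value pairs
# emitted by a Windows agent for Event ID 4625.
SYSLOG_LINE = ("Aug 12 10:15:02 plc-gw01 sshd[2231]: Failed password for operator "
               "from 10.0.5.17 port 51022 ssh2")
WIN_LINE = ("2021-08-12T10:16:40Z Hostname=hmi-ws02 EventID=4625 "
            "TargetUserName=operator IpAddress=10.0.5.17 Status=0xC000006D")

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"(?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
SSH_FAIL_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
KV_RE = re.compile(r"(\w+)=(\S+)")
ECS_TS = "%Y-%m-%dT%H:%M:%SZ"   # timestamps assumed UTC


def to_ecs(line, year=2021):
    """Map one raw line to ECS field names (dotted keys, which Elasticsearch
    expands into nested objects). Returns None for lines neither parser accepts."""
    m = SYSLOG_RE.match(line)
    if m:
        # syslog timestamps carry no year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        doc = {"@timestamp": ts.strftime(ECS_TS), "host.name": m["host"],
               "process.name": m["proc"], "process.pid": int(m["pid"]),
               "message": m["msg"]}
        f = SSH_FAIL_RE.search(m["msg"])
        if f:   # enrich with the authentication fields ECS expects
            doc.update({"event.category": "authentication", "event.outcome": "failure",
                        "user.name": f["user"], "source.ip": f["ip"],
                        "source.port": int(f["port"])})
        return doc
    ts, _, rest = line.partition(" ")
    kv = dict(KV_RE.findall(rest))
    try:
        datetime.strptime(ts, ECS_TS)
    except ValueError:
        return None
    if "EventID" not in kv:
        return None
    doc = {"@timestamp": ts, "host.name": kv.get("Hostname"),
           "event.code": kv["EventID"], "message": rest}
    if kv["EventID"] == "4625":   # Windows "An account failed to log on"
        doc.update({"event.category": "authentication", "event.outcome": "failure",
                    "user.name": kv.get("TargetUserName"), "source.ip": kv.get("IpAddress")})
    return doc
```

Once both records share the same field names, a single query on user.name and source.ip correlates the two events regardless of which system produced them.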
The SAP platform is made up of various components, at the center of which are the SAP Netweaver Application Server and the SAP HANA relational database management system. Logging from these components can assist in troubleshooting issues or mitigating security threats, while certain logging is required for security auditing and compliance.
NXLog can integrate with the SAP platform to collect and streamline logs from different components, and save them in a central repository or forward them to a SIEM. Here you'll see how to collect and parse SAP logs commonly used for troubleshooting and auditing, including:
- SAP NetWeaver Application Server logs
- SAP HANA logs
- Internet Communication Manager (ICM) logs
- Web Dispatcher logs
Top Social Media Chatter August
- NXLog as a solution for sending logs to Graylog - instead of Filebeat - See discussion
- NXLog gets recommended to selectively forward logs to a hosted ELK service - See discussion
- Blumira's case study, in which they integrated their solution with NXLog to easily centralize logs for threat detection and response - Read case study
- A post by VOL (a Polish IT security company) about the centralization and unification of logs with NXLog - Read article
- Article about the Fundamentals of SIEM referencing NXLog for Agent-based and Agentless log collection - Read article