19 Apr

How to add network device to Microsoft Operations Management Suite using syslog

Microsoft Operations Management Suite is nice, and in some cases free, tool to manage and search through logs. But it’s dedicated to Windows and Linux operating systems by default. In many environments, especially those most secure ones, huge amount of logs are generated by network devices. Firewalls placed on the edge between Internet and DMZ zone quite often are set up to log all denied connections. Those firewalls can produce significant volume of logs that need to be searched and analyzed. Microsoft Operations Management Suite seems to be perfect tool for that but there is no native support of such feature. But we can implement this doing small workaround. Let’s look how to add network device to Microsoft Operations Management Suite using syslog.

Network devices uses syslog for sending logs to central collector or collectors. Some of them, like Juniper SRX’s, can do basic filtering directly on device before sending to collector, other like Cisco ASA lacks such feature.

Microsoft Operations Management Suite agent for Linux is based on Fluend, which includes native support for syslog protocol. When agent is installed  it automatically configures rsyslog and syslog-ng to write all warning and above events to its listener on port 25224. That means what we have to do is just use our Linux server to collect log messages from network devices and then agent will forward it to Microsoft Operations Management Suite.

Syslog configuration

We need to configure local syslog to receive logs from external source. If we use rsyslog the easiest way would be enabling UDP listener on port 514. To do this we need to find almost at the beginning of /etc/rsyslog.conf file following lines and uncomment the configuration

# provides UDP syslog reception
 $ModLoad imudp
 $UDPServerRun 514

If we send logs over the Internet or WAN link more suitable option is to enable syslog reception on TCP port

# provides TCP syslog reception
 $ModLoad imtcp
 $InputTCPServerRun 514

We can enable both UDP and TCP at the same time. I’ll add one more line to filter local5.* facility to separate file – all logs from Juniper I’ll send using the local5 facility.

local5.* /var/log/juniper.log

That’s pretty much completes rsyslog configuration

Configuring Juniper SRX

We can collect logs from any network device as long as it can send syslog messages to defined server. Here is example of Juniper SRX configuration

system {
    syslog {
        host 172.16.15.213 {
            any any;
            allow-duplicates;
            facility-override local5;
            log-prefix SRX220H;
        }
        time-format year millisecond;
    }
}

This will override the facility sending all logs as local5 to collector and will add prefix “SRX220H” to each entry. If you want to generate good amount of logs quickly enable logging of all connections between two zones, if this is edge router then between internal network and Internet. Then run torrent which can generate nice amount of connections.

policy LAN-to-INTERNET {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit;
        log {
            session-init;
            session-close;
        }
    }
}

If we set up everything correctly (don’t forget to allow traffic on firewalls if required) then we should see copy of our logs in /var/log/juniper.log on Linux collector

Microsoft Operations Management Suite Configuration

We set the facility of log to local5. We need to add now this facility on OMS console, because by default it’s ignored. To do that on dashboard we need to select Settings and then Data -> Syslog and add local5 facility with all logging level.

Capture-OMS-Syslog-Facility.PNG

Adding syslog facility configuration to OMS

We are now saving the configuration and applying it to all agents. After few minutes we will see first logs in OMS statistics

Capture-OMS-Data-Volume.PNG

Logging from Cisco ASA and log format parsing

We can see that the solution is not perfect – new logs source is recognized as 2017 instead of correct hostname but that can be fixed with proper scripts and configuration tuning. There are specialized Microsoft partners who write such scripts or configuration parser.

Syslog from Juniper SRX captured in OMS

Syslog from Juniper SRX captured in OMS

If you want to deploy such logging for Cisco ASA the there is a plugin and documentation available on Microsoft’s GitHub

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.