How to add network device to Microsoft Operations Management Suite using syslog
Microsoft Operations Management Suite is a nice, and in some cases free, tool for managing and searching through logs, but by default it is dedicated to the Windows and Linux operating systems. In many environments, especially the most secure ones, a huge amount of logs is generated by network devices. Firewalls placed on the edge between the Internet and the DMZ zone are quite often set up to log all denied connections, and such firewalls can produce a significant volume of logs that need to be searched and analyzed. Microsoft Operations Management Suite seems to be the perfect tool for that, but there is no native support for such a feature. We can implement it with a small workaround. Let's look at how to add a network device to Microsoft Operations Management Suite using syslog.
Network devices use syslog to send logs to a central collector or collectors. Some of them, like the Juniper SRX, can do basic filtering directly on the device before sending to the collector; others, like the Cisco ASA, lack such a feature.
The Microsoft Operations Management Suite agent for Linux is based on Fluentd, which includes native support for the syslog protocol. When the agent is installed it automatically configures rsyslog and syslog-ng to write all events of severity warning and above to its listener on port 25224. That means all we have to do is use our Linux server to collect log messages from the network devices, and the agent will then forward them to Microsoft Operations Management Suite.
Syslog configuration
We need to configure the local syslog daemon to receive logs from an external source. If we use rsyslog, the easiest way is to enable the UDP listener on port 514. To do this, find the following lines near the beginning of /etc/rsyslog.conf and uncomment the configuration:
# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
If we send logs over the Internet or a WAN link, the more suitable option is to enable syslog reception on TCP port 514:
# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
We can enable both UDP and TCP at the same time. I'll add one more line to write the local5.* facility to a separate file; all logs from the Juniper I'll send using the local5 facility.
local5.* /var/log/juniper.log
That pretty much completes the rsyslog configuration.
Configuring Juniper SRX
We can collect logs from any network device as long as it can send syslog messages to a defined server. Here is an example Juniper SRX configuration:
system {
    syslog {
        host 172.16.15.213 {
            any any;
            allow-duplicates;
            facility-override local5;
            log-prefix SRX220H;
        }
        time-format year millisecond;
    }
}
This overrides the facility, sending all logs to the collector as local5, and adds the prefix "SRX220H" to each entry. If you want to generate a good amount of logs quickly, enable logging of all connections between two zones; if this is an edge router, then between the internal network and the Internet. Then run a torrent, which can generate a nice number of connections.
policy LAN-to-INTERNET {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit;
        log {
            session-init;
            session-close;
        }
    }
}
If we set everything up correctly (don't forget to allow the traffic on firewalls if required), we should see a copy of our logs in /var/log/juniper.log on the Linux collector.
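To make the routing rules above concrete, here is an added example (not code from the post, nor part of OMS or rsyslog) that decodes the syslog PRI header and emulates three decisions in this pipeline: whether the rsyslog selector local5.* writes a message to /var/log/juniper.log, whether the OMS agent forwards it with its default settings, and whether it forwards it once local5 has been added with all logging levels in the OMS console. The sample datagrams are constructed, the SRX lines only mimic the local5 override and SRX220H prefix from the Junos config, and the set of facilities the agent forwards by default is an assumption (the post states only that warning-and-above events are forwarded and that local5 is ignored until added).

```python
import re

# Facility and severity names in numeric order, using the names rsyslog selectors accept.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(raw):
    """Return (facility, severity, rest) for one raw syslog line; PRI = facility * 8 + severity."""
    m = PRI_RE.match(raw)
    if not m:
        raise ValueError("no <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        raise ValueError("PRI %d out of range" % pri)
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity], m.group(2)


def at_least(severity, threshold):
    """True if severity is as urgent as threshold or more (a lower code is more urgent)."""
    return SEVERITIES.index(severity) <= SEVERITIES.index(threshold)


def matches_rsyslog_selector(selector, facility, severity):
    """Evaluate one rsyslog selector such as 'local5.*' or '*.warning'."""
    sel_fac, sel_sev = selector.split(".", 1)
    if sel_fac not in ("*", facility):
        return False
    return sel_sev == "*" or at_least(severity, sel_sev)


def agent_forwards(facility, severity, oms_syslog_settings):
    """Emulate the OMS agent: forward only facilities enabled in the OMS console,
    at or above the minimum level selected for that facility."""
    threshold = oms_syslog_settings.get(facility)
    return threshold is not None and at_least(severity, threshold)


# Constructed sample datagrams (not real SRX or sshd output). The first two carry the
# local5 facility override and SRX220H log-prefix from the Junos config on the page.
SAMPLES = [
    "<173>Jan  5 10:21:33 srx SRX220H: RT_FLOW: RT_FLOW_SESSION_CREATE: 10.0.0.5/51234->93.184.216.34/443",  # local5.notice
    "<172>Jan  5 10:21:34 srx SRX220H: RT_FLOW: RT_FLOW_SESSION_DENY: 10.0.0.7/40001->93.184.216.34/23",     # local5.warning
    "<38>Jan  5 10:22:01 collector sshd[1234]: Accepted publickey for ops from 10.0.0.9",                     # auth.info
    "<36>Jan  5 10:22:02 collector sshd[1235]: Failed password for root from 10.0.0.9",                       # auth.warning
    "Jan  5 10:22:03 collector line without a PRI header",
]

# Assumed default OMS agent settings (the post only says warning-and-above is forwarded
# and local5 is ignored by default); the facility list here is illustrative.
OMS_DEFAULT = {"auth": "warning", "daemon": "warning", "syslog": "warning"}
# After Settings -> Data -> Syslog -> add local5 with all logging levels on the OMS dashboard.
OMS_WITH_LOCAL5 = dict(OMS_DEFAULT, local5="debug")


def classify(raw, oms_settings):
    """Decide where one raw line ends up: the juniper.log file and/or the OMS agent."""
    facility, severity, _ = decode_pri(raw)
    return {
        "facility": facility,
        "severity": severity,
        "juniper_log": matches_rsyslog_selector("local5.*", facility, severity),
        "to_oms": agent_forwards(facility, severity, oms_settings),
    }


def classify_all(samples, oms_settings):
    """Classify every sample; lines without a <PRI> header are counted, not routed
    (rsyslog itself would fall back to a default priority for them)."""
    results, no_pri = [], 0
    for raw in samples:
        try:
            results.append(classify(raw, oms_settings))
        except ValueError:
            no_pri += 1
    return results, no_pri


if __name__ == "__main__":
    for label, settings in (("default", OMS_DEFAULT), ("local5 enabled", OMS_WITH_LOCAL5)):
        results, no_pri = classify_all(SAMPLES, settings)
        print("== OMS syslog settings: %s (lines without PRI: %d)" % (label, no_pri))
        for r in results:
            print("%-8s %-8s juniper.log=%-5s to_oms=%s"
                  % (r["facility"], r["severity"], r["juniper_log"], r["to_oms"]))
```

Running it shows the point of the OMS console step: with the assumed defaults both SRX session messages reach /var/log/juniper.log but never the agent, and only after local5 is enabled with all levels do they appear in OMS, while the auth.info sshd line is dropped under both settings because it sits below the warning threshold.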
Microsoft Operations Management Suite Configuration
We set the facility of the logs to local5. Now we need to add this facility in the OMS console, because by default it is ignored. To do that, on the dashboard select Settings, then Data -> Syslog, and add the local5 facility with all logging levels.
Now we save the configuration and apply it to all agents. After a few minutes we will see the first logs in the OMS statistics.
Logging from Cisco ASA and log format parsing
We can see that the solution is not perfect: the new log source is recognized as 2017 instead of the correct hostname, but that can be fixed with proper scripts and configuration tuning. There are specialized Microsoft partners who write such scripts or configuration parsers.
If you want to deploy such logging for Cisco ASA, there is a plugin and documentation available on Microsoft's GitHub.