As you probably know, starting from May 2018 (in Europe) all the companies must follow the new GDPR about audit and more. The condition, for auditing, is collect data into a repository untouchable and full secured and we know that this is not easy and cheaper.
Microsoft Operations Management Suite offers the solution to collect log and data in order to give a way to consult and check what happened in a particular moment of the day. This means that we can store logs from our network devices to achieve the policies included into GDPR.
In this article, we will see how to configure a Linux machine to catch syslog from network devices and how to send them in OMS to analyze contents.
Prepare Linux Machine
For this article, I will use Ubuntu 17.04; after the setup, is necessary install the package requirements with the command: apt-get install openssl curl python-ctypes
NB: without these components, the agent setup will fail.
After this, we can install the OMS Agent: inside the Settings area there’s an URL to download and onboard the agent directly with our Workspace, as showed in figure 1.
Figure 1 – Download and Onboard Agent
Into Linux machine run the command to install the agent and wait a couple of minutes to enable the communication between computer and OMS, as showed in figure 2.
Figure 2 – Agent Connected
Enable Rsyslog
To catch syslog from external devices, is necessary configure rsyslog into our Linux machine collector. Rsyslog is already integrated in Ubuntu but is not ready to receive data from outside (for security reasons). To enable reception, edit the file /etc/rsyslog.conf and remove the commit from string module(load=”imudp”) and input(type=”imudp” port=”514″) as showed in figure 3.
Figure 3 – Editing rsyslog.conf
It is also possible use TCP instead UDP but this can increase the overhead of your machine but, from the other hand, increase the reliability. After the change is necessary restart the service.
It’s also possible separate each facilities to save logs in different files. To do this, at the end of configuration file add this string: local6.* /var/log/zyxel.log
Enable Facilities in OMS
By default, there’re no facilities enabled in Operations Management Suite so we can add what we want to collect and this can be done from Settings – Data – Syslog, as showed in figure 4. The Facility Name is defined from network device.
Figure 4 – Facility Name
Enable Syslog on Network Device
The last step is enable the remote logging into network device as showed in figure 5.
Figure 5 – Enable Remote Log
Log Analytics
It’s time to test the result in OMS from Log Analytics as showed in figure 6.
Figure 6 – Query
Local Repository Considerations
When you plan to use a rsyslog machine, it’s very important evaluate how many kinds of data you want collect because the faster disk growing is behind the corner. This means that if you have a virtual machine, could be smart use a NFS path or add another .vdhx (if you use Hyper-V) where store logs.
Considerations
As you can see, in few steps we can save our data into a secure repository on cloud, ready to be analyzed in case of emergency. More details, about customization, can be found at this link: https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-data-sources-syslog
S