
Centralized Syslog Setup

Detection Objective: To aggregate security events from all firewalls, switches, and workstations into a single, tamper-evident location for real-time analysis and post-incident forensics.

Most OT devices have very little local log storage. A firewall might keep only the last 500 lines before overwriting them, so by the time the crew notices a breach the evidence on the device itself is often already gone. A centralized syslog server ensures that every “Login Success,” “Configuration Change,” and “Connection Denied” leaves the device the moment it is generated and is retained off-device for as long as the retention policy requires.

The Logging Architecture

We implement a “Star Topology” where all Category II and III devices push their data to a hardened Log Collector located in the Industrial DMZ (iDMZ).

Step 1: Configure the Collector

The collector (e.g., Graylog, ELK, or a hardened Linux syslog-ng server) must be assigned a static IP on the management VLAN of the iDMZ, and the iDMZ firewall should permit only inbound syslog from the OT senders to that address; no other inbound sessions to the collector are needed.

Step 2: Point the “Senders”

Access the web interface of your OT Firewalls and Managed Switches. Under System > Logging, enter the IP of your collector.
Protocol: prefer syslog over TLS on TCP port 6514 (the RFC 5425 default; some collectors listen on 1514 instead). Plain UDP on port 514 is the legacy default and is unencrypted, unauthenticated and lossy (a dropped datagram is simply lost), so use it only for devices that cannot do TLS and keep those devices confined to the management VLAN.
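A collector configuration covering Step 1 and Step 2 together, as an added example (not the playbook's own configuration, and not vendor material): a syslog-ng collector that accepts syslog over TLS on TCP/6514 with mandatory client-certificate verification, keeps a plain UDP/514 listener only for legacy senders, and writes one file per sending host with both the sender's timestamp and the collector's receipt time. The collector address 10.10.0.5, the certificate paths and the /var/log/ot directory are assumptions; each TLS sender needs a certificate issued by a CA whose certificate sits in the ca.d directory (syslog-ng expects hashed file names there, as produced by openssl rehash).

```conf
@version: 4.2

options {
    keep-hostname(yes);   # trust the HOSTNAME field the device sends
    use-dns(no);          # no reverse lookups: the iDMZ should not depend on DNS
};

# Legacy listener: plain UDP/514, only for devices that cannot do TLS.
# Assumed collector IP 10.10.0.5 on the iDMZ management VLAN.
source s_udp_legacy {
    network(ip("10.10.0.5") transport("udp") port(514));
};

# Preferred listener: RFC 5425 syslog over TLS on TCP/6514.
# Senders must present a certificate chaining to a CA in ca-dir().
source s_tls {
    syslog(
        ip("10.10.0.5") transport("tls") port(6514)
        tls(
            key-file("/etc/syslog-ng/tls/collector.key")
            cert-file("/etc/syslog-ng/tls/collector.crt")
            ca-dir("/etc/syslog-ng/tls/ca.d")
            peer-verify("required-trusted")
        )
    );
};

# One file per sender per day. R_ISODATE is the time the collector received
# the message, S_ISODATE the time stamped by the sender; a gap between the
# two is the quickest way to spot a device that is not on the ship's NTP.
destination d_per_host {
    file("/var/log/ot/${HOST}/${YEAR}${MONTH}${DAY}.log"
         create-dirs(yes) dir-perm(0750) perm(0640)
         template("${R_ISODATE} sent=${S_ISODATE} ${HOST} ${PROGRAM}: ${MESSAGE}\n"));
};

log { source(s_udp_legacy); source(s_tls); destination(d_per_host); };
```

Check the file with `syslog-ng --syntax-only -f /etc/syslog-ng/syslog-ng.conf` before restarting the service. From any Linux host on the management VLAN, `logger -n 10.10.0.5 -P 514 -d --rfc5424 "ETO log test"` confirms the legacy UDP path is reachable; for the TLS path, point one switch at port 6514 and watch its per-host file appear.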

What to Log? (The “Gold Standard”)

Logging “Everything” will flood your storage. To satisfy UR E26 §4.3.3, the ETO must ensure these specific event types are captured:

Authentication Events

  • Successful & Failed Logins
  • Password changes
  • New user creation

Network Security Events

  • Firewall rule violations (Deny logs)
  • VPN tunnel establishment
  • IDS/IPS alerts

Critical Dependency: Time Synchronization

Logs from different devices cannot be correlated, and carry little evidential weight, if their timestamps disagree. Ensure the syslog server and every OT device are synced to the same NTP (Network Time Protocol) source, ideally the ship’s Master Clock; log in UTC or one agreed time zone throughout; and have the collector record its own receipt time next to the sender’s timestamp, so a device that has drifted off NTP shows up as a gap between the two.

Verification for Auditors

To prove compliance, the ETO should be able to perform a “Log Search Test”:

  1. Deliberately fail a login on an Engine Room switch.
  2. Open the Syslog Dashboard.
  3. Show the auditor the entry appearing within 60 seconds, with the switch’s timestamp and the collector’s receipt time agreeing.
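The “Gold Standard” event list, the clock-skew check and the auditor’s Log Search Test, worked over a few constructed syslog lines. This is an added example written for this section, not code from the playbook or from any device vendor: the hostnames, IPs, message wording, the RFC 5424 format and the 5-second skew tolerance are all assumptions. It classifies each received line into one of the required event types, reports which types no sender has produced yet, flags hosts whose sender timestamp is out of step with the collector’s receipt time, and runs the search an ETO would perform after a deliberate failed login.

```python
"""Classify syslog events against the playbook's required event types,
flag clock skew, and run the auditor's log-search test.

Added example; hostnames, IPs, message wording and the 5 s skew
tolerance are assumptions, and SAMPLE_LOG below is constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
# (a single STRUCTURED-DATA element or "-" is enough for these samples)
_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[[^\]]*\]) ?(?P<msg>.*)$"
)

# Required event types; first matching rule wins, so the more specific
# wordings (password change, user creation) are listed before generic auth.
EVENT_RULES = [
    ("password_change", re.compile(r"password (changed|updated)", re.I)),
    ("user_created",    re.compile(r"\buser\b \S+ (created|added)", re.I)),
    ("auth_failure",    re.compile(r"failed password|login failed|authentication fail", re.I)),
    ("auth_success",    re.compile(r"accepted (password|publickey)|login succe", re.I)),
    ("fw_deny",         re.compile(r"\b(deny|denied|drop|dropped|block|blocked)\b", re.I)),
    ("vpn_up",          re.compile(r"(ike|ipsec|tunnel).*\b(established|up)\b", re.I)),
    ("ids_alert",       re.compile(r"\b(ids|ips|snort|suricata)\b", re.I)),
]


def utc_at(h, m, s):
    return datetime(2024, 3, 1, h, m, s, tzinfo=timezone.utc)


# Constructed sample: (collector receipt time, raw line as received).
# bridge-sw02 stamps its message almost two hours behind the collector:
# the symptom of a sender that is not on the ship's NTP source.
SAMPLE_LOG = [
    (utc_at(10, 15, 33), "<85>1 2024-03-01T10:15:32Z er-sw01 sshd 1203 - - Failed password for admin from 10.20.0.44 port 51122 ssh2"),
    (utc_at(10, 15, 41), "<85>1 2024-03-01T10:15:40Z er-sw01 sshd 1203 - - Accepted password for admin from 10.20.0.44 port 51130 ssh2"),
    (utc_at(10, 16, 3),  "<84>1 2024-03-01T10:16:02Z ot-fw01 filterlog 511 - - DENY tcp 10.20.0.44:51200 -> 10.30.0.10:502"),
    (utc_at(10, 16, 10), "<86>1 2024-03-01T08:30:00Z bridge-sw02 config 77 - - User svc_backup created by admin"),
    (utc_at(10, 16, 21), "<85>1 2024-03-01T10:16:20Z ot-fw01 charon 600 - - IKE_SA vpn-shore[3] established between 10.0.0.2[shore] and 10.0.0.1[ship]"),
    (utc_at(10, 16, 31), "<86>1 2024-03-01T10:16:30Z er-sw01 sshd 1203 - - password changed for user admin"),
    (utc_at(10, 16, 36), "<86>1 2024-03-01T10:16:35Z er-sw01 lldpd 300 - - neighbor changed on port 3"),
]


def parse_rfc5424(line):
    """Split one RFC 5424 line into its header fields; PRI = facility*8 + severity."""
    m = _RFC5424.match(line)
    if not m:
        raise ValueError("not RFC 5424: %r" % line)
    pri = int(m["pri"])
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))  # 'Z' unsupported before 3.11
    if ts.tzinfo is None:              # sender omitted the offset: assume UTC
        ts = ts.replace(tzinfo=timezone.utc)
    return {"facility": pri // 8, "severity": pri % 8, "ts": ts,
            "host": m["host"], "app": m["app"], "msg": m["msg"]}


def classify(app, msg):
    """Return the required event type this message satisfies, or None."""
    text = "%s %s" % (app, msg)
    for name, rx in EVENT_RULES:
        if rx.search(text):
            return name
    return None


def ingest(samples):
    events = []
    for received, line in samples:
        ev = parse_rfc5424(line)
        ev["received"] = received
        ev["category"] = classify(ev["app"], ev["msg"])
        ev["skew_s"] = (received - ev["ts"]).total_seconds()   # collector clock minus sender clock
        events.append(ev)
    return events


def missing_categories(events):
    """Required event types that no sender has produced at all."""
    wanted = {name for name, _ in EVENT_RULES}
    seen = {e["category"] for e in events if e["category"]}
    return sorted(wanted - seen)


def skewed_hosts(events, max_skew_s=5.0):
    """Senders whose timestamps disagree with the collector by more than the tolerance."""
    return {e["host"] for e in events if abs(e["skew_s"]) > max_skew_s}


def log_search_test(events, host, attempt_at, category="auth_failure", window_s=60):
    """The auditor's test: the deliberate failed login must be received within window_s."""
    deadline = attempt_at + timedelta(seconds=window_s)
    return [e for e in events
            if e["host"] == host and e["category"] == category
            and attempt_at <= e["received"] <= deadline]


if __name__ == "__main__":
    evs = ingest(SAMPLE_LOG)
    for e in evs:
        print("%-16s %-12s skew=%6.0fs %s" % (e["category"], e["host"], e["skew_s"], e["msg"]))
    print("missing event types:", missing_categories(evs))
    print("hosts off NTP:", skewed_hosts(evs))
    print("search test hits:", len(log_search_test(evs, "er-sw01", utc_at(10, 15, 32))))
```

Two results matter for the audit: `missing_categories` lists the event types for which no sender is reporting (here the IDS/IPS alerts, which means no IDS source has been pointed at the collector yet), and `skewed_hosts` names the devices that failed the time-sync check even though their log entries arrived. The unmatched lldpd line shows the other side of the filter: plenty of traffic reaches the collector that satisfies none of the required types, and it should be stored but not counted as coverage.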

Next Security Phase

Retention & Integrity Rules

Compliance Requirement: IACS UR E26 requires that security logs be protected from unauthorized deletion or modification and retained for a duration sufficient to support incident investigation. Generating logs is only the ...
