Security - Syslog configuration
Available from firmware 2022.0 LTS
Accessibility
This WBM page is accessible with user role:
|
How to get into the WBMHow to get into the WBM
Establishing a connection to the Web-based Management (WBM):
- Open a web browser on your computer.
- In the address field, enter the URL https://<IP-address-of-the-controller>/wbm,
for example: https://192.168.1.10/wbm.
For further information, see WBM.
For developing secure-by-design, IEC 62443‑2 compliant applications with PLCnext Technology, get a good grasp of the concepts used in the Security context.
Syslog Configuration page
In the Syslog Configuration WBM page you can configure connections for logging via syslog-ng, which is a system-wide, real-time capable log management tool.
If a configuration is present in this WBM page then the Syslog Server Destinations table shows the configured server destinations to be used for defined facilities and severity levels. The table provides this information:
- Hostname: The hostname or IP address of the syslog-ng server destination to send the logging messages to.
- Port: The port on which the syslog-ng server waits for syslog messages. Make sure the port is enabled in the firewall settings for outgoing requests.
- Protocol: Transmission protocol to the server. For secure transmission, TLS is recommended which depends on a Trust Store.
- Facilities: Specifies the system type of the messages to be logged.
- Severity Level: The severity level and its short term of the messages to be logged.
These levels are available:- >= Internal (debug)
- >= Information (info)
- >= Warning (warning)
- >= Error (err)
- >= Critical Error (crit)
- >= Fatal Error (alert)
- Emergency (emerg)
Examples:
Selecting err will not send messages on the debug, info, or warning level.
Selecting debug will also send messages that are on all other levels.
Adding a syslog server destination
When opening this WBM page for the first time, the Syslog Server Destinations table will be empty:
- To add a new server configuration entry, click on at the 1 bottom right of the table.
↪ The Add a new Syslog Server Destination entry dialog opens. - Set the 2 hostname, transmission protocol, and transmission port for the destination:
Note: The specified address and the selected port must be enabled in the firewall settings for outgoing requests.
If the TLS protocol is selected a Trust Store for verification must be defined.
- If you know a Trust Store name already, just type in a few characters in the input field. All trust stores that match or start with the entry are then available from the drop-down list.
- If you leave the input field empty, you can select in the drop-down list from all existing Trust Stores.
- Select at minimum one 3 facility and choose a 4 severity level:
- Click
↪ The new entry is then available in the Syslog Server Destinations table.
to add the new configuration entry to the table. - Proceed with entries for other connections and facilities if needed.
- To safe all changes made to the configuration, click the Syslog Server Destinations table.
↪ The configuration is then written to the XML configuration file.
button below the
Editing a server destination
- To edit an existing server destination, press its button at the table's right side 5:
↪ The Edit Syslog server destination dialog opens. - The destination can be edited there in the same way it was created initially:
Deleting a server destination
- To delete a server destination from the Syslog Server Destinations table, click the button at the table's right side 5.
↪ You are prompted to confirm that choice:
Activating and deactivating the syslog configuration
In the General Options table, you can activate or deactivate a configuration:
Activating a syslog configuration
- Check the checkbox 6 and click below the table 7.
↪ The configuration is saved as an XML file in the file system on the controller. Its path is/opt/plcnext/config/Services/Syslog/Syslog.config
.
↪ This XML file is then converted into a syslog-ng capable configuration file and loaded to run the logging.
Deactivating a syslog configuration
- Uncheck the checkbox 6 and click for this change 7.
↪ An empty syslog-ng configuration file is generated, so no messages will be sent to a server destination. An existing XML configuration file will be left unaltered, though. So when you need the same configuration again you can just activate it. Also, if no destination is defined when activating no messages will be sent.