Engineering Workstations (EWS) are high-value targets in industrial environments, offering attackers privileged access and direct control over operations. Without proper monitoring, organizations remain blind to critical threats. LabShock v1.4 now enables agentless EWS log collection, forwarding logs to Tidal Collector without third-party agents—enhancing security without introducing vulnerabilities.
You Should Know:
1. Why EWS Monitoring is Critical
- EWS are prime targets for brute-force attacks, credential theft, and command execution.
- Unauthorized access can lead to operational disruption or sabotage.
2. Enabling Rsyslog for Agentless Logging
To forward EWS logs to Tidal Collector:
1. Install rsyslog (Linux/Windows; the package commands below are for Linux):
   sudo apt-get install rsyslog   # Debian/Ubuntu
   sudo yum install rsyslog       # RHEL/CentOS
2. Configure rsyslog to forward logs:
Edit `/etc/rsyslog.conf` and add (a single `@` forwards over UDP; use `@@` for TCP so that dropped events are retransmitted):
   *.* @<Tidal_Collector_IP>:514
3. Restart rsyslog:
sudo systemctl restart rsyslog
3. Key Detections with LabShock v1.4
- Failed Logins: Detect brute-force attempts:
   grep "Failed password" /var/log/auth.log                  # Linux
   Get-EventLog -LogName Security -InstanceId 4625           # Windows (PowerShell)
- Command Execution: Monitor suspicious process execution:
auditctl -a exit,always -F arch=b64 -S execve # Linux auditd
- Unauthorized Logins: Alert on unexpected IPs:
last -i # Check recent logins
4. LabShock Integration Steps
1. Deploy Tidal Collector to aggregate logs.
2. Use LabShock’s parsing rules to normalize EWS logs.
3. Set up alerts for critical events (e.g., multiple failed logins).
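The "Failed Logins" and "Unauthorized Logins" detections above, together with the "multiple failed logins" alert, can be turned into one check that runs over the forwarded auth.log stream. The script below is an added example, not part of LabShock or Tidal Collector; the log lines, the allow-list of jump hosts (`ALLOWED_SOURCES`) and the threshold of five attempts are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth.log lines in the syslog format rsyslog forwards
# from an EWS to the collector (not from a real system).
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:12 ews01 sshd[2211]: Failed password for operator from 10.10.20.5 port 51022 ssh2
Mar  3 10:01:15 ews01 sshd[2211]: Failed password for operator from 10.10.20.5 port 51023 ssh2
Mar  3 10:01:19 ews01 sshd[2213]: Failed password for invalid user admin from 10.10.20.5 port 51024 ssh2
Mar  3 10:01:22 ews01 sshd[2215]: Failed password for root from 10.10.20.5 port 51025 ssh2
Mar  3 10:01:25 ews01 sshd[2217]: Failed password for operator from 10.10.20.5 port 51026 ssh2
Mar  3 10:02:01 ews01 sshd[2220]: Accepted password for operator from 10.10.20.5 port 51030 ssh2
Mar  3 10:05:40 ews01 sshd[2301]: Accepted publickey for engineer from 10.10.30.12 port 40011 ssh2
Mar  3 10:06:02 ews01 sshd[2305]: Failed password for engineer from 10.10.30.12 port 40012 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")
ACCEPTED_RE = re.compile(r"Accepted (?:password|publickey) for (\S+) from (\d+\.\d+\.\d+\.\d+)")

# Hypothetical allow-list: engineering jump hosts permitted to log into the EWS.
ALLOWED_SOURCES = {"10.10.30.12"}
BRUTE_FORCE_THRESHOLD = 5  # failed attempts from one source before alerting

def analyze(log_text, allowed=ALLOWED_SOURCES, threshold=BRUTE_FORCE_THRESHOLD):
    """Return brute-force sources (attempt count, usernames tried) and
    successful logins from sources outside the allow-list."""
    failures = Counter()
    users_tried = defaultdict(set)
    unauthorized = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, src = m.groups()
            failures[src] += 1
            users_tried[src].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            user, src = m.groups()
            if src not in allowed:          # successful login from an unexpected IP
                unauthorized.append((user, src))
    brute = {src: {"attempts": n, "users": sorted(users_tried[src])}
             for src, n in failures.items() if n >= threshold}
    return {"brute_force": brute, "unauthorized_login": unauthorized}

if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_AUTH_LOG).items():
        print(kind, hits)
```

In the sample, the same source exceeds the failure threshold and then logs in successfully, so both alerts fire for 10.10.20.5; correlating the two is what distinguishes a completed brute-force from background noise.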
What Undercode Say
Agentless monitoring via rsyslog and LabShock reduces attack surfaces while maintaining operational efficiency. Key takeaways:
- Linux Commands: Use `journalctl`, `auditd`, and `fail2ban` for deeper analysis.
- Windows Commands: Leverage `Get-WinEvent` and Event Viewer filters for OT-specific events.
- Pro Tip: Combine network monitoring (e.g., Zeek/Suricata) with host logs for full visibility.
Expected Output:
- Centralized EWS logs in Tidal Collector.
- Real-time alerts for brute-force, command execution, and unauthorized access.
- Reduced reliance on vulnerable third-party agents.
Reported By: Zakharb Otsiem – Hackers Feeds