Collecting logs from Industrial Control Systems

Industrial Control Systems (ICS) is a generic term that refers to different types of control systems that operate and/or automate industrial processes. These systems consist of a combination of devices, software, and networks that together achieve an objective, such as manufacturing a product or the treatment of water.

SCADA (Supervisory Control and Data Acquisition) is the most significant subsystem of ICS that allows industrial organizations to:

  • control industrial processes locally or remotely

  • monitor, gather, and process real-time data

  • achieve high-performance data archiving

  • efficiently analyze process values (trends) and messages (alarm control)

  • interact with a wide range of devices using extended communication infrastructure

Industries that rely heavily on ICS include Oil and Gas, Pharmaceutical, Petrochemical, Food and Beverage, Manufacturing, Power, Recycling, Transportation, Water and Wastewater, Mining.

There are many providers of ICS solutions for various industries, some of which are Siemens, Schneider Electric, ABB, General Electric, Yokogawa, Honeywell, Emerson, and Rockwell Automation, just to name some of the larger ones.

What are the log sources?

Similar to other networked computer systems, an ICS generates a wide variety of logs. These logs provide important real-time information that can be used to determine the health and security of the system that generated them. Logs come in different formats, some are channeled through Windows Event Log, while others are saved in text files or databases. Capturing the network activity between ICS components also provides useful information on the state of the system.

Challenges in collecting logs from ICS

In Industrial Control Systems, the standardization and formatting of logs is not as mature as in conventional computer systems. It is common for a single system or component to generate a set of logs that are stored in the same directory, but are in a completely different formats. This poses a significant challenge when it comes to collect and process these logs. Yet another challenge is the widespread use of industry-specific network protocols (Modbus, PROFINET, BACNET, S7 Protocol, IEC 60870-5-104, IEC-61850, etc.) that a singe ICS might use for interacting with various devices.

How can NXLog meet these challenges?

NXLog is a versatile log collection solution capable of collecting logs from diverse sources on ICS and SCADA systems.

Collecting logs from Windows Event Log

Most ICS and SCADA systems provide logging through Windows Event Log. Each log source in Windows Event Log has a set of Event IDs associated with it. NXLog can filter and parse such logs based on Event IDs by using the im_msvistalog module, which collects logs using the native Windows Event Log API.

Collecting file-based logs

The majority of logs created by ICS and SCADA systems are text-based log files. NXLog provides the im_file module for collecting logs from files. This module has a vast number of configuration options, and together with the flexibility of the NXLog language, you can collect, parse, normalize, and forward any kind of log file created by an Industrial Control System.

With NXLog, you can also collect data from all major database systems, locally or remotely, with its im_odbc and im_dbi modules respectively. Additionally, NXLog can passively capture network traffic. The im_pcap module supports the major protocols used by ICS, such as Modbus, BACNET, S7 Protocol, IEC 60870-5-104, PROFINET, IEC-61850, DNP3, etc.

Currently supported ICS and SCADA systems

To see a detailed guide on how to collect logs from a specific ICS system, click on its logo below.

citect scada
simatic pcs7
ge digital
yokogawa fast tools
If you do not see your SCADA system here, it simply means that we have not gotten around to document it yet. However, you can still use NXLog to collect and process logs from it. If you would like to enquire about a specific SCADA system, please contact us and we would be happy to guide you.

Sending your ICS logs to their destination

This table contains links to documentation that will help you get started with sending logs from your SCADA system to your SIEM solution.

Source to collect logs from Destination to send logs to

Siemens Simatic PCS 7

IBM Qradar - Splunk - Graylog - Azure Sentinel

Schneider Electric Citect SCADA

IBM Qradar - Splunk - Graylog - Azure Sentinel

General Electric CIMPLICITY

IBM Qradar - Splunk - Graylog - Azure Sentinel


IBM Qradar - Splunk - Graylog - Azure Sentinel

If your preferred destination is not on the list, it simply means that we have not gotten around to document it yet. However, it is likely that NXLog can still send logs to it. If you would like to enquire about a specific destination, please contact us and we would be happy to guide you.

Aggregate ICS logs from multiple sources to any destination

With the highly configurable multiple input and output routing capabilities of NXLog, you can also set up a single NXLog agent to fulfill the most complex routing needs imaginable.

This highly simplified diagram of centralized logging shows that logs can be collected from different sources and forwarded to your SIEM or Log Analytics solution of choice.

scada diagram


NXLog Ltd. develops multi-platform log collection tools that support many different log sources, formats, transports, and integrations. The tools help administrators collect, parse, and forward logs so they can more easily respond to security issues, investigate operational problems, and analyze event data. NXLog distributes the free and open source NXLog Community Edition and offers additional features and support with the NXLog Enterprise Edition.

This document is provided for informational purposes only and is subject to change without notice. Trademarks are the properties of their respective owners.