Collecting logs from Industrial Control Systems

Industrial Control Systems (ICS) is a general name that is used to characterize different types of industrial control systems and their related instrumentation. It includes the devices, systems, networks, and controls used to operate and/or automate industrial processes. SCADA (Supervisory Control and Data Acquisition) is the largest subsystem of ICS which was designed to collect, analyze, and visualize data from industrial equipment.

The industries that rely heavily on ICS are transportation, manufacturing, energy, and water treatment industries to mention a few. There are a number of large companies—​like Siemens, Schneider Electric, General Electric, Yokogawa, and Honeywell—​that provide ICS solutions for various industries.

What are the log sources?

Similar to other networked computer systems, ICS generates a wide variety of logs in various formats. Some are channeled through Windows Event Log, some are saved in files and databases, while others might represent network activity logged by passive network monitoring. These logs provide important information, in real time, that can be used to determine the state, health, and security of the industrial systems that generated them.

Challenges in logging from ICS

In Industrial Control Systems, the standardization and formatting of logs are not as mature as in conventional computer systems. This can pose a significant challenge when it is common for a single system or component to generate a set of logs that are stored in the same directory, but the log files have completely different formats. Yet another challenge is the widespread use of industry-specific network protocols ICS needs for communicating with various devices such as Modbus, BACNET, S7 Protocol, IEC 60870-5-104, PROFINET, and IEC-61850.

How can NXLog meet these challenges?

NXLog is a versatile log collection tool capable of collecting logs from all possible sources on ICS and SCADA systems. It supports native log collection from all of the sources you find in Industrial Control Systems.

Collecting logs from Windows Event Log

Most ICS and SCADA systems provide some logs through Windows Event Log. Each log source in Windows Event Log has a set of Event IDs associated with it. NXLog can filter and parse such logs based on Event IDs by using the im_msvistalog module which collects logs directly from Windows Event Log’s native API.

Collecting file-based logs

The majority logs created by ICS and SCADA systems are logs as files. In NXLog, the im_file module is responsible for collecting logs from files. With the help of its vast number of configuration options, and the flexibility of the NXLog language, you can collect, parse, normalize and forward literally any log file found in Industrial Control Systems.

With NXLog, you can also collect data from all major databases locally or externally with its im_odbc and im_dbi modules respectively. Likewise, NXLog can passively monitor network traffic. The im_pcap module supports the major protocols used in ICS, such as Modbus, BACNET, S7 Protocol, IEC 60870-5-104, PROFINET, IEC-61850, DNP3, etc.

Currently supported ICS and SCADA systems

To see a detailed guide on how to collect logs from a specific ICS system, click on its logo below.

citect scada
simatic pcs7
ge digital
yokogawa fast tools
If you do not see your SCADA system here, it does not mean you cannot collect logs from it with NXLog. It simply means that we have yet to document it. If you have a specific query, please contact us.

Aggregate ICS logs from multiple sources to any destination

With the highly configurable multiple input and output routing capabilities of NXLog, you can also set up a single NXLog agent to fulfill the most complex routing needs imaginable.

This highly simplified diagram of centralized logging shows logs from multiple and different sources can be collected and forwarded to a preference of your SIEM or Analytics destination.

scada diagram


NXLog Ltd. develops multi-platform log collection tools that support many different log sources, formats, transports, and integrations. The tools help administrators collect, parse, and forward logs so they can more easily respond to security issues, investigate operational problems, and analyze event data. NXLog distributes the free and open source NXLog Community Edition and offers additional features and support with the NXLog Enterprise Edition.

This document is provided for informational purposes only and is subject to change without notice. Trademarks are the properties of their respective owners.