Industrial Control Systems (ICS) is a general term covering the devices, systems, networks, and controls used to operate and automate industrial processes, together with their related instrumentation. SCADA (Supervisory Control and Data Acquisition) is the largest ICS subsystem; it is designed to collect, analyze, and visualize data from industrial equipment.
Industries that rely heavily on ICS include transportation, manufacturing, energy, and water treatment, to mention a few. A number of large vendors, such as Siemens, Schneider Electric, General Electric, Yokogawa, and Honeywell, provide ICS solutions for these industries.
Similar to other networked computer systems, ICS generates a wide variety of logs in various formats. Some are channeled through Windows Event Log, some are saved in files and databases, while others might represent network activity logged by passive network monitoring. These logs provide important information, in real time, that can be used to determine the state, health, and security of the industrial systems that generated them.
In Industrial Control Systems, the standardization and formatting of logs are not as mature as in conventional computer systems. It is common for a single system or component to write several log files into the same directory, each in a completely different format, which makes collection and parsing a significant challenge. A further challenge is the widespread use of industry-specific network protocols that ICS components need in order to communicate with field devices, such as Modbus, BACnet, the S7 protocol, IEC 60870-5-104, PROFINET, and IEC 61850.
NXLog is a versatile log collection tool that can collect logs from the sources commonly found on ICS and SCADA systems. It provides native modules for each of the source types described below.
- Collecting logs from Windows Event Log
Most ICS and SCADA systems provide some logs through Windows Event Log. Each log source in Windows Event Log has a set of Event IDs associated with it. NXLog can filter and parse such logs based on Event IDs by using the im_msvistalog module which collects logs directly from Windows Event Log’s native API.
- Collecting file-based logs
The majority of logs created by ICS and SCADA systems are written to files. In NXLog, the im_file module is responsible for collecting logs from files. With its many configuration options and the flexibility of the NXLog language, you can collect, parse, normalize, and forward practically any log file format found in Industrial Control Systems.
With NXLog, you can also collect data from all major databases, either through ODBC with the im_odbc module or through libdbi with the im_dbi module. Likewise, NXLog can passively monitor network traffic: the im_pcap module decodes the major protocols used in ICS, such as Modbus, BACnet, the S7 protocol, IEC 60870-5-104, PROFINET, IEC 61850, and DNP3. Because im_pcap reads a copy of the traffic from a mirror port or network tap rather than sitting inline, it adds no latency to, and cannot interfere with, the control traffic itself.
To see a detailed guide on how to collect logs from a specific ICS system, click on its logo below.
If you do not see your SCADA system here, it does not mean you cannot collect logs from it with NXLog. It simply means that we have yet to document it. If you have a specific query, please contact us.
With the highly configurable routing of multiple inputs to multiple outputs in NXLog, a single NXLog agent can also be set up to cover complex routing requirements, for example forwarding the same events to a SIEM and to a local archive at once.
The simplified centralized logging diagram (not reproduced here) shows logs from multiple, different sources being collected and forwarded to the SIEM or analytics destination of your choice.
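The following configuration is an added example, not taken from the NXLog documentation or from any vendor's guide. It ties together the three collection points described above: Event ID filtering with im_msvistalog, parsing and normalizing a file-based SCADA log with im_file, and routing both streams to a SIEM and a local archive from one agent. The Windows event provider name `VENDOR-SCADA`, the Event IDs 1000 and 1001, the log path, the line format in the regular expression, and the SIEM address 10.0.0.5:1514 are all placeholders; replace them with the values for your own system.

```nxlog
# Added example: one NXLog agent on a Windows SCADA server collecting
# Windows Event Log entries and a vendor text log, then routing both.
# All provider names, Event IDs, paths and addresses are placeholders.

<Extension _json>
    Module      xm_json
</Extension>

# 1. Windows Event Log, filtered by Event ID at the API level so that
#    unwanted events are never read into the agent at all.
<Input win_events>
    Module      im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <!-- Hypothetical provider and Event IDs; adjust to your vendor -->
                <Select Path="Application">
                    *[System[Provider[@Name='VENDOR-SCADA'] and (EventID=1000 or EventID=1001)]]
                </Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Tag the stream so the SIEM can tell the two sources apart.
    Exec        $SourceType = 'windows_eventlog';
</Input>

# 2. File-based log in a vendor-specific format, e.g. (constructed sample):
#    2024-03-01 12:00:05 WARN PLC-07 Tag FLOW_1 out of range: 812
#    Lines that do not match are kept, not dropped, and marked unparsed.
<Input scada_files>
    Module      im_file
    File        'C:\SCADA\logs\*.log'
    <Exec>
        $SourceType = 'scada_textlog';
        $Hostname   = hostname_fqdn();
        if $raw_event =~ /^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+) (\S+) (.*)$/
        {
            $EventTime = parsedate($1);
            $Severity  = $2;
            $Device    = $3;
            $Message   = $4;
        }
        else
        {
            $ParseStatus = 'unparsed';
        }
    </Exec>
</Input>

# 3a. Forward to the SIEM as JSON over TCP (placeholder address).
<Output siem>
    Module      om_tcp
    Host        10.0.0.5
    Port        1514
    Exec        to_json();
</Output>

# 3b. Keep a local JSON copy so nothing is lost if the SIEM link is down.
<Output local_archive>
    Module      om_file
    File        'C:\ProgramData\nxlog\data\ics-events.json'
    Exec        to_json();
</Output>

# 4. One route fans both inputs out to both outputs.
<Route ics_to_siem>
    Path        win_events, scada_files => siem, local_archive
</Route>
```

Two points are worth checking when adapting this. First, confirm the Windows channel and provider name with Event Viewer (or `Get-WinEvent -ListProvider`) before writing the XPath, since a wrong provider name silently matches nothing. Second, keep the `else` branch that marks unmatched lines rather than calling `drop()`: an unexpected format change in a vendor log is exactly the kind of event you want to notice, not discard.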