Sending AVEVA System Platform logs to McAfee ESM

Share

Collecting logs from AVEVA System Platform and sending them to McAfee ESM could be complex because of the unique combination of the log source and the desired destination. This post will show you how to forward log data from AVEVA System Platform to McAfee ESM by incorporating the NXLog log collection tool.

AVEVA System Platform

AVEVA System Platform is a modular and scalable industrial software platform for software solutions focused on industrial automation and engineering personnel, including SCADA, HMI, IIoT, and Manufacturing Execution Systems (MES). AVEVA System Platform supports both the supervisory control layer and the manufacturing execution system (MES) layer, presenting them as a single information source.

Collecting AVEVA System Platform logs

AVEVA System Platform produces a wide variety of logs concerning its operations. Some of those logs are available through Windows Event Log and network monitoring, but most exist as flat files.

AVEVA System Platform controls systems of significant financial and security importance. In mission-critical settings, the timely collection and processing of AVEVA System Platform logs is crucial to the reliability and security of the systems it controls. Even a brief interruption of normal operations could result in catastrophic consequences. However, the sheer diversity of log formats and data structures, and the noise that some of these logs contain, pose severe challenges to most logging software.

NXLog Enterprise Edition is a lightweight, modular log collection tool capable of tackling the most challenging cases log collection may pose. Its rich features allow it to read almost any log format and parse fields to produce structured data for further processing. It is the perfect tool for monitoring and collecting AVEVA System Platform logs.

Collecting AVEVA System Platform logs from Windows Event Log

Many applications send their logs directly to Windows Event Log, the preferred logging facility on the Windows platform. AVEVA System Platform sends its diagnostic and security-related events, such as user authentication, the state of system components, record modifications, and information about various other services to Windows Event Log. Logs can be read and collected using an Event ID related to AVEVA System Platform or by a given source name.

Collecting AVEVA System Platform logs from file

File-based AVEVA System Platform logs include logs from:

  • ArchestrA system

  • ArchestrA Logger and Log Viewer

  • Historian Search

  • Historian Configuration Exporter error

  • InTouch Access Anywhere

  • License Server

Collecting AVEVA System Platform logs from database tables

AVEVA System Platform reads information from database tables and provides insights into internal components and process-related data such as tag data, process alarms, and process events. Logs are collected from the following databases:

  • System Monitor

  • Runtime

  • Holding

  • Alarm

  • Records from history blocks

AVEVA System Platform Network Monitoring

AVEVA System Platform supports open platform communications (OPC) functionality, SuiteLink, DDE/FastDDE, and ArchestrA Message Exchange. NXLog can passively monitor network traffic and generate logs for most network protocols.

The easiest way to collect and normalize AVEVA System Platform logs is by deploying NXLog. With its unique capabilities, logs can be collected from literally any file in any format. Given the wide variation in format and structure of such log files, its versatility is ideal for these systems.

For more information on integrating NXLog with AVEVA System Platform, see the AVEVA System Platform integration guide.

The sources mentioned above and NXLog’s features play an important role in normalizing logs accepted by McAfee ESM.

Sending logs to McAfee ESM

McAfee ESM is a SIEM solution that collects, processes, and correlates events for investigation and incident response. It offers real-time visibility into all activity on systems, networks, databases, and applications.

Log sources

A log source must be added for McAfee ESM to receive events from NXLog. ESM provides a long list of predefined log sources that it can accept, such as DHCP server logs, DNS debug logs, Windows Event Log, to name a few. Each log source type must have a corresponding data source (or parent source) configured in the ESM local receiver.

Forwarding logs

NXLog uses its om_tcp and om_ssl output modules to forward processed logs to McAfee ESM via TCP and TLS/SSL, respectively. TCP is suitable if ESM is installed on the local network, but if installed in the cloud, like in AWS, it is vital to use TLS/SSL for securing data that leaves the local network.

For more information on configuring NXLog and sending logs to McAfee ESM, see the McAfee Enterprise Security Manager (ESM) integration guide in the NXLog User Guide.

NXLog Ltd. develops multi-platform log collection tools that support many different log sources, formats, transports, and integrations. The tools help administrators collect, parse, and forward logs so they can more easily respond to security issues, investigate operational problems, and analyze event data. NXLog distributes the free and open source NXLog Community Edition and offers additional features and support with the NXLog Enterprise Edition.

This document is provided for informational purposes only and is subject to change without notice. Trademarks are the properties of their respective owners.