Collecting logs from General Electric CIMPLICITY and sending them to Graylog could be a complex task due to this rather unique combination log sources and destination. In this post, we will take a look at how you can forward log data from GE CIMPLICITY to Graylog using NXLog.
General Electric CIMPLICITY is a human-machine interface (HMI) and SCADA system solution based on a client-server architecture of servers and viewers. This architecture allows viewers to visualize data and control actions within plants located across the globe. The server’s primary function is to collect and distribute data. A viewer has full access to the data a server has collected once it has connected to that server. The ability to seamlessly network servers and viewers for the purpose of sharing data, configurations, and screens eliminates duplicate work and data. This efficient management of resources facilitates faster access to critical data needed for decision-making. Cimplicity is used in some of the largest manufacturing factories around the world.
CIMPLICITY produces a wide variety of logs about its operations. Some of the logs are available through Windows Event Log and network monitoring, but most of the logs are in the format of flat files.
Due to the critical nature and scope of the systems CIMPLICITY controls, there is no room for errors. Its stable, uninterrupted operation is crucial to plant safety. Although CIMPLICITY logs contain valuable information about the systems it controls, the relatively high level of log noise and the lack of a consistent log format present some challenges.
NXLog Enterprise Edition is a lightweight, modular log collection tool, capable of tackling the most demanding cases log collection may pose. Owing to its rich set of features, it can read almost any log format and parse fields to produce structured data for further processing. For these reasons, it is the perfect tool for monitoring and collecting CIMPLICITY logs.
- Logging and Archiving
CIMPLICITY provides a database logger which is capable of collecting, analyzing, and creating reports from a variety of ODBC (open database connectivity) complaint databases. You can create, configure, edit tables, and also specify when and what ODBC data source you would like to gather log events from, for any selected process.
- Collecting GE CIMPLICITY logs from Windows Event Log
Windows Event Log is the primary logging facility on the Windows platform. The logs CIMPLICITY services generate contain project log files, system log files, and web configuration services logs. Logs can be read and collected using an event id related to CIMPLICITY or by a given source name.
- Collecting GE CIMPLICITY logs from file
CIMPLICITY’s file-based logs include project status and system status logs, counters log files, protocol stack trace logs, as well as optional OPC client debug tracing. With CIMPLICITY Log Viewer’s powerful capabilities, you can view project status and system status log files in other formats including CSV, ASCII, or TXT.
- GE CIMPLICITY passive network monitoring
NXLog can passively monitor network traffic and generate logs for most network protocols. This ability to log network communication between servers and viewers can provide another valuable log source.
Data normalization and log aggregation are other features that NXLog can provide CIMPLICITY. With NXLog’s ability to collect logs from literally any file, in any format, it is ideally suited for integrating with CIMPLICITY’s wide variety of log types and file formats.
For more information on integrating NXLog with Cimplicity, see the General Electric CIMPLICITY integration guide.
The above mentioned log sources, and the features NXLog provides all play an important role when normalizing logs in order to be accepted by Graylog.
Graylog is a popular open source log collection tool that supports centralized log collection, data visualization, searching, and analysis. With its wide range of features, Graylog allows your security team to more effectively monitor the security of your IT infrastructure and to swiftly identify and act on security incidents.
To enable logs to be accepted by Graylog, from NXLog, you must first set up your appliance with the appropriate input source, in the Graylog web interface. This is done simply by navigating to system and then inputs. Here, you can establish if the input source is via UDP or TCP. However, if choosing to send logs over TLS (Transport Layer Security), you must configure your TLS certification file as well as your TLS private key file.
- Log sources
Setting up a generic log source in Graylog is important if you wish to send logs from a source that is not among Graylog’s list of predefined log sources. This can be achieved by sending logs to Graylog using GELF (Graylog Extended Log Format).
Forwarding logs to Graylog with NXlog is straightforward and can be accomplished by following simple configuration steps.