Collecting logs from General Electric CIMPLICITY and sending them to McAfee ESM could be complex due to this unique combination of log sources and destination SIEM. In this post, we will look at how you can forward log data from GE CIMPLICITY to McAfee ESM using NXLog.
General Electric CIMPLICITY is a human-machine interface (HMI) and SCADA system solution based on a client-server architecture of servers and viewers. This architecture allows viewers to visualize data and control actions within plants located across the globe. The server’s primary function is to collect and distribute data. A viewer has full access to the data a server has collected once it has connected to that server. The ability to seamlessly network servers and viewers for the purpose of sharing data, configurations, and screens eliminates duplicate work and data. This efficient management of resources facilitates faster access to critical data needed for decision-making. Cimplicity is used in some of the largest manufacturing factories around the world.
CIMPLICITY produces a wide variety of logs about its operations. Some of the logs are available through Windows Event Log and network monitoring, but most of the logs are in the format of flat files.
Due to the critical nature and scope of the systems CIMPLICITY controls, there is no room for errors. Its stable, uninterrupted operation is crucial to plant safety. Although CIMPLICITY logs contain valuable information about the systems it controls, the relatively high level of log noise and the lack of a consistent log format present some challenges.
NXLog Enterprise Edition is a lightweight, modular log collection tool, capable of tackling the most demanding cases log collection may pose. Owing to its rich set of features, it can read almost any log format and parse fields to produce structured data for further processing. For these reasons, it is the perfect tool for monitoring and collecting CIMPLICITY logs.
- Logging and Archiving
CIMPLICITY provides a database logger which is capable of collecting, analyzing, and creating reports from a variety of ODBC (open database connectivity) complaint databases. You can create, configure, edit tables, and also specify when and what ODBC data source you would like to gather log events from, for any selected process.
- Collecting GE CIMPLICITY logs from Windows Event Log
Windows Event Log is the primary logging facility on the Windows platform. The logs CIMPLICITY services generate contain project log files, system log files, and web configuration services logs. Logs can be read and collected using an event id related to CIMPLICITY or by a given source name.
- Collecting GE CIMPLICITY logs from file
CIMPLICITY’s file-based logs include project status and system status logs, counters log files, protocol stack trace logs, as well as optional OPC client debug tracing. With CIMPLICITY Log Viewer’s powerful capabilities, you can view project status and system status log files in other formats including CSV, ASCII, or TXT.
- GE CIMPLICITY passive network monitoring
NXLog can passively monitor network traffic and generate logs for most network protocols. This ability to log network communication between servers and viewers can provide another valuable log source.
Data normalization and log aggregation are other features that NXLog can provide CIMPLICITY. With NXLog’s ability to collect logs from literally any file, in any format, it is ideally suited for integrating with CIMPLICITY’s wide variety of log types and file formats.
For more information on integrating NXLog with Cimplicity, see the General Electric CIMPLICITY integration guide.
The log sources mentioned above and NXLog’s features play an important role in normalizing logs accepted by McAfee ESM.
McAfee ESM is a SIEM solution that collects, processes, and correlates events for investigation and incident response. It offers real-time visibility into all activity on systems, networks, databases, and applications.
- Log sources
A log source must be added for McAfee ESM to receive events from NXLog. ESM provides a long list of predefined log sources that it can accept, such as DHCP server logs, DNS debug logs, Windows Event Log, to name a few. Each log source type must have a corresponding data source (or parent source) configured in the ESM local receiver.
- Forwarding logs
NXLog uses its om_tcp and om_ssl output modules to forward processed logs to McAfee ESM via TCP and TLS/SSL, respectively. TCP is suitable if ESM is installed on the local network, but if installed in the cloud, like in AWS, it is vital to use TLS/SSL for securing data that leaves the local network.
For more information on configuring NXLog and sending logs to McAfee ESM, see the McAfee Enterprise Security Manager (ESM) integration guide in the NXLog User Guide.