Collecting logs from General Electric CIMPLICITY and sending them to Microsoft Azure Sentinel could be a complex task due to this rather unique combination log sources and destination. In this post, we will take a look at how you can forward log data from GE CIMPLICITY to Microsoft Azure Sentinel using NXLog.
General Electric CIMPLICITY
General Electric CIMPLICITY is a human-machine interface (HMI) and SCADA system solution based on a client-server architecture of servers and viewers. This architecture allows viewers to visualize data and control actions within plants located across the globe. The server’s primary function is to collect and distribute data. A viewer has full access to the data a server has collected once it has connected to that server. The ability to seamlessly network servers and viewers for the purpose of sharing data, configurations, and screens eliminates duplicate work and data. This efficient management of resources facilitates faster access to critical data needed for decision-making. Cimplicity is used in some of the largest manufacturing factories around the world.
Collecting GE CIMPLICITY logs
CIMPLICITY produces a wide variety of logs about its operations. Some of the logs are available through Windows Event Log and network monitoring, but most of the logs are in the format of flat files.
Due to the critical nature and scope of the systems CIMPLICITY controls, there is no room for errors. Its stable, uninterrupted operation is crucial to plant safety. Although CIMPLICITY logs contain valuable information about the systems it controls, the relatively high level of log noise and the lack of a consistent log format present some challenges.
NXLog Enterprise Edition is a lightweight, modular log collection tool, capable of tackling the most demanding cases log collection may pose. Owing to its rich set of features, it can read almost any log format and parse fields to produce structured data for further processing. For these reasons, it is the perfect tool for monitoring and collecting CIMPLICITY logs.
- Logging and Archiving
-
CIMPLICITY provides a database logger which is capable of collecting, analyzing, and creating reports from a variety of ODBC (open database connectivity) complaint databases. You can create, configure, edit tables, and also specify when and what ODBC data source you would like to gather log events from, for any selected process.
- Collecting GE CIMPLICITY logs from Windows Event Log
-
Windows Event Log is the primary logging facility on the Windows platform. The logs CIMPLICITY services generate contain project log files, system log files, and web configuration services logs. Logs can be read and collected using an event id related to CIMPLICITY or by a given source name.
- Collecting GE CIMPLICITY logs from file
-
CIMPLICITY’s file-based logs include project status and system status logs, counters log files, protocol stack trace logs, as well as optional OPC client debug tracing. With CIMPLICITY Log Viewer’s powerful capabilities, you can view project status and system status log files in other formats including CSV, ASCII, or TXT.
- GE CIMPLICITY passive network monitoring
-
NXLog can passively monitor network traffic and generate logs for most network protocols. This ability to log network communication between servers and viewers can provide another valuable log source.
Data normalization and log aggregation are other features that NXLog can provide CIMPLICITY. With NXLog’s ability to collect logs from literally any file, in any format, it is ideally suited for integrating with CIMPLICITY’s wide variety of log types and file formats.
For more information on integrating NXLog with Cimplicity, see the General Electric CIMPLICITY integration guide.
The above mentioned log sources, and the features NXLog provides all play an important role when normalizing logs in order to be accepted by Microsoft Azure Sentinel.
Sending logs to Microsoft Azure Sentinel
Azure Sentinel is a SIEM solution offered as a scalable, cloud-native, service within Microsoft Azure. Its main features are security analytics, alert detection, threat intelligence, and threat response. With the comprehensive view of your enterprise’s network security environment that it provides, the response time needed to assess and respond to possible security threats can be greatly reduced.
- Log sources
-
To forward logs to Azure Sentinel from NXLog you should already have a Microsoft Azure Sentinel subscription. Then, you can create a Log Analytics workspace for storing your log data, queries, and functions. By configuring NXLog with your Log Analytics workspace ID, your primary (or secondary) key, and a table name for storing the logs, it can connect to Azure Sentinel, convert any log source on the fly to the format Azure Monitor requires, and finally send the log data securely for ingestion as custom log events. Using the Azure Sentinel dashboard, you can view those ingested events by navigating to General > Overview > Logs. Under the Tables tab, your custom logs will appear with the same table name you chose while configuring NXLog.
Forwarding logs to Azure Sentinel is straightforward with NXLog. All it takes is following a few simple configuration steps.