Sending Schneider Citect SCADA logs to Solarwinds Loggly

Share

Collecting logs from Schneider Citect SCADA and sending them to Solarwinds Loggly could be complex because of the unique combination of the log source and the desired destination. In this post, we will look at how you can forward log data from Schneider Citect SCADA to Loggly by incorporating the NXLog log collection tool.

Schneider Citect SCADA

Citect SCADA is a Supervisory Control and Data Acquisition solution from Schneider Electric that is typically deployed in the manufacturing industry for monitoring and controlling production equipment and the delivery of utilities. Citect SCADA can monitor your operational systems in real time and retrieve important plant-related data since it is the primary user interface in your production environment. It is used in large manufacturing plants as well as smaller facilities for analyzing data using enhanced configuration capabilities.

Collecting Citect SCADA logs

Citect SCADA produces a wide variety of logs about its operation. Some of these logs are maintained in Windows Event Log, but most are available only as flat files.

Due to the critical nature and scope of the systems Citect SCADA controls, there is no room for error. Its stable, uninterrupted operation is crucial to plant safety. Although the logs Citect SCADA generates contain valuable information about the systems it controls, the relatively high level of log noise and the lack of a consistent log format present some challenges.

NXLog Enterprise Edition is a lightweight, modular log collection tool capable of tackling the most demanding cases log collection may pose. Its rich features allow it to read almost any log format and parse fields to produce structured data for further processing. It is the perfect tool for monitoring and collecting Citect SCADA logs.

Collecting Citect SCADA logs from Windows Event Log

Windows Event Log is the primary logging facility on the Windows platform. The logs Citect SCADA generates contain driver traffic, updates, and system-related information. Citect SCADA creates two separate Windows Event Log entries for Schneider Electric: SUT Service for Schneider Electric software updates and Runtime Manager logs. It can also read data directly from the Schneider Electric SUT Service source.

Collecting Citect SCADA logs from file

File-based Citect SCADA logs include changelog, syslog, tracelog, and software update logs. These logs are stored in the C:\ProgramData\Schneider Electric\Citect SCADA 2018\Logs directory and, in most cases, do not follow a consistent formatting scheme.

Network Monitoring on Citect SCADA

NXLog has a unique feature that enables it to collect events from the communication channels between Citect SCADA devices and other computers on the network. NXLog’s passive monitoring of network traffic along with its ability to monitor most network protocols commonly used by SCADA systems, and generate logs from such network activity, make it a valuable logging tool when used with Citect SCADA.

The easiest way to collect and normalize Citect SCADA log data is to use NXLog. With its unique capabilities, it can collect logs from literally any file in any format. Given the wide variation in format and structure of such log files, NXLog is ideally suited for these systems.

For more information on integrating NXLog with Citect SCADA, see the Schneider Electric Citect SCADA integration guide.

The sources mentioned above and NXLog’s features play an important role in normalizing logs accepted by Solarwinds Loggly.

Sending logs to Solarwinds Loggly

Solarwinds Loggly is a cloud-based log analysis and monitoring service that provides complete visibility of log data from different sources. NXLog can be configured to send log data to Loggly in syslog format over TCP or via the Loggly API using HTTP(S).

Loggly customer token

Loggly requires a customer token to be included with each event sent to its service. This token is an alpha-numeric string generated when creating a Loggly account. You can find your token on the Logs > Source Setup > Customer Tokens page of the web interface.

Sending logs using TCP

Syslog is the most common way to send data to Loggly. The customer token and any custom tags need to be included in the structured data section of the syslog message. Logs can be sent securely to Loggly using TLS encryption. The Loggly certificate file must be downloaded and placed in a location that NXLog can access.

Sending logs using HTTPS

As part of their API, Loggly provides two HTTP(S) endpoints that accept log data, one for sending single log records and another for sending logs in batches. Data can be sent as plaintext, JSON, or any log format supported by Loggly’s automated parsing. When logs are sent over HTTPS, the Loggly customer token and any custom tags must be included in the URL. The Loggly certificate file must be downloaded and placed in a location that NXLog can access.

For more information on configuring NXLog and sending logs to Solarwinds Loggly, see the Solarwinds Loggly integration guide in the NXLog User Guide.

NXLog Ltd. develops multi-platform log collection tools that support many different log sources, formats, transports, and integrations. The tools help administrators collect, parse, and forward logs so they can more easily respond to security issues, investigate operational problems, and analyze event data. NXLog distributes the free and open source NXLog Community Edition and offers additional features and support with the NXLog Enterprise Edition.

This document is provided for informational purposes only and is subject to change without notice. Trademarks are the properties of their respective owners.