Sending Schneider Electric EcoStruxure Process Expert logs to Elastic


Collecting logs from Schneider Electric EcoStruxure Process Expert and sending them to Elastic could be a complex task due to this rather unique combination of log source and SIEM. In this post, we will take a look at how you can forward log data from Process Expert to Elastic using NXLog.

Schneider Electric EcoStruxure Process Expert

Process Expert is a scalable multi-engineering environment and distributed control system (DCS) from Schneider Electric. It is based on a client-server architecture that can easily adapt to the needs and scope of your plant. Process Expert provides numerous advantages, substantially reducing maintenance and engineering costs by centralizing its hardware and software configuration. It does not only reduce human error but also increases plant efficiency by simplifying installation and system design. Due to its unique model and multiuser environment, collaborating on projects is more concurrent, giving engineers the power to work on various tasks simultaneously.

The main components of Process Expert work together seamlessly to play an integral role in monitoring plant operation. The system server manages system data and client requests. The operation clients provide a user-friendly interface for monitoring system components during runtime, while the Engineering clients provide a user interface to access specific software resources. Virtual machines offer software participant services, and the database stores and manages user data.

Process Expert is used in the oil and gas, power generation, chemicals, water, and mining industries.

Collecting Process Expert logs

Process Expert provides valuable information about its operation from the logs it generates. Some of these logs are available through Windows Event Log and network monitoring, but most of them are in the format of flat files.

Due to the critical nature and scope of the systems Process Expert controls, there is no room for error. Its stable, uninterrupted operation is crucial for plant safety. However, this valuable information can sometimes remain hidden in the logs it collects due to excessive log noise. Another challenge is the lack of consistent log formats. The ability to parse data from various log formats is an absolute necessity.

NXLog Enterprise Edition is a lightweight, modular log collection tool capable of tackling the most complex cases log collection may pose. Due to its rich features, it can read almost any log format and parse fields to produce structured data for further processing. It is the perfect tool for monitoring and collecting Process Expert logs for these reasons.

Collecting Schneider Electric EcoStruxure Process Expert logs from Windows Event Log

Windows Event Log is the logging subsystem on the Windows platform. The logs generated by Process Expert include the Data Access log, sysInfo log, Servertrace log, and Communication log. NXLog can easily read and collect these events by specifying a Process Expert source name or event ID from the Application channel of Windows Event Log. A special, lightweight module that can natively read data from WEL provides this functionality.

Collecting Schneider Electric EcoStruxure Process Expert logs from file

Schneider Electric EcoStruxure Process Expert file-based logs include Server log, ServerTrace log, Engineering client log, and Operation log. These logs are stored in the C:\Users\<Username>\AppData\Roaming\Schneider Electric\Process Expert 2020 R2\Logs directory but do not follow a consistent formatting scheme. NXLog’s rich set of features can efficiently read and parse such file-based logs and reliably forward them to your preferred SIEM solution.

Schneider Electric EcoStruxure Process Expert network monitoring

NXLog can passively monitor network traffic and generate logs for most network protocols. This ability to log network communication from Schneider Electric EcoStruxure Process Expert, and integrated devices, can provide another valuable log source.

NXLog can also normalize and aggregate Schneider Electric EcoStruxure Process Expert logs. With its ability to collect logs from literally any file, in any format, NXLog is ideally suited for integrating with Process Expert’s wide variety of log types and file formats.

For more information on integrating NXLog with Schneider Electric EcoStruxure Process Expert, see the Schneider Electric EcoStruxure Process Expert integration guide.

The above-mentioned log sources and the features NXLog provides, all play an important role when normalizing logs in order to be accepted by Elastic.

Sending logs to Elastic

Elasticsearch is a search engine and document database for storing, searching, and analyzing log data that you can deploy locally. On the other hand, Elastic Cloud is a SaaS solution that adds value to Elastic with its cloud-native features, such as managed enterprise search, data visualization, and security.

NXLog can integrate with both products by collecting and sending logs or as a relay, aggregating logs it receives from various sources and forwarding them.

Elasticsearch logs

NXLog Enterprise Edition provides the om_elasticsearch output module that supports sending logs in bulk to Elasticsearch. With the NXLog Community Edition, the om_http module sends logs to Elasticsearch for low-volume logging scenarios. Because it sends a request to the Elasticsearch HTTP REST API for each event, HTTP request and response latency limit the maximum logging throughput.

Elastic Cloud logs

The Elasticsearch REST API is used to send logs to the Elastic cloud. For NXLog to connect to the API, it requires an API key, the Elasticsearch endpoint, and the Elastic Cloud CA certificate. These requirements are configured on the main menu under Management > Stack Management.

You can view the log records by logging in to your Elastic Cloud instance. Navigate to Analytics > Discover from the main menu, then select the relevant index pattern to display the data.

For more information on configuring NXLog and sending logs to Elasticsearch and Elastic Cloud respectively, please visit the Elasticsearch and Kibana and Elastic Cloud integration sections in the NXLog User Guide.

NXLog Ltd. develops multi-platform log collection tools that support many different log sources, formats, transports, and integrations. The tools help administrators collect, parse, and forward logs so they can more easily respond to security issues, investigate operational problems, and analyze event data. NXLog distributes the free and open source NXLog Community Edition and offers additional features and support with the NXLog Enterprise Edition.

This document is provided for informational purposes only and is subject to change without notice. Trademarks are the properties of their respective owners.