Sending Siemens SICAM SCC logs to Elastic

Collecting logs from Siemens SICAM SCC and sending them to Elastic could be complex because of the unique combination of the log source and the desired destination. This post will show you how to forward log data from SICAM SCC to Elastic by incorporating the NXLog log collection tool.


Siemens SICAM SCC or SICAM Station Control Center is a human-machine interface (HMI) for multiple power automation systems. Using various integrated communication drivers, SICAM SCC can communicate with SICAM PAS/PQS, SICAM RTUs, bay units, and protection devices that support IEC 61850/IEC 60870-5-104.

SICAM SCC system is scalable and offers efficient engineering for energy automation applications at utilities and industrial enterprises.

Collecting Siemens SICAM SCC logs

Siemens SICAM SCC produces a wide variety of logs concerning its operations. Some of those logs are available through Windows Event Log and network monitoring, but most exist as flat files.

Siemens SICAM SCC controls systems of significant financial and security importance. In mission-critical settings, the timely collection and processing of SICAM SCC logs is crucial to the reliability and security of the systems it controls. Even a brief interruption of normal operations could result in catastrophic consequences. However, the sheer diversity of log formats and data structures, and the noise that some of these logs contain, pose severe challenges to most logging software.

NXLog Enterprise Edition is a lightweight, modular log collection tool capable of tackling the most challenging cases log collection may pose. Its rich features allow it to read almost any log format and parse fields to produce structured data for further processing. It is the perfect tool for monitoring and collecting SICAM SCC logs.

Collecting Siemens SICAM SCC logs from Windows Event Log

Many applications send their logs directly to Windows Event Log, the preferred logging facility on the Windows platform. Siemens SICAM SCC sends its diagnostic and security-related events, such as user authentication, the state of system components, record modifications, and information about various other services, to Windows Event Log. Logs can be read and collected using an Event ID related to SICAM SCC or by a given source name.

Collecting Siemens SICAM SCC logs from file

File-based SICAM SCC logs include logs from:

  • Dynamic Alarm Filter Configuration trace log

  • Communication Connection trace log

  • Add-in trace log

  • Runtime Data Server trace log

  • Import/Export Wizard trace log

  • SICAM Global Wizard log, SICAM PAS Wizard log, SICAM IEC Wizard log

  • Import/Export Wizard log

  • Report log

Siemens SICAM SCC Network Monitoring

NXLog can passively monitor network traffic and generate logs for most network protocols. This ability to log network communication from Siemens SICAM SCC, and integrated devices, can provide another valuable log source.

The easiest way to collect and normalize Siemens SICAM SCC logs is by deploying NXLog. With its unique capabilities, logs can be collected from literally any file in any format. Given the wide variation in format and structure of such log files, its versatility is ideal for these systems.

For more information on integrating NXLog with Siemens SICAM SCC, see the Siemens SICAM SCC integration guide.

The sources mentioned above and NXLog’s features play an important role in normalizing logs accepted by Elastic.

Sending logs to Elastic

Elasticsearch is a search engine and document database for storing, searching, and analyzing log data that you can deploy locally. On the other hand, Elastic Cloud is a SaaS solution that adds value to Elastic with its cloud-native features, such as managed enterprise search, data visualization, and security.

NXLog can integrate with both products by collecting and sending logs or as a relay, aggregating logs it receives from various sources and forwarding them.

Elasticsearch logs

NXLog Enterprise Edition provides the om_elasticsearch output module that supports sending logs in bulk to Elasticsearch. With the NXLog Community Edition, the om_http module sends logs to Elasticsearch for low-volume logging scenarios. Because it sends a request to the Elasticsearch HTTP REST API for each event, HTTP request and response latency limit the maximum logging throughput.

Elastic Cloud logs

The Elasticsearch REST API is used to send logs to the Elastic cloud. For NXLog to connect to the API, it requires an API key, the Elasticsearch endpoint, and the Elastic Cloud CA certificate. These requirements are configured on the main menu under Management > Stack Management.

You can view the log records by logging in to your Elastic Cloud instance. Navigate to Analytics > Discover from the main menu, then select the relevant index pattern to display the data.

For more information on configuring NXLog and sending logs to Elasticsearch and Elastic Cloud respectively, please visit the Elasticsearch and Kibana and Elastic Cloud integration sections in the NXLog User Guide.

NXLog Ltd. develops multi-platform log collection tools that support many different log sources, formats, transports, and integrations. The tools help administrators collect, parse, and forward logs so they can more easily respond to security issues, investigate operational problems, and analyze event data. NXLog distributes the free and open source NXLog Community Edition and offers additional features and support with the NXLog Enterprise Edition.

This document is provided for informational purposes only and is subject to change without notice. Trademarks are the properties of their respective owners.