Collecting logs from Siemens SIMATIC PCS 7 and sending them to McAfee ESM can be a complex task because of the unique combination of the log source and the desired destination. In this post, we will take you through the process of forwarding log data from SIMATIC PCS 7 to ESM using the NXLog log collection agent.
Siemens SIMATIC PCS 7 is a distributed control system (DCS) solution that uses many Siemens hardware components supported and configured by PCS 7 software tools. Deployments usually consist of Engineering stations (ES), Operating stations (OS), and Automation stations (AS). The PCS 7 AS features the Siemens SIMATIC S7-400 series central processing unit, designed to automate plants requiring many I/O signals and control loops. SIMATIC PCS 7 is commonly used for automation tasks in various industrial sectors such as chemicals, petrochemicals, water treatment, pharmaceuticals, and power generation.
SCADA systems and Siemens have a couple of things in common: they employ a variety of network protocols to facilitate communication between various types of nodes (physical computers, CPUs, distributed I/Os, and field devices) and SCADA for storing data. Consequently, both solutions are firmly integrated within corporate networks where such nodes are typically deployed.
SIMATIC PCS 7 produces a wide variety of operational logs. Some are sent to Windows Event Log, but most are stored as flat files.
SIMATIC PCS 7 controls systems that are of significant financial and security importance. In mission-critical settings, the timely collection and processing of SIMATIC PCS 7 logs is crucial to the reliability and security of the systems it controls. However, the sheer diversity of log formats and data structures and the noise that some of these logs contain pose severe challenges to most logging software. A brief interruption of normal operations could result in catastrophic consequences.
NXLog Enterprise Edition is a lightweight, modular log collection tool capable of tackling the most demanding cases log collection may pose. Its features enable it to parse, filter, process, aggregate, and output logs in any structured data format that a SIEM might require. Given its perfect balance of functionality and performance, it is the best choice for collecting and processing SIMATIC PCS 7 logs.
- Collecting SIMATIC PCS 7 logs from Windows Event Log
Many applications send their logs directly to Windows Event Log, the preferred logging facility on the Windows platform. SIMATIC PCS 7 sends its PC station, NET configuration, adapter operation-related information, and information about various other services to Windows Event Log.
- Collecting SIMATIC PCS 7 logs from file
File-based PCS7 logs include WinCC system diagnostics logs, SQL Server logs of WinCC, OS project logs, AS project logs, Multi-project logs, and Batch logs coming from Automation, Engineering, and Operator stations.
The easiest way to collect and normalize Siemens SIMATIC PCS 7 log data is by deploying NXLog. With its unique capabilities, logs can be collected from literally any file in any format. Given the wide variation in format and structure of such log files, its versatility is ideal for these systems.
For more information on integrating NXLog with SIMATIC PCS 7, see the Siemens SIMATIC PCS 7 integration guide.
The sources mentioned above and NXLog’s features play a vital role when normalizing logs to be accepted by McAfee ESM.
McAfee ESM is a SIEM solution that collects, processes, and correlates events for investigation and incident response. It offers real-time visibility into all activity on systems, networks, databases, and applications.
- Log sources
A log source must be added for McAfee ESM to receive events from NXLog. ESM provides a long list of predefined log sources that it can accept, such as DHCP server logs, DNS debug logs, Windows Event Log, to name a few. Each log source type must have a corresponding data source (or parent source) configured in the ESM local receiver.
- Forwarding logs
NXLog uses its om_tcp and om_ssl output modules to forward processed logs to McAfee ESM via TCP and TLS/SSL, respectively. TCP is suitable if ESM is installed on the local network, but if installed in the cloud, like in AWS, it is vital to use TLS/SSL for securing data that leaves the local network.
For more information on configuring NXLog and sending logs to McAfee ESM, see the McAfee Enterprise Security Manager (ESM) integration guide in the NXLog User Guide.