Collecting logs from Siemens SIMATIC PCS 7 and sending them to Microsoft Azure Sentinel could be a complex task because of the unique combination of log source and the desired destination. In this post we will take a look at how you can forward log data from Siemens SIMATIC PCS 7 to Microsoft Azure Sentinel by incorporating the NXLog log collection tool.
Siemens SIMATIC PCS 7 is a distributed control system (DCS) solution that uses many Siemens hardware components supported and configured by PCS 7 software tools. Deployments usually consist of Engineering stations (ES), Operating stations (OS), and Automation stations (AS). The PCS 7 AS features the Siemens SIMATIC S7-400 series central processing unit, designed to automate plants requiring many I/O signals and control loops. SIMATIC PCS 7 is commonly used for automation tasks in various industrial sectors such as chemicals, petrochemicals, water treatment, pharmaceuticals, and power generation.
SCADA systems and Siemens have a couple of things in common: they employ a variety of network protocols to facilitate communication between various types of nodes (physical computers, CPUs, distributed I/Os, and field devices) and SCADA for storing data. Consequently, both solutions are firmly integrated within corporate networks where such nodes are typically deployed.
SIMATIC PCS 7 produces a wide variety of operational logs. Some are sent to Windows Event Log, but most are stored as flat files.
SIMATIC PCS 7 controls systems that are of significant financial and security importance. In mission-critical settings, the timely collection and processing of SIMATIC PCS 7 logs is crucial to the reliability and security of the systems it controls. However, the sheer diversity of log formats and data structures and the noise that some of these logs contain pose severe challenges to most logging software. A brief interruption of normal operations could result in catastrophic consequences.
NXLog Enterprise Edition is a lightweight, modular log collection tool capable of tackling the most demanding cases log collection may pose. Its features enable it to parse, filter, process, aggregate, and output logs in any structured data format that a SIEM might require. Given its perfect balance of functionality and performance, it is the best choice for collecting and processing SIMATIC PCS 7 logs.
- Collecting SIMATIC PCS 7 logs from Windows Event Log
Many applications send their logs directly to Windows Event Log, the preferred logging facility on the Windows platform. SIMATIC PCS 7 sends its PC station, NET configuration, adapter operation-related information, and information about various other services to Windows Event Log.
- Collecting SIMATIC PCS 7 logs from file
File-based PCS7 logs include WinCC system diagnostics logs, SQL Server logs of WinCC, OS project logs, AS project logs, Multi-project logs, and Batch logs coming from Automation, Engineering, and Operator stations.
The easiest way to collect and normalize Siemens SIMATIC PCS 7 log data is by deploying NXLog. With its unique capabilities, logs can be collected from literally any file in any format. Given the wide variation in format and structure of such log files, its versatility is ideal for these systems.
For more information on integrating NXLog with SIMATIC PCS 7, see the Siemens SIMATIC PCS 7 integration guide.
The above mentioned log sources, and the features NXLog provides all play an important role when normalizing logs in order to be accepted by Microsoft Azure Sentinel.
Azure Sentinel is a SIEM solution offered as a scalable, cloud-native, service within Microsoft Azure. Its main features are security analytics, alert detection, threat intelligence, and threat response. With the comprehensive view of your enterprise’s network security environment that it provides, the response time needed to assess and respond to possible security threats can be greatly reduced.
- Log sources
To forward logs to Azure Sentinel from NXLog you should already have a Microsoft Azure Sentinel subscription. Then, you can create a Log Analytics workspace for storing your log data, queries, and functions. By configuring NXLog with your Log Analytics workspace ID, your primary (or secondary) key, and a table name for storing the logs, it can connect to Azure Sentinel, convert any log source on the fly to the format Azure Monitor requires, and finally send the log data securely for ingestion as custom log events. Using the Azure Sentinel dashboard, you can view those ingested events by navigating to General > Overview > Logs. Under the Tables tab, your custom logs will appear with the same table name you chose while configuring NXLog.
Forwarding logs to Azure Sentinel is straightforward with NXLog. All it takes is following a few simple configuration steps.