Sending Siemens SIMATIC PCS 7 logs to Sumo Logic

Share

Collecting logs from Siemens SIMATIC PCS 7 and sending them to Sumo Logic can be complex because of the unique combination of the log source and the desired destination. This post will show you how to forward log data from SIMATIC PCS 7 to Sumo Logic using the NXLog log collection agent.

Siemens SIMATIC PCS 7

Siemens SIMATIC PCS 7 is a distributed control system (DCS) solution that uses many Siemens hardware components supported and configured by PCS 7 software tools. Deployments usually consist of Engineering stations (ES), Operating stations (OS), and Automation stations (AS). The PCS 7 AS features the Siemens SIMATIC S7-400 series central processing unit, designed to automate plants requiring many I/O signals and control loops. SIMATIC PCS 7 is commonly used for automation tasks in various industrial sectors such as chemicals, petrochemicals, water treatment, pharmaceuticals, and power generation.

SCADA systems and Siemens have a couple of things in common: they employ a variety of network protocols to facilitate communication between various types of nodes (physical computers, CPUs, distributed I/Os, and field devices) and SCADA for storing data. Consequently, both solutions are firmly integrated within corporate networks where such nodes are typically deployed.

Collecting SIMATIC PCS 7 logs

SIMATIC PCS 7 produces a wide variety of operational logs. Some are sent to Windows Event Log, but most are stored as flat files.

SIMATIC PCS 7 controls systems that are of significant financial and security importance. In mission-critical settings, the timely collection and processing of SIMATIC PCS 7 logs is crucial to the reliability and security of the systems it controls. However, the sheer diversity of log formats and data structures and the noise that some of these logs contain pose severe challenges to most logging software. A brief interruption of normal operations could result in catastrophic consequences.

NXLog Enterprise Edition is a lightweight, modular log collection tool capable of tackling the most demanding cases log collection may pose. Its features enable it to parse, filter, process, aggregate, and output logs in any structured data format that a SIEM might require. Given its perfect balance of functionality and performance, it is the best choice for collecting and processing SIMATIC PCS 7 logs.

Collecting SIMATIC PCS 7 logs from Windows Event Log

Many applications send their logs directly to Windows Event Log, the preferred logging facility on the Windows platform. SIMATIC PCS 7 sends its PC station, NET configuration, adapter operation-related information, and information about various other services to Windows Event Log.

Collecting SIMATIC PCS 7 logs from file

File-based PCS7 logs include WinCC system diagnostics logs, SQL Server logs of WinCC, OS project logs, AS project logs, Multi-project logs, and Batch logs coming from Automation, Engineering, and Operator stations.

The easiest way to collect and normalize Siemens SIMATIC PCS 7 log data is by deploying NXLog. With its unique capabilities, logs can be collected from literally any file in any format. Given the wide variation in format and structure of such log files, its versatility is ideal for these systems.

For more information on integrating NXLog with SIMATIC PCS 7, see the Siemens SIMATIC PCS 7 integration guide.

The sources mentioned above and NXLog’s features play a vital role when normalizing logs accepted by Sumo Logic.

Sending logs to Sumo Logic

Sumo Logic is a real-time SaaS platform that collects, manages, and analyzes log data while securing cloud-scale applications. NXLog can be configured to send log data to Sumo Logic in syslog format over TCP or via a custom HTTP endpoint. It can also be configured to send host metrics via HTTP.

Data collection

Sumo Logic accepts data from two types of collectors, installed or hosted. Installed collectors are set up by installing agent software provided by Sumo Logic, whereas hosted collectors are used to send data over TCP or HTTP(S) from agents like NXLog.

Sending logs using TCP

Sumo Logic accepts log data as syslog messages in IETF (RFC 5424) format and requires sending data using TLS v1.2 over TCP. A Cloud Syslog Source must be created in Sumo Logic to use this method. Syslog messages should fully comply with RFC 5424 guidelines, otherwise Sumo Logic will drop them. Also, it should be noted that messages larger than 64 KB will be truncated.

Sending logs using HTTPS

Logs and host metrics can be sent to Sumo Logic over HTTP(S) using a unique URL generated for each source. An HTTP Logs & Metrics Source must be created in Sumo Logic for NXLog to be able to send data over HTTPS.

Sumo Logic supports metrics in the Graphite, Carbon 2.0, and Prometheus formats. NXLog can be configured to convert data into practically any desired format. It can read and convert the data to another format on the fly while forwarding, without the need to create a temporary file.

For more information on configuring NXLog and sending logs to Sumo Logic, see the Sumo Logic integration guide in the NXLog User Guide.

NXLog Ltd. develops multi-platform log collection tools that support many different log sources, formats, transports, and integrations. The tools help administrators collect, parse, and forward logs so they can more easily respond to security issues, investigate operational problems, and analyze event data. NXLog distributes the free and open source NXLog Community Edition and offers additional features and support with the NXLog Enterprise Edition.

This document is provided for informational purposes only and is subject to change without notice. Trademarks are the properties of their respective owners.