Collecting logs from Siemens SIMATIC PCS 7 and sending them to Sumo Logic can be complex because of the unique combination of the log source and the desired destination. This post will show you how to forward log data from SIMATIC PCS 7 to Sumo Logic using the NXLog log collection agent.
Siemens SIMATIC PCS 7 is a distributed control system (DCS) solution that uses many Siemens hardware components supported and configured by PCS 7 software tools. Deployments usually consist of Engineering stations (ES), Operating stations (OS), and Automation stations (AS). The PCS 7 AS features the Siemens SIMATIC S7-400 series central processing unit, designed to automate plants requiring many I/O signals and control loops. SIMATIC PCS 7 is commonly used for automation tasks in various industrial sectors such as chemicals, petrochemicals, water treatment, pharmaceuticals, and power generation.
SCADA systems and Siemens have a couple of things in common: they employ a variety of network protocols to facilitate communication between various types of nodes (physical computers, CPUs, distributed I/Os, and field devices) and SCADA for storing data. Consequently, both solutions are firmly integrated within corporate networks where such nodes are typically deployed.
SIMATIC PCS 7 produces a wide variety of operational logs. Some are sent to Windows Event Log, but most are stored as flat files.
SIMATIC PCS 7 controls systems that are of significant financial and security importance. In mission-critical settings, the timely collection and processing of SIMATIC PCS 7 logs is crucial to the reliability and security of the systems it controls. However, the sheer diversity of log formats and data structures and the noise that some of these logs contain pose severe challenges to most logging software. A brief interruption of normal operations could result in catastrophic consequences.
NXLog Enterprise Edition is a lightweight, modular log collection tool capable of tackling the most demanding cases log collection may pose. Its features enable it to parse, filter, process, aggregate, and output logs in any structured data format that a SIEM might require. Given its perfect balance of functionality and performance, it is the best choice for collecting and processing SIMATIC PCS 7 logs.
- Collecting SIMATIC PCS 7 logs from Windows Event Log
Many applications send their logs directly to Windows Event Log, the preferred logging facility on the Windows platform. SIMATIC PCS 7 sends its PC station, NET configuration, adapter operation-related information, and information about various other services to Windows Event Log.
- Collecting SIMATIC PCS 7 logs from file
File-based PCS7 logs include WinCC system diagnostics logs, SQL Server logs of WinCC, OS project logs, AS project logs, Multi-project logs, and Batch logs coming from Automation, Engineering, and Operator stations.
The easiest way to collect and normalize Siemens SIMATIC PCS 7 log data is by deploying NXLog. With its unique capabilities, logs can be collected from literally any file in any format. Given the wide variation in format and structure of such log files, its versatility is ideal for these systems.
For more information on integrating NXLog with SIMATIC PCS 7, see the Siemens SIMATIC PCS 7 integration guide.
The sources mentioned above and NXLog’s features play a vital role when normalizing logs accepted by Sumo Logic.
Sumo Logic is a real-time SaaS platform that collects, manages, and analyzes log data while securing cloud-scale applications. NXLog can be configured to send log data to Sumo Logic in syslog format over TCP or via a custom HTTP endpoint. It can also be configured to send host metrics via HTTP.
- Data collection
Sumo Logic accepts data from two types of collectors, installed or hosted. Installed collectors are set up by installing agent software provided by Sumo Logic, whereas hosted collectors are used to send data over TCP or HTTP(S) from agents like NXLog.
- Sending logs using TCP
Sumo Logic accepts log data as syslog messages in IETF (RFC 5424) format and requires sending data using TLS v1.2 over TCP. A Cloud Syslog Source must be created in Sumo Logic to use this method. Syslog messages should fully comply with RFC 5424 guidelines, otherwise Sumo Logic will drop them. Also, it should be noted that messages larger than 64 KB will be truncated.
- Sending logs using HTTPS
Logs and host metrics can be sent to Sumo Logic over HTTP(S) using a unique URL generated for each source. An HTTP Logs & Metrics Source must be created in Sumo Logic for NXLog to be able to send data over HTTPS.
For more information on configuring NXLog and sending logs to Sumo Logic, see the Sumo Logic integration guide in the NXLog User Guide.