Sending Schneider Citect SCADA logs to IBM QRadar

Collecting logs from Schneider Citect SCADA and sending them to IBM QRadar could be a complex task because of the unique combination of the log source and the desired destination. In this post we will take a look at how you can forward log data from Schneider Citect SCADA to IBM QRadar using the NXLog log collection tool.

Schneider Citect SCADA

Citect SCADA is a Supervisory Control and Data Acquisition solution from Schneider Electric that is typically deployed in the manufacturing industry for monitoring and controlling production equipment and the delivery of utilities. It is used for both large manufacturing plants as well as smaller facilities, allowing you to analyze data using enhanced configuration capabilities. Citect SCADA can monitor your operational systems in real time and retrieve important plant-related data since it is the main user interface in your production environment.

Collecting Citect SCADA logs

Citect SCADA produces a wide variety of logs about its operation. Some of the logs are available through Windows Event Log, but most of the logs are in the format of flat files.

Due to the critical nature and scope of the systems Citect SCADA controls, there is no room for errors. Its stable, uninterrupted operation is crucial to plant safety. Although the logs Citect SCADA generates contain valuable information about the systems it controls, the relatively high level of log noise and the lack of a consistent log format present some challenges.

NXLog Enterprise Edition is a lightweight, modular log collection tool, capable of tackling the most demanding cases log collection may pose. Owing to its rich set of features, it can read almost any log format and parse fields to produce structured data for further processing. For these reasons, it is the perfect tool for monitoring and collecting Citect SCADA logs.

Collecting Citect SCADA logs from Windows Event Log

Windows Event Log is the main log aggregation framework on the Windows platform. The Citect SCADA entries it holds cover driver traffic, updates, and system-related information. Citect SCADA writes to two distinct Windows Event Log sources under Schneider Electric: the SUT Service source, which records Schneider Electric software updates, and the Runtime Manager source. NXLog can also read directly from the Schneider Electric SUT Service source.

Collecting Citect SCADA logs from file

File-based logs of Citect SCADA include the change log, syslog, tracelog, and software update logs. These logs are stored in the C:\ProgramData\Schneider Electric\Citect SCADA 2018\Logs directory and, in most cases, do not follow a consistent formatting scheme.

Citect SCADA Network Monitoring

NXLog provides support to passively monitor network traffic by generating logs for various protocols. This capability of NXLog is another valuable source for collecting events based on the network communication to and from Citect SCADA devices and controller computers.

The easiest way to collect and normalize Citect SCADA log data is to use NXLog. With its unique capabilities, it can collect logs from literally any file, in any format. Given the wide variation in format and structure of such log files, NXLog is ideally suited for these systems.

For more information on how to integrate NXLog with Citect SCADA, you can find detailed documentation here.

The above-mentioned log sources and the features NXLog provides all play an important role in normalizing logs so that QRadar accepts them.

Sending logs to IBM QRadar

IBM QRadar is a Security Information and Event Management (SIEM) system, which accepts log data for further analysis, correlation and threat intelligence. Its primary role is to identify known or potential threats, provide alerting and reports, as well as aid incident investigations.

For QRadar to accept logs from NXLog, you must set up your appliance with the appropriate log source in the QRadar web interface. This is done by navigating from the menu to Data Sources, then Events, and finally Log Sources. Here you can set up a log source that is either specific or generic.

Generic structured logs

Setting up a generic log source in IBM QRadar is important when you want to send logs from a source which QRadar does not have as a predefined log source type. This can be achieved by sending logs to QRadar using LEEF (Log Event Extended Format).

Specific log types

IBM QRadar provides many predefined log source types, making it easier to collect and send a large number of log types to it natively, such as those in Windows Event Log, DHCP server logs, DNS debug logs, Microsoft Exchange Server logs, and Microsoft SQL logs.

Forwarding logs to IBM QRadar is straightforward with NXLog, and it can be accomplished over plain TCP or over TLS/SSL when transport security is a main concern.
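As an added example (not configuration from the post, from NXLog's documentation, or from Schneider Electric), the NXLog Enterprise Edition configuration below ties the pieces described above together: it reads the two Schneider Electric Windows Event Log sources and the flat files in the Citect SCADA 2018 Logs directory, converts each event to LEEF with xm_leef, and ships it over TLS to a QRadar TLS Syslog log source. The event provider names, the file glob, QRADAR_HOST, and the certificate paths are assumptions that must be checked against your own installation.

```conf
# Added example, not from the post or NXLog docs. Provider names, file glob,
# QRADAR_HOST and certificate paths are assumptions: verify on your own hosts.
define CERTDIR C:\Program Files\nxlog\cert

<Extension leef>
    Module          xm_leef
</Extension>

# Windows Event Log: SUT Service and Runtime Manager entries (names assumed).
<Input citect_eventlog>
    Module          im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">
                    *[System[Provider[@Name='SUT Service' or @Name='Runtime Manager']]]
                </Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

# Flat-file logs from the Citect SCADA 2018 Logs directory (glob assumed).
<Input citect_files>
    Module          im_file
    File            'C:\ProgramData\Schneider Electric\Citect SCADA 2018\Logs\*.*'
    ReadFromLast    TRUE
    SavePos         TRUE
    # Lines have no consistent structure; forward each whole line as the message.
    Exec            $Message = $raw_event;
</Input>

# LEEF over TLS to QRadar's TLS Syslog log source (default port 6514).
<Output qradar>
    Module          om_ssl
    Host            QRADAR_HOST
    Port            6514
    CAFile          %CERTDIR%\qradar-ca.pem
    CertFile        %CERTDIR%\nxlog-cert.pem
    CertKeyFile     %CERTDIR%\nxlog-key.pem
    AllowUntrusted  FALSE
    Exec            to_leef();
</Output>

<Route citect_to_qradar>
    Path            citect_eventlog, citect_files => qradar
</Route>
```

Keep AllowUntrusted at FALSE so NXLog verifies the QRadar certificate against qradar-ca.pem; otherwise a forged listener could silently receive the plant's logs.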


NXLog Ltd. develops multi-platform log collection tools that support many different log sources, formats, transports, and integrations. The tools help administrators collect, parse, and forward logs so they can more easily respond to security issues, investigate operational problems, and analyze event data. NXLog distributes the free and open source NXLog Community Edition and offers additional features and support with the NXLog Enterprise Edition.
