Collecting logs from Schneider Citect SCADA and sending them to IBM QRadar could be a complex task because of the unique combination of the log source and the desired destination. In this post we will take a look at how you can forward log data from Schneider Citect SCADA to IBM QRadar using the NXLog log collection tool.
Citect SCADA is a Supervisory Control and Data Acquisition solution from Schneider Electric that is typically deployed in the manufacturing industry for monitoring and controlling production equipment and the delivery of utilities. Citect SCADA can monitor your operational systems in real time and retrieve important plant-related data since it is the primary user interface in your production environment. It is used in large manufacturing plants as well as smaller facilities for analyzing data using enhanced configuration capabilities.
Citect SCADA produces a wide variety of logs about its operation. Some of these logs are maintained in Windows Event Log, but most are available only as flat files.
Due to the critical nature and scope of the systems Citect SCADA controls, there is no room for error. Its stable, uninterrupted operation is crucial to plant safety. Although the logs Citect SCADA generates contain valuable information about the systems it controls, the relatively high level of log noise and the lack of a consistent log format present some challenges.
NXLog Enterprise Edition is a lightweight, modular log collection tool capable of tackling the most demanding cases log collection may pose. Its rich features allow it to read almost any log format and parse fields to produce structured data for further processing. It is the perfect tool for monitoring and collecting Citect SCADA logs.
- Collecting Citect SCADA logs from Windows Event Log
Windows Event Log is the primary logging facility on the Windows platform. The logs Citect SCADA generates contain driver traffic, updates, and system-related information. Citect SCADA creates two separate Windows Event Log entries for Schneider Electric: SUT Service for Schneider Electric software updates and Runtime Manager logs. It can also read data directly from the Schneider Electric SUT Service source.
- Collecting Citect SCADA logs from file
File-based Citect SCADA logs include changelog, syslog, tracelog, and software update logs. These logs are stored in the C:\ProgramData\Schneider Electric\Citect SCADA 2018\Logs directory and, in most cases, do not follow a consistent formatting scheme.
- Network Monitoring on Citect SCADA
NXLog has a unique feature that enables it to collect events from the communication channels between Citect SCADA devices and other computers on the network. NXLog’s passive monitoring of network traffic along with its ability to monitor most network protocols commonly used by SCADA systems, and generate logs from such network activity, make it a valuable logging tool when used with Citect SCADA.
The easiest way to collect and normalize Citect SCADA log data is to use NXLog. With its unique capabilities, it can collect logs from literally any file in any format. Given the wide variation in format and structure of such log files, NXLog is ideally suited for these systems.
For more information on integrating NXLog with Citect SCADA, see the Schneider Electric Citect SCADA integration guide.
The above mentioned log sources, and the features NXLog provides all play an important role when normalizing logs in order to be accepted by QRadar.
IBM QRadar is a Security Information and Event Management (SIEM) system, which accepts log data for further analysis, correlation, and threat intelligence. Its primary role is to identify known or potential threats, provide alerting and reports, as well as aid incident investigations.
For QRadar to accept logs from NXLog, appliances need to be configured with the appropriate log source in QRadar. This can be done by navigating from the menu to data sources, events, and then log sources. Here, a log source can be set that is either specific or generic.
- Generic structured logs
Setting up a generic log source in IBM QRadar is essential for log sources that are not among QRadar’s set of predefined log source types. Once a generic log source is defined, logs can be sent to QRadar using LEEF (Log Event Extended Format).
- Specific log types
IBM QRadar provides many log source types that are predefined, making it easier to collect and send a large number of log types to it natively, such as those in Windows Event Log, DHCP server logs, DNS debug logs, Microsoft Exchange Server logs, as well as Microsoft SQL logs.
Forwarding logs to IBM QRadar is straightforward with NXLog, and it can be accomplished with TCP or even TLS/SSL if security is a main concern.