Sending Schneider Citect SCADA logs to Microsoft Azure Sentinel

Collecting logs from Schneider Citect SCADA and sending them to Microsoft Azure Sentinel could be a complex task due to this unique selection of log sources and target SIEM. In this post we will take a look at how you can forward log data from Schneider Citect SCADA to Microsoft Azure Sentinel using NXLog.

Schneider Citect SCADA

Citect SCADA is a Supervisory Control and Data Acquisition solution from Schneider Electric that is typically deployed in the manufacturing industry for monitoring and controlling production equipment and the delivery of utilities. Both large manufacturing plants as well as smaller facilities use Citect SCADA, where it is valued for its highly configurable data analysis and real-time monitoring capabilities.

Collecting Citect SCADA logs

Citect SCADA produces a wide variety of logs about its operation. Some of the logs are available through Windows Event Log, but most of the logs are in the format of flat files.

Due to the critical nature and scope of the systems Citect SCADA controls, there is no room for errors. Its stable, uninterrupted operation is crucial to plant safety. Although the logs Citect SCADA generates contain valuable information about the systems it controls, the relatively high level of log noise and the lack of a consistent log format present some challenges.

NXLog Enterprise Edition is a lightweight, modular log collection tool, capable of tackling the most demanding cases log collection may pose. Owing to its rich set of features, it can read almost any log format and parse fields to produce structured data for further processing. For these reasons, it is the perfect tool for monitoring and collecting Citect SCADA logs.

Collecting Citect SCADA logs from Windows Event Log

Windows Event Log is the main log aggregation framework on the Windows platform. The Citect SCADA entries in it cover driver traffic, software updates, and system-related information. Citect SCADA registers two distinct event sources under the Schneider Electric name: the SUT Service source, which records Schneider Electric software updates, and the Runtime Manager source, which records runtime logs. NXLog can subscribe to both sources, including the Schneider Electric SUT Service source, and read them directly from Windows Event Log.

Collecting Citect SCADA logs from file

Citect SCADA's file-based logs include the change log, syslog, tracelog, and software update logs. These logs are stored in the C:\ProgramData\Schneider Electric\Citect SCADA 2018\Logs directory (the path is specific to the 2018 release), but they do not follow a consistent formatting scheme, so each file type needs its own parsing rules.

Citect SCADA Network Monitoring

NXLog can passively monitor network traffic with its packet capture input and generate logs for most common network protocols. Logging the network communication between Citect SCADA devices and controller hosts in this way provides another valuable log source, and one that does not depend on the SCADA software's own logging.

NXLog can also normalize and aggregate Citect SCADA logs. Because it can read arbitrary text files and parse them with regular expressions or dedicated parsing extensions, it is well suited to the wide variety of log types and file formats Citect SCADA produces.

For more information on how to integrate NXLog with Citect SCADA, see NXLog's Citect SCADA integration documentation.

The above mentioned log sources and the features NXLog provides all play an important role when normalizing logs for Microsoft Azure Sentinel to successfully ingest.

Sending logs to Microsoft Azure Sentinel

Azure Sentinel is a SIEM solution offered as a scalable, cloud-native, service within Microsoft Azure. Its main features are security analytics, alert detection, threat intelligence, and threat response. With the comprehensive view of your enterprise’s network security environment that it provides, the response time needed to assess and respond to possible security threats can be greatly reduced.

Log sources

To forward logs from NXLog to Azure Sentinel you need an Azure subscription with Azure Sentinel enabled on a Log Analytics workspace; the workspace stores your log data, queries, and functions. Configure NXLog with the workspace ID, the workspace's primary (or secondary) shared key, and the name of the custom table the logs should land in. NXLog then converts any log source on the fly to the JSON format Azure Monitor's HTTP Data Collector API expects and sends it over HTTPS for ingestion as custom log events. The shared key signs every request and therefore grants write access to the workspace, so protect it like any other credential: restrict read access to the NXLog configuration file and rotate the key if it is exposed. In the Azure Sentinel portal you can view the ingested events under General > Overview > Logs; on the Tables tab the custom log table appears under the name you chose in NXLog, followed by the _CL suffix that Log Analytics appends to all custom log tables.
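The following end-to-end NXLog Enterprise Edition configuration is an added example written for this page; it is not taken from NXLog's Citect SCADA documentation or from any vendor sample. It ties together the three log paths described above: the two Citect-related Windows Event Log sources, the flat-file log directory, and the om_azure output to Azure Sentinel. The Event Log provider names, the Application channel, the *.log file pattern, the workspace ID, the shared key and the table name are placeholders that must be checked against the installed system and the workspace; the om_azure directive names (WorkspaceID, SharedKey, TableName) are given as documented for the Enterprise Edition and should be verified against the documentation for your NXLog version.

```nxlog
# Added example: collect Citect SCADA logs and forward them to Azure Sentinel.
# Not NXLog's or Schneider Electric's own configuration; all names marked
# ASSUMPTION below are placeholders to be verified on the target host.

# ASSUMPTION: version-specific log directory for Citect SCADA 2018.
define CITECT_LOGS C:\ProgramData\Schneider Electric\Citect SCADA 2018\Logs

<Extension json>
    Module  xm_json
</Extension>

# Windows Event Log: subscribe only to the two Citect-related providers so
# unrelated Application-channel noise never reaches the SIEM.
# ASSUMPTION: provider names and channel as written; confirm them in Event
# Viewer under the event's Source and Log Name before deploying.
<Input citect_eventlog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">
                    *[System[Provider[@Name='Runtime Manager' or @Name='SUT Service']]]
                </Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Tag the record so analysts can filter by collection path in Sentinel.
    Exec    $LogSource = 'citect_eventlog';
</Input>

# Flat files: change log, syslog, tracelog and software update logs.
# The formats differ per file, so the raw line is forwarded together with
# the file name ($FileName is set by im_file); add per-file parsing rules
# here once each format has been confirmed.
# ASSUMPTION: the files carry a .log extension; adjust the pattern if not.
<Input citect_files>
    Module          im_file
    File            '%CITECT_LOGS%\*.log'
    Recursive       TRUE
    ReadFromLast    TRUE
    SavePos         TRUE
    Exec            $LogSource = 'citect_file';
</Input>

# Azure Sentinel via the Log Analytics workspace. The shared key signs every
# request, so it grants write access to the workspace: keep this file
# readable by the nxlog service account only.
# ASSUMPTION: placeholder workspace ID, key and table name.
<Output sentinel>
    Module      om_azure
    WorkspaceID 00000000-0000-0000-0000-000000000000
    SharedKey   REPLACE_WITH_PRIMARY_OR_SECONDARY_KEY
    TableName   CitectSCADA
    # Azure Monitor expects a JSON body; serialize all fields before sending.
    Exec        to_json();
</Output>

<Route citect_to_sentinel>
    Path    citect_eventlog, citect_files => sentinel
</Route>
```

After saving the file, run `nxlog -v` to check the configuration syntax before restarting the service. With this configuration the records arrive in a custom table named CitectSCADA_CL, and the $LogSource field lets a Sentinel query distinguish Event Log records from flat-file records without inspecting the message text.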

Forwarding logs to Azure Sentinel is straightforward with NXLog. All it takes is following a few simple configuration steps.


NXLog Ltd. develops multi-platform log collection tools that support many different log sources, formats, transports, and integrations. The tools help administrators collect, parse, and forward logs so they can more easily respond to security issues, investigate operational problems, and analyze event data. NXLog distributes the free and open source NXLog Community Edition and offers additional features and support with the NXLog Enterprise Edition.

This document is provided for informational purposes only and is subject to change without notice. Trademarks are the properties of their respective owners.