Sending Siemens SIMATIC PCS 7 logs to Splunk

Collecting logs from Siemens SIMATIC PCS 7 and sending them to Splunk can be a complex task because of the unique combination of the log source and the desired destination. In this post we will show you how you can forward log data from SIMATIC PCS 7 to Splunk using the NXLog log collection agent.


Siemens SIMATIC PCS 7 is a distributed control system (DCS) solution that uses a large number of Siemens hardware components supported and configured by PCS 7 software tools. Deployments usually consist of Engineering stations (ES), Operating Stations (OS), and Automation stations (AS). The PCS 7 AS comprises the Siemens SIMATIC S7-400 series central processing unit, typical use of which is the automation of plants that require a large number of I/O signals and control loops. SIMATIC PCS 7 is commonly used for various automation tasks in industrial sectors such as chemicals, petrochemicals, water treatment, pharmaceuticals and power generation.

SCADA systems and Siemens share a couple of things in common: they employ a variety of network protocols to facilitate communication between various type of nodes (physical computers, CPUs, distributed I/Os, as well as field devices) and SCADA for storing data. Consequently, both solutions are firmly integrated within the corporate networks where those nodes are deployed.

Collecting SIMATIC PCS 7 logs

SIMATIC PCS 7 produces a wide variety of logs about its operation. Some of the logs are available through Windows Event Log, but most of the logs are stored as flat files.

Because of the nature and size of the systems controlled by Siemens SIMATIC PCS 7, continuous and safe operation is a must with no room for errors or trade-offs. The logs produced by SIMATIC PCS 7 can provide crucial information about the operation of the entire system it controls. However, the inconsistent formatting and the noisiness of the logs could present some challenges.

NXLog Enterprise Edition is a lightweight, modular log collection tool, capable of tackling the most demanding cases log collection may pose. It possesses a wide range of features that enable it to parse almost any format to produce structured data for further processing. For these reasons, it is the perfect tool for monitoring and collecting SIMATIC PCS 7 logs.

Collecting SIMATIC PCS 7 logs from Windows Event Log

Windows Event Log is the main log aggregation framework for the Windows platform. The logs created by SIMATIC PCS 7 contain PC station, NET configuration, and adapter operation related information, as well as information about various other services.

Collecting SIMATIC PCS 7 logs from file

File-based PCS7 logs include WinCC system diagnostics logs, SQL Server logs of WinCC, OS project logs, AS project logs, Multiproject logs as well as Batch logs coming from Automation, Engineering, and Operator stations.

The easiest way to collect and normalize Siemens SIMATIC PCS 7 log data is to collect them with NXLog. With its unique capabilities, logs can be collected from literally any file, in any format. Given the wide variation in format and structure of such log files, its versatility is ideally suited for these systems.

For more information on how to integrate NXLog with SIMATIC PCS 7, you can find detailed documentation here.

The above mentioned sources, and the features NXLog provides all play an important role when normalizing logs in order to be accepted by Splunk.

Sending logs to Splunk

Splunk is a platform for data collection, searching, indexing, and data visualization. It accepts logs forwarded via TLS, TCP, UDP or HTTP and can ingest both structured or unstructured data from a multitude of sources.

Generic structured logs

To send logs via HTTP, Splunk’s HTTP event collector handles HTTP requests with either raw data payloads or formatted as JSON objects. To send logs via TCP or UDP you will need to set up the appropriate data input and specify the transmission protocol. To do this, use the Splunk dashboard to set up a new data input following their configuration guidelines. Alternatively, to send logs via TLS, you will need to edit your configuration files to generate the required security certificates.

Specific structured logs

Windows Event Log data can be forwarded to Splunk in XML format by installing the Splunk Add-on for Windows version 6.0.0. To reliably forward Citect SCADA logs to Splunk, all you need to do is specify Splunk’s network socket address along with the path and file names of the log files in your NXLog configuration file.

For more information on how to configure NXLog and send logs to Splunk, please visit the Splunk section in the NXLog User Guide.

GET STARTED TODAY: | Contact Us | Free Trial | Get Pricing

NXLog Ltd. develops multi-platform log collection tools that support many different log sources, formats, transports, and integrations. The tools help administrators collect, parse, and forward logs so they can more easily respond to security issues, investigate operational problems, and analyze event data. NXLog distributes the free and open source NXLog Community Edition and offers additional features and support with the NXLog Enterprise Edition.

This document is provided for informational purposes only and is subject to change without notice. Trademarks are the properties of their respective owners.