Sending Siemens SIMATIC PCS 7 logs to Splunk

Collecting logs from Siemens SIMATIC PCS 7 and sending them to Splunk can be a complex task because of the unique combination of the log source and the desired destination. In this post we will show you how you can forward log data from SIMATIC PCS 7 to Splunk using the NXLog log collection agent.


Siemens SIMATIC PCS 7 is a distributed control system (DCS) solution that uses many Siemens hardware components supported and configured by PCS 7 software tools. Deployments usually consist of Engineering stations (ES), Operating stations (OS), and Automation stations (AS). The PCS 7 AS features the Siemens SIMATIC S7-400 series central processing unit, designed to automate plants requiring many I/O signals and control loops. SIMATIC PCS 7 is commonly used for automation tasks in various industrial sectors such as chemicals, petrochemicals, water treatment, pharmaceuticals, and power generation.

SCADA systems and Siemens have a couple of things in common: they employ a variety of network protocols to facilitate communication between various types of nodes (physical computers, CPUs, distributed I/Os, and field devices) and SCADA for storing data. Consequently, both solutions are firmly integrated within corporate networks where such nodes are typically deployed.

Collecting SIMATIC PCS 7 logs

SIMATIC PCS 7 produces a wide variety of operational logs. Some are sent to Windows Event Log, but most are stored as flat files.

SIMATIC PCS 7 controls systems that are of significant financial and security importance. In mission-critical settings, the timely collection and processing of SIMATIC PCS 7 logs is crucial to the reliability and security of the systems it controls. However, the sheer diversity of log formats and data structures and the noise that some of these logs contain pose severe challenges to most logging software. A brief interruption of normal operations could result in catastrophic consequences.

NXLog Enterprise Edition is a lightweight, modular log collection tool capable of tackling the most demanding cases log collection may pose. Its features enable it to parse, filter, process, aggregate, and output logs in any structured data format that a SIEM might require. Given its perfect balance of functionality and performance, it is the best choice for collecting and processing SIMATIC PCS 7 logs.

Collecting SIMATIC PCS 7 logs from Windows Event Log

Many applications send their logs directly to Windows Event Log, the preferred logging facility on the Windows platform. SIMATIC PCS 7 sends its PC station, NET configuration, adapter operation-related information, and information about various other services to Windows Event Log.

Collecting SIMATIC PCS 7 logs from file

File-based PCS7 logs include WinCC system diagnostics logs, SQL Server logs of WinCC, OS project logs, AS project logs, Multi-project logs, and Batch logs coming from Automation, Engineering, and Operator stations.

The easiest way to collect and normalize Siemens SIMATIC PCS 7 log data is by deploying NXLog. With its unique capabilities, logs can be collected from literally any file in any format. Given the wide variation in format and structure of such log files, its versatility is ideal for these systems.

For more information on integrating NXLog with SIMATIC PCS 7, see the Siemens SIMATIC PCS 7 integration guide.

The above mentioned sources, and the features NXLog provides all play an important role when normalizing logs in order to be accepted by Splunk.

Sending logs to Splunk

Splunk is a platform for data collection, searching, indexing, and data visualization. It accepts logs forwarded via TLS, TCP, UDP or HTTP and can ingest both structured or unstructured data from a multitude of sources.

Generic structured logs

To send logs via HTTP, Splunk’s HTTP event collector handles HTTP requests with either raw data payloads or formatted as JSON objects. To send logs via TCP or UDP you will need to set up the appropriate data input and specify the transmission protocol. To do this, use the Splunk dashboard to set up a new data input following their configuration guidelines. Alternatively, to send logs via TLS, you will need to edit your configuration files to generate the required security certificates.

Specific structured logs

Windows Event Log data can be forwarded to Splunk in XML format by installing the Splunk Add-on for Windows version 6.0.0. To reliably forward SICAM PAS/PQS logs to Splunk, all you need to do is specify Splunk’s network socket address along with the path and file names of the log files in your NXLog configuration file.

For more information on how to configure NXLog and send logs to Splunk, please visit the Splunk section in the NXLog User Guide.

GET STARTED TODAY: | Contact Us | Free Trial | Get Pricing

NXLog Ltd. develops multi-platform log collection tools that support many different log sources, formats, transports, and integrations. The tools help administrators collect, parse, and forward logs so they can more easily respond to security issues, investigate operational problems, and analyze event data. NXLog distributes the free and open source NXLog Community Edition and offers additional features and support with the NXLog Enterprise Edition.

This document is provided for informational purposes only and is subject to change without notice. Trademarks are the properties of their respective owners.