Siemens SICAM SCC

Siemens SICAM SCC or SICAM Station Control Center is a human-machine interface (HMI) for multiple power automation systems.

Types of logs

NXLog Agent can read and process SICAM SCC log data from the following sources:

Logs in Windows Event Log

NXLog Agent can read Windows Event Log entries generated by SICAM SCC based on their Event ID and event source.

This table contains the SICAM SCC services which generate Windows Event Log data along with their display name and executable path.

Table 1. List of SICAM SCC event sources
Service name | Display name | Path to executable
CCAgent | CCAgent | C:\Program Files (x86)\Common Files\Siemens\ACE\bin\CCAgent.EXE
CCArchiveManagerService | CCArchiveManagerService | C:\Program Files (x86)\Common Files\Siemens\CommonArchiving\CCArchiveManager.EXE
CCDBUtils | CCDBUtils | C:\Program Files (x86)\Common Files\Siemens\CommonArchiving\CCDBUtils.EXE
CCEClient | CCEClient | C:\Program Files (x86)\Common Files\Siemens\ACE\bin\CCEClient_x64.exe
CCEServer | CCEServer | C:\Program Files (x86)\Common Files\Siemens\ACE\bin\CCEServer_x64.exe
CCOPC.XMLWrapper | CCOPC.XMLWrapper | C:\Program Files (x86)\Siemens\WinCC\opc\XMLDataAccess\bin\DA2XML.exe
CCOpcUaImporter | CCOpcUaImporter | C:\Program Files (x86)\Siemens\WinCC\OPC\UAClient\UaConfigServer\CCOpcUaImporter.exe
CCPerfMon | CCPerfMon | C:\Program Files (x86)\Common Files\Siemens\bin\CCPerfMon.exe
CCRedundancyAgent-Service | CCRedundancyAgent-Service | C:\Program Files (x86)\Common Files\Siemens\CommonArchiving\CCRedundancyAgent.exe
CCRemoteService | CCRemoteService | C:\Program Files (x86)\Common Files\Siemens\bin\CCRemoteService.exe
CcUaDAS | CcUaDAS | C:\Program Files (x86)\Siemens\WinCC\OPC\UAClient\UaDAS\CcUaDAS.exe
NTP | Network Time Protocol | C:\Program Files (x86)\Common Files\Siemens\Energy\NTP\ntpdssl-sag.exe -g -c C:\Windows\sysWOW64\drivers\etc\ntp.conf
OpcUaServerWinCC | OpcUaServerWinCC | C:\Program Files (x86)\Siemens\WinCC\OPC\UAServer\OpcUaServerWinCC.exe
RedundancyControl | RedundancyControl | C:\Program Files (x86)\Common Files\Siemens\ace\bin\RedundancyControl.exe
RedundancyState | RedundancyState | C:\Program Files (x86)\Common Files\Siemens\ace\bin\RedundancyState.exe
s7oiehsx64 | S7DOS Help Service | C:\Program Files\Common Files\Siemens\Automation\Simatic OAM\bin\s7oiehsx64.exe
S7DOS SCP Remote | S7DOS SCP Remote | C:\Program Files\Common Files\Siemens\Automation\Simatic OAM\bin\S7O.TunnelServiceHost.exe
SCS Distribution Service | SCS Distribution Service | C:\Program Files (x86)\Common Files\Siemens\ACE\bin\SCSDistServiceX.exe
SCSFsX | SCSFsX | C:\Program Files (x86)\Common Files\Siemens\ACE\bin\SCSFsX.exe
SCSMonitor | SCSMonitor | C:\Program Files (x86)\Common Files\Siemens\ace\bin\SCSMX.exe
SIMATIC PnDiscovery Service | SIMATIC PnDiscovery Service | C:\Program Files\Common Files\Siemens\Automation\Simatic OAM\bin\s7oPNDiscoveryx64.exe
S7TraceServiceX | SIMATIC Trace Service | C:\Program Files\Common Files\Siemens\Automation\TraceEngine\bin\S7TraceService64X.exe
CCAlgIAlarmDataCollector | SIMATIC WinCC CCAlgIAlarmDataCollector | C:\Program Files (x86)\Siemens\WinCC\bin\CCAlgIAlarmDataCollector.exe
CCAlgRtServe | SIMATIC WinCC CCAlgRtServer | C:\Program Files (x86)\Siemens\WinCC\bin\CcAlgRtServer.exe
CCCloudConnect | SIMATIC WinCC CCCloudConnect | C:\Program Files (x86)\Siemens\WinCC\bin\CCCloudConnect.exe
CCCSigRTServer | SIMATIC WinCC CCCSigRTServer | C:\Program Files (x86)\Siemens\WinCC\bin\CCCSigRTServer.exe
CCDeltaLoader | SIMATIC WinCC CCDeltaLoader | C:\Program Files (x86)\Siemens\WinCC\bin\CCDeltaLoader.exe
CCLBMRTServer | SIMATIC WinCC CCLBMRTServer | C:\Program Files (x86)\Siemens\WinCC\bin\CCDeltaLoader.exe
CCNSInfo2Provider | SIMATIC WinCC CCNSInfo2Provider | C:\Program Files (x86)\Siemens\WinCC\bin\CCNSInfo2Provider.exe
CCPackageMgr | SIMATIC WinCC CCPackageMgr | C:\Program Files (x86)\Siemens\WinCC\bin\CCPackageMgr.exe
CCProfileServer | SIMATIC WinCC CCProfileServer | C:\Program Files (x86)\Siemens\WinCC\bin\CCProfileServer.exe
CCProjectMgr | SIMATIC WinCC CCProjectMgr | C:\Program Files (x86)\Siemens\WinCC\bin\CCProjectMgr.exe
CCPtmRTServer | SIMATIC WinCC CCPtmRTServer | C:\Program Files (x86)\Siemens\WinCC\bin\CCPtmRTServer.exe
CCSsmRTServer | SIMATIC WinCC CCSsmRTServer | C:\Program Files (x86)\Siemens\WinCC\bin\CCSsmRTServer.exe
CCSystemDiagnosticsHost | SIMATIC WinCC CCSystemDiagnosticsHost | C:\Program Files (x86)\Siemens\WinCC\bin\CCSystemDiagnosticsHost.exe
CCTextServer | SIMATIC WinCC CCTextServer | C:\Program Files (x86)\Siemens\WinCC\bin\CCTextServer.exe
CCTlgServer | SIMATIC WinCC CCTlgServer | C:\Program Files (x86)\Siemens\WinCC\bin\CCTlgServer.exe
CCTMTimeSyncServer | SIMATIC WinCC CCTMTimeSyncServer | C:\Program Files (x86)\Siemens\WinCC\bin\CCTMTimeSyncServer.exe
CCUsrAcv | SIMATIC WinCC CCUsrAcv | C:\Program Files (x86)\Siemens\WinCC\bin\CCUsrAcv.exe
CCRtsLoader | SIMATIC WinCC Data Manager | C:\Program Files (x86)\Siemens\WinCC\bin\CCRtsLoader_x64.exe
CCLicenseService | SIMATIC WinCC License Service | C:\Program Files (x86)\Common Files\Siemens\bin\CCLicenseService.exe
MSSQL$WINCC | SQL Server (WINCC) | C:\Program Files\Microsoft SQL Server\MSSQL13.WINCC\MSSQL\Binn\sqlservr.exe -sWINCC
SQLAgent$WINCC | SQL Server Agent (WINCC) | C:\Program Files\Microsoft SQL Server\MSSQL13.WINCC\MSSQL\Binn\SQLAGENT.EXE -i WINCC
MSOLAP$WINCC | SQL Server Analysis Services (WINCC) | C:\Program Files\Microsoft SQL Server\MSAS13.WINCC\OLAP\bin\msmdsrv.exe -s C:\Program Files\Microsoft SQL Server\MSAS13.WINCC\OLAP\Config
SSASTELEMETRY$WINCC | SQL Server Analysis Services CEIP (WINCC) | C:\Program Files\Microsoft SQL Server\MSAS13.WINCC\OLAP\Bin\sqlceip.exe -Service WINCC MSAS
SQLTELEMETRY$WINCC | SQL Server CEIP service (WINCC) | C:\Program Files\Microsoft SQL Server\MSSQL13.WINCC\MSSQL\Binn\sqlceip.exe -Service WINCC
TraceConceptX | TraceConceptX | C:\Program Files\Common Files\Siemens\SimNetCom\TraceConceptX.exe
TracewindowService_v4.0 | TracewindowService_v4.0 | C:\Program Files (x86)\Common Files\Siemens\Energy\TraceWindow\v4.0\Siemens.Energy.TracewindowService.exe
XR_CCOPC.XMLWrapper | XR_CCOPC.XMLWrapper | C:\Program Files (x86)\Siemens\WinCC\opc\XMLDataAccess\bin\CCRT2XML.exe

This table contains events that are generated by SICAM SCC and their corresponding Event IDs.

Table 2. Events generated by the SICAM SCC
Event ID | Source | Event text
3 | NTP | <any_message>
257 | CCEServer | Service started
4132 | S7TraceServiceX.exe | !! Service started !!
5084 | MSSQL$WINCC | Setting database option <option_name> for database '<database_name>'
17137 | MSSQL$WINCC | Starting up database '<database_name>'

This example demonstrates how to read and process Windows Event Log entries by source name.

Example 1. Processing SICAM SCC logs from Windows Event Log based on the source name
CCRedundancyAgent-Service event sample
Log Name:      Application
Source:        CCRedundancyAgent-Service
Date:          2/25/2021 1:04:06 AM
Event ID:      0
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      WIN-5RU7GP5MI4V
Description:
Service started
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="CCRedundancyAgent-Service" />
    <EventID Qualifiers="0">0</EventID>
    <Level>4</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2021-02-25T09:04:06.915209200Z" />
    <EventRecordID>5952</EventRecordID>
    <Channel>Application</Channel>
    <Computer>WIN-5RU7GP5MI4V</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Service started</Data>
  </EventData>
</Event>

To read Windows Event Log, this NXLog Agent configuration uses the im_msvistalog module. The QueryXML directive of this module specifies the CCDeltaLoader, CCPackageMgr, CCAlgRtServer, and CCRedundancyAgent-Service services.

Event entries read from these services are then converted to JSON using the to_json() procedure of the xm_json module.

nxlog.conf
<Extension json>
    Module    xm_json
</Extension>

<Input from_eventlog>
    Module    im_msvistalog
    # An XML query that reads Windows Event Logs based on SourceName
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Application">
                <Select Path="Application">*
                    [System[Provider[@Name='CCDeltaLoader' or
                                     @Name='CCPackageMgr' or
                                     @Name='CCAlgRtServer' or
                                     @Name='CCRedundancyAgent-Service']]]
                </Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Converting to JSON
    Exec      to_json();
</Input>
Output sample in JSON
{
  "EventTime": "2021-02-25T11:04:06.915209+02:00",
  "Hostname": "WIN-5RU7GP5MI4V",
  "Keywords": "36028797018963968",
  "EventType": "INFO",
  "SeverityValue": 2,
  "Severity": "INFO",
  "EventID": 0,
  "SourceName": "CCRedundancyAgent-Service",
  "TaskValue": 0,
  "RecordNumber": 5952,
  "ExecutionProcessID": 0,
  "ExecutionThreadID": 0,
  "Channel": "Application",
  "Message": "Service started",
  "Category": "%1",
  "Opcode": "Info",
  "Data": "Service started",
  "EventReceivedTime": "2021-02-25T11:04:07.164382+02:00",
  "SourceModuleName": "from_eventlog",
  "SourceModuleType": "im_msvistalog"
}
Example 2. Processing SICAM SCC logs from Windows Event Log based on the Event ID

This is a Windows Event Log sample with Event ID 17137 (Starting up database '<database_name>').

Event sample
Log Name:      Application
Source:        MSSQL$WINCC
Date:          2/25/2021 12:08:20 AM
Event ID:      17137
Task Category: Server
Level:         Information
Keywords:      Classic
User:          SYSTEM
Computer:      WIN-5RU7GP5MI4V
Description:
Starting up database 'CC_PAS_PQS__21_01_06_01_20_07'.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="MSSQL$WINCC" />
    <EventID Qualifiers="16384">17137</EventID>
    <Level>4</Level>
    <Task>2</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2021-02-25T08:08:20.931018000Z" />
    <EventRecordID>5933</EventRecordID>
    <Channel>Application</Channel>
    <Computer>WIN-5RU7GP5MI4V</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data>CC_PAS_PQS__21_01_06_01_20_07</Data>
    <Binary>F14200000A00000016000000570049004E002D0035005200550037004700500035004D004900340056005C00570049004E00430043000000070000006D00610073007400650072000000</Binary>
  </EventData>
</Event>

To read and process Windows Event Log, this NXLog Agent configuration uses the im_msvistalog module. The Event IDs are specified within the QueryXML directive. Finally, the Exec directive calls the to_json() procedure of the xm_json module to generate the output in JSON.

nxlog.conf
<Extension json>
    Module    xm_json
</Extension>

<Input from_eventlog>
    Module    im_msvistalog
    # XML query for filtering by the Event ID values
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Application">
                <Select Path="Application">
                           *[System[(EventID=0 or EventID=3 or
                            EventID=257 or EventID=4132 or
                            EventID=5084 or EventID=17137)]]
                </Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Converting to JSON
    Exec      to_json();
</Input>
Output sample in JSON
{
  "EventTime": "2021-02-25T00:08:20.931018-08:00",
  "Hostname": "WIN-5RU7GP5MI4V",
  "Keywords": "36028797018963968",
  "EventType": "INFO",
  "SeverityValue": 2,
  "Severity": "INFO",
  "EventID": 17137,
  "SourceName": "MSSQL$WINCC",
  "TaskValue": 2,
  "RecordNumber": 5933,
  "ExecutionProcessID": 0,
  "ExecutionThreadID": 0,
  "Channel": "Application",
  "Domain": "NT AUTHORITY",
  "AccountName": "SYSTEM",
  "UserID": "S-1-5-18",
  "AccountType": "User",
  "Message": "Starting up database 'CC_PAS_PQS__21_01_06_01_20_07'.",
  "Category": "Server",
  "Data": "CC_PAS_PQS__21_01_06_01_20_07",
  "EventData.Binary": "F14200000A00000016000000570049004E002D0035005200550037004700500035004D004900340056005C00570049004E00430043000000070000006D00610073007400650072000000",
  "EventReceivedTime": "2021-02-25T00:08:21.743511-08:00",
  "SourceModuleName": "from_eventlog",
  "SourceModuleType": "im_msvistalog"
}
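
The query in Example 2 selects on Event ID alone, so it also returns Application channel events from any other provider that uses the same IDs. The following added example (not part of the original page or of NXLog) pairs each JSON record's EventID with its SourceName according to Table 2 and extracts the placeholder values from the message; the function names are assumptions, and every sample record except the Example 2 output is constructed.

```python
import re

# (EventID, SourceName) -> event text, copied from Table 2 of this page.
TABLE_2 = {
    (3, "NTP"): "<any_message>",
    (257, "CCEServer"): "Service started",
    (4132, "S7TraceServiceX.exe"): "!! Service started !!",
    (5084, "MSSQL$WINCC"):
        "Setting database option <option_name> for database '<database_name>'",
    (17137, "MSSQL$WINCC"): "Starting up database '<database_name>'",
}

PLACEHOLDER = re.compile(r"<(\w+)>")


def template_to_regex(template):
    """Turn a Table 2 event text into a regex with one named group per <placeholder>."""
    parts, pos = [], 0
    for m in PLACEHOLDER.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        parts.append("(?P<%s>.+?)" % m.group(1))
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    # The Example 2 message ends with a full stop that the table text omits.
    return re.compile("".join(parts) + r"\.?\s*$", re.DOTALL)


PATTERNS = {key: template_to_regex(text) for key, text in TABLE_2.items()}


def classify(record):
    """Return the placeholder values of a Table 2 event ({} if it has none),
    or None when the (EventID, SourceName) pair or the message does not match."""
    key = (record.get("EventID"), record.get("SourceName"))
    pattern = PATTERNS.get(key)
    if pattern is None:
        return None
    m = pattern.match(record.get("Message", ""))
    return m.groupdict() if m else None


# Records shaped like the to_json() output; only the fields used here are kept.
SAMPLES = [
    # From the Example 2 output on this page.
    {"EventID": 17137, "SourceName": "MSSQL$WINCC",
     "Message": "Starting up database 'CC_PAS_PQS__21_01_06_01_20_07'."},
    # Constructed: the option and database names are made up.
    {"EventID": 5084, "SourceName": "MSSQL$WINCC",
     "Message": "Setting database option RECOVERY to SIMPLE for database 'ExampleDb'."},
    # Constructed: same Event ID as the NTP row, but from an unrelated provider.
    {"EventID": 3, "SourceName": "ConstructedOtherApp", "Message": "unrelated event"},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec["EventID"], rec["SourceName"], "->", classify(rec))
```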

File-based logs

This table lists the various types of file-based logs that SICAM SCC generates.

Table 3. List of file-based logs
Log name | File ext. | Location | Details
Dynamic Alarm Filter Configuration trace log | .log | C:\ProgramData\Siemens Energy\SICAM SCC\Trace\DAFConfig.log | Dynamic Alarm Filter Configuration trace logs. These logs are created by the Dynamic Alarm Filter function, which is operated via the SICAM Dynamic Alarm Filter Configurator
SICAM Communication Connection trace log | .log | C:\ProgramData\Siemens Energy\SICAM SCC\Trace\PASChannel_System.log; C:\ProgramData\Siemens Energy\SICAM SCC\Trace\IECChannel_System.log; C:\ProgramData\Siemens Energy\SICAM SCC\Trace\SNMPChannel_System.log | The SICAM PAS Protocol Suite, SICAM IEC Communication Suite, and SICAM SNMP Suite configuration logs
SICAM SCC Add-in trace log | .log | C:\ProgramData\Siemens Energy\SICAM SCC\Trace\SicamAddin.log | The WinCC Graphics Designer Add-in log for SICAM PAS. This add-in enables graphic object parameterization
SICAM SCC Runtime Data Server trace log | .log | C:\ProgramData\Siemens Energy\SICAM SCC\Trace\SICAMRTDataServer.log; C:\ProgramData\Siemens Energy\SICAM SCC\Trace\SICAMRTDS_DAF_PlugIn.log | The SICAM SCC Runtime Data Server component processes all process data of the SICAM SCC project
SICAM Import/Export Wizard trace log | .log | C:\ProgramData\Siemens Energy\SICAM SCC\Trace\SICAMTeaxWizard.log | The SICAM Import / Export Wizard allows importing TEA-X export files from SICAM PAS / PQS or SITIPE
Other SICAM SCC trace log | .log | C:\ProgramData\Siemens Energy\SICAM SCC\Trace\SCD2SXD.log; C:\ProgramData\Siemens Energy\SICAM SCC\Trace\SXD2TEAX.log | -
SICAM Global Wizard log; SICAM PAS Wizard log; SICAM IEC Wizard log | .txt | <SICAM_SCC_project_folder>\GWLog.txt | The SICAM Global Wizard, SICAM PAS Wizard and SICAM IEC Wizard messages are recorded and overwritten in the GWLog.txt file of the project folder
SICAM Import/Export Wizard log | .log | <SICAM_SCC_project_folder>\TeaxWizard.log | Project-related Import\Export Wizard log
Report log | .txt | C:\ProgramData\Siemens\Energy\Report.txt | Any warnings or error messages displayed in the Report window

The following sections show how to process individual files from the table above. NXLog Agent can also be configured to process all file-based logs using a universal configuration.

Trace logs

SICAM SCC trace logs can be found in several files located in the C:\ProgramData\Siemens Energy\SICAM SCC\Trace folder, such as:

  • DAFConfig.log

  • SicamAddin.log

  • SICAMRTDataServer.log

  • SICAMRTDS_DAF_PlugIn.log

  • SICAMTeaxWizard.log

  • SCD2SXD.log

  • SXD2TEAX.log

Event entries from these files can be processed using a single NXLog Agent configuration.

Processing of the Communication Connection trace log is explained in a separate example.

Each log entry of this type consists of the following fields:

  • Date

  • Time

  • Type

  • Message

Example 3. Processing Dynamic Alarm Filter Configuration trace log

Messages in the SicamAddin.log file are either in a single-line or a multiline form.

Single-line event sample
Date       Time     | Type       | Message
-----------------------------------------------------
24.02.2021 03:56:31 | Info       | Picture 'NewPdl0.Pdl' opened
Multiline event sample
Date       Time     | Type       | Message
-----------------------------------------------------
05.01.2021 05:30:34 | Error      | System.IO.DirectoryNotFoundException: Could not find a part of the path 'C:\Users\Administrator\Documents\PAS_PQS_Test\SICAMTopology\ProjectIsNotConsistant.chg'.
   at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
   at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
   at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize)
   at System.IO.File.Create(String path)
   at SICAM.PASCC.Addin.Connect.SwitchToolbarIconCreateProject(Boolean bBuildIsOk)
   at SICAM.PASCC.Addin.Connect.CheckProjectIswithTopo()
   at SICAM.PASCC.Addin.Connect.ToggleTopologyOnOff()

In this example, the SicamAddin.log file contains multiline events. This configuration uses the im_file module to collect file-based logs and the xm_multiline module to read multiline log records. To parse log records, the configuration compares each record to the TRACE_REGEX regular expression. If a match occurs, new fields are created based on the named capturing groups. The strptime() function is called to convert the captured timestamp to a datetime value that it assigns to the $EventTime field.

The log record is then converted to JSON using the to_json() procedure from the xm_json module. The drop procedure discards records that do not match the TRACE_REGEX regular expression.

nxlog.conf
# Regular expression for reading log file contents
define TRACE_REGEX      /(?x)^(\d+.\d+.\d+.)(\d+.\d+.\d+)\s+.\s+\
                        (?<Type>\w+)\s+.\s+(?<Message>(?:.*\s{3,})\
                        ?(?:.*\s{3,})?(?:.*\s{3,})?(?:.*\s{3,})\
                        ?(?:.*\s{3,})?(?:.*\s{3,})?(?:.*\s{3,})\
                        ?(?:.*\s{3,})?.*)$/

# Path to the folder containing log file
define TRACE_PATH       C:\ProgramData\Siemens Energy\SICAM SCC\Trace

<Extension json>
    Module        xm_json
</Extension>

<Extension multiline>
    Module        xm_multiline
    HeaderLine    /^\d+.\d+.\d+.\d+.\d+.\d+/
</Extension>

<Input from_file>
    Module        im_file
    File          '%TRACE_PATH%\SicamAddin.log'
    InputType     multiline
    <Exec>
        # Matching events against the regular expression
        if $raw_event =~ %TRACE_REGEX%
        {
            # Creating the timestamp
            $EventTime = strptime($1 + $2, "%d.%m.%Y %T");
            # Converting to JSON
            to_json();
        }
        # Discarding unparsed messages
        else drop();
        # Replacing unwanted spaces
        $raw_event =~ s/\s{2,}/ /g;
    </Exec>
</Input>
Single-line event output sample in JSON
{
  "EventReceivedTime": "2021-02-26T11:27:20.828635+02:00",
  "SourceModuleName": "from_file",
  "SourceModuleType": "im_file",
  "Message": "Picture 'NewPdl0.Pdl' opened",
  "Type": "Info",
  "EventTime": "2021-02-24T03:56:31.000000+02:00"
}
Multiline event output sample in JSON
{
  "EventReceivedTime": "2021-02-26T12:59:35.638543+02:00",
  "SourceModuleName": "from_file",
  "SourceModuleType": "im_file",
  "Message": "System.IO.DirectoryNotFoundException: Could not find a part of the path 'C:\\Users\\Administrator\\Documents\\PAS_PQS_Test\\SICAMTopology\\ProjectIsNotConsistant.chg'. at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath) at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost) at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize) at System.IO.File.Create(String path) at SICAM.PASCC.Addin.Connect.SwitchToolbarIconCreateProject(Boolean bBuildIsOk) at SICAM.PASCC.Addin.Connect.CheckProjectIswithTopo() at SICAM.PASCC.Addin.Connect.ToggleTopologyOnOff()",
  "Type": "Error",
  "EventTime": "2021-01-05T05:30:34.000000+02:00"
}

SICAM Communication Connection trace log

The SICAM Communication Connection trace log is spread across several files in the C:\ProgramData\Siemens Energy\SICAM SCC\Trace folder:

  • PASChannel_System.log

  • IECChannel_System.log

  • SNMPChannel_System.log

Each log entry of this type consists of the following fields:

  • Date

  • Time

  • Type

  • TID

  • ValueID

  • Way

  • Message

Example 4. Processing Communication Connection trace log
Event sample
SCC Trace File
Date      	Time        	Type	TID	ValueID		Way	Message
25.02.2021	22:26:48.108	Error	6932	0		-	Prio-High-Queue not empty since 13172 ms - actual size: 3!

The im_file input module instance reads the log records from a file. To parse log records, the configuration compares each record to the TRACECC_REGEX regular expression. If a match occurs, new fields are created based on the named capturing groups. The strptime() function is called to convert the captured timestamp to a datetime value that it assigns to the $EventTime field.

The log record is then converted to JSON using the to_json() procedure from the xm_json module. The drop procedure discards records that do not match the TRACECC_REGEX regular expression.

nxlog.conf
# Regular expression for reading the file contents
define TRACECC_REGEX    /(?x)^(\d+.\d+.\d+)\s+(\d+.\d+.\d+.\d+)\s+(?<Type>\w+)\
                        \s+(?<TID>\d+)\s+(?<ValueID>\d+)\s+(?<Way>.*?)\
                        \s+(?<Message>.*)/

# Path to the folder with log files
define TRACECC_PATH     C:\ProgramData\Siemens Energy\SICAM SCC\Trace

<Extension json>
    Module    xm_json
</Extension>

<Input from_file>
    Module    im_file
    File      '%TRACECC_PATH%\PASChannel_System.log'
    <Exec>
        # Matching messages against the regular expression
        if $raw_event =~ %TRACECC_REGEX%
        {
            # Creates the timestamp
            $EventTime = strptime($1 + $2, "%d.%m.%Y %T");
            # Formats the result as JSON
            to_json();
        }
        # Discarding non-matched messages
        else drop();
    </Exec>
</Input>
Output sample in JSON
{
  "EventReceivedTime": "2021-02-26T14:40:35.883374+02:00",
  "SourceModuleName": "from_file",
  "SourceModuleType": "im_file",
  "Message": "Prio-High-Queue not empty since 13172 ms - actual size: 3!",
  "TID": "6932",
  "Type": "Error",
  "ValueID": "0",
  "Way": "-",
  "EventTime": "2021-02-25T22:26:48.000000+02:00"
}

Wizard logs

Log data of the SICAM Global Wizard, SICAM PAS Wizard, SICAM IEC Wizard, and the SICAM Export/Import Wizard is accumulated in the GWLog.txt and TeaxWizard.log files of the SICAM SCC project folder.

Each log entry of this type consists of the following fields:

  • Timestamp

  • Event Type

  • Process

  • Message

This example demonstrates how to configure NXLog Agent to process log data related to SICAM SCC wizards.

Example 5. Processing wizard log

A header precedes each group of messages.

Header message sample
-----------------------------------------
[Begin: Read data. ]	02.27.21 15:53:28
-----------------------------------------
Event message sample
02.27.21 15:53:28	Info	Reading data; OK: Read old SICAMCSDataStore file

To parse event entries, this configuration defines the WIZHEADER_REGEX and WIZ_REGEX regular expressions.

The im_file input module instance reads the log records from a file. The Exec block compares each event entry to the regular expressions. In case of a match, new fields are created according to the named capturing groups. Date and time values are concatenated and converted to datetime using the strptime() function. The returned value is then assigned to the $EventTime field.

The log record is then converted to JSON using the to_json() procedure from the xm_json module. In case a message does not match either expression, the drop() procedure discards it.

nxlog.conf
# Regular expressions for reading log messages and message headers
define WIZHEADER_REGEX  /(?x)^\[(?<Message>.*?)\]\s+(\d+.\d+.\d+.)\
                        (\d+.\d+.\d+)/
define WIZ_REGEX        /(?x)^(\d+.\d+.\d+.)(\d+.\d+.\d+)\s+\
                        (?<Type>\w+)\s+(?<Process>.*?)\;(?<Message>.*)/

# Path to the folder with log files
define WIZ_PATH         C:\Users\Administrator\Documents\PAS_PQS_SCC

<Extension json>
    Module    xm_json
</Extension>

<Input from_file>
    Module    im_file
    File      '%WIZ_PATH%\GWLog.txt'
    <Exec>
        # Matches the event with the regular expression
        if $raw_event =~ %WIZHEADER_REGEX%
        {
            # Creates the timestamp
            $EventTime = strptime($2 + $3, "%m.%d.%y %T");
            # Formats the result as JSON
            to_json();
        }
        # Matches the event with the regular expression
        else if $raw_event =~ %WIZ_REGEX%
        {
            # Creates the timestamp
            $EventTime = strptime($1 + $2, "%m.%d.%y %T");
            # Formats the result as JSON
            to_json();
        }
        # Discards the event if it matches neither regular expression
        else drop();
    </Exec>
</Input>
Output header sample in JSON
{
  "EventReceivedTime": "2021-02-28T22:32:51.583736+02:00",
  "SourceModuleName": "from_file",
  "SourceModuleType": "im_file",
  "Message": "Begin: Read data. ",
  "EventTime": "2021-02-27T15:53:28.000000+02:00"
}
Output sample in JSON
{
  "EventReceivedTime": "2021-02-28T22:44:08.642436+02:00",
  "SourceModuleName": "from_file",
  "SourceModuleType": "im_file",
  "Message": "OK: Read old SICAMCSDataStore file",
  "Process": "Reading data",
  "Type": "Info",
  "EventTime": "2021-02-27T15:53:28.000000+02:00"
}

Report log

The Report log combines any warnings, errors, or processing messages of SICAM SCC components and contains the following data fields:

  • Timestamp

  • Event type

  • Event message

Example 6. Processing Report log
Event sample
Report
======

Overview
--------
1/6/2021   1:18:22 AM   Info:	Begin: SICAM PAS Wizard

The im_file input module instance reads the log records from a file. To parse log records, the configuration compares each record to the RPT_REGEX regular expression. If a match occurs, new fields are created based on the named capturing groups. The parsedate() function is called to convert the captured timestamp to a datetime value that it assigns to the $EventTime field.

The log record is then converted to JSON using the to_json() procedure from the xm_json module. The drop procedure discards records that do not match the RPT_REGEX regular expression.

nxlog.conf
# Regular expression for reading log file contents
define RPT_REGEX        /(?x)^(\d+.\d+.\d+.)\s+(\d+.\d+.\d+.\w+)\
                        \s+(?<EventType>\w+).\s+(?<Message>.*)/

# Path to the folder with log files
define RPT_PATH         C:\ProgramData\Siemens\Energy

<Extension json>
    Module    xm_json
</Extension>

<Input from_file>
    Module    im_file
    File      '%RPT_PATH%\Report.txt'

    <Exec>
        # Matches the event with the regular expression
        if $raw_event =~ %RPT_REGEX%
        {
            # Creates the timestamp
            $EventTime = parsedate($1 + $2);
            # Formats the result as JSON
            to_json();
        }
        # Discards the event if it does not match the regular expression
        else drop();
    </Exec>
</Input>
Output sample in JSON
{
  "EventReceivedTime": "2021-01-07T10:47:48.707530+02:00",
  "SourceModuleName": "from_file",
  "SourceModuleType": "im_file",
  "EventType": "Info",
  "Message": "Begin: SICAM PAS Wizard",
  "EventTime": "2021-01-06T01:18:22.000000+02:00"
}

Universal configuration file

For convenience, the various configuration components discussed above are combined and provided in a single configuration file below.

nxlog.conf
# --------------------- REGULAR EXPRESSIONS FOR PARSING DATA -------------------

define TRACE_REGEX      /(?x)^(\d+.\d+.\d+.)(\d+.\d+.\d+)\s+.\s+\
                        (?<Type>\w+)\s+.\s+(?<Message>(?:.*\s{3,})\
                        ?(?:.*\s{3,})?(?:.*\s{3,})?(?:.*\s{3,})\
                        ?(?:.*\s{3,})?(?:.*\s{3,})?(?:.*\s{3,})\
                        ?(?:.*\s{3,})?.*)$/

define TRACECC_REGEX    /(?x)^(\d+.\d+.\d+)\s+(\d+.\d+.\d+.\d+)\s+(?<Type>\w+)\
                        \s+(?<TID>\d+)\s+(?<ValueID>\d+)\s+(?<Way>.*?)\
                        \s+(?<Message>.*)/

define WIZHEADER_REGEX  /(?x)^\[(?<Message>.*?)\]\s+(\d+.\d+.\d+.)\
                        (\d+.\d+.\d+)/

define WIZ_REGEX        /(?x)^(\d+.\d+.\d+.)(\d+.\d+.\d+)\s+\
                        (?<Type>\w+)\s+(?<Process>.*?)\;(?<Message>.*)/

define RPT_REGEX        /(?x)^(\d+.\d+.\d+.)\s+(\d+.\d+.\d+.\w+)\
                        \s+(?<EventType>\w+).\s+(?<Message>.*)/

# --------------------- PATHS TO LOG FILES -------------------------------------

define TRACE_PATH       C:\ProgramData\Siemens Energy\SICAM SCC\Trace

define WIZ_PATH         C:\Users\Administrator\Documents\PAS_PQS_SCC

define RPT_PATH         C:\ProgramData\Siemens\Energy

# --------------------- EXTENSION MODULES --------------------------------------

<Extension json>
    Module              xm_json
</Extension>

<Extension multiline>
    Module              xm_multiline
    HeaderLine          /^\d+.\d+.\d+.\d+.\d+.\d+/
</Extension>

# --------------------- INPUT MODULES ------------------------------------------

# To read multiple trace log files, copy the module below and specify the
# following files in the File directive:
#
# * DAFConfig.log
# * SicamAddin.log
# * SICAMRTDataServer.log
# * SICAMRTDS_DAF_PlugIn.log
# * SICAMTeaxWizard.log
# * SCD2SXD.log
# * SXD2TEAX.log

<Input from_trace>
    Module        im_file
    File          '%TRACE_PATH%\SicamAddin.log'
    InputType     multiline
    <Exec>
        # Matching events against the regular expression
        if $raw_event =~ %TRACE_REGEX%
        {
            # Creating the timestamp
            $EventTime = strptime($1 + $2, "%d.%m.%Y %T");
            # Converting to JSON
            to_json();
        }
        # Discarding unparsed messages
        else drop();
        # Replacing unwanted spaces
        $raw_event =~ s/\s{2,}/ /g;
    </Exec>
</Input>

# To read multiple communication connection files, copy the module below and
# specify the following files in the File directive:
#
# * PASChannel_System.log
# * IECChannel_System.log
# * SNMPChannel_System.log

<Input from_tracecc>
    Module        im_file
    File          '%TRACE_PATH%\PASChannel_System.log'
    <Exec>
        # Matching events against the regular expression
        if $raw_event =~ %TRACECC_REGEX%
        {
            # Creating the timestamp
            $EventTime = strptime($1 + $2, "%d.%m.%Y %T");
            # Converting to JSON
            to_json();
        }
        # Discarding unparsed messages
        else drop();
    </Exec>
</Input>

# To read multiple project log files, copy the module below and specify the
# following files in the File directive:
#
# * GWLog.txt
# * TeaxWizard.log

<Input from_wizard>
    Module        im_file
    File          '%WIZ_PATH%\GWLog.txt'
    <Exec>
        # Matching events against the regular expression
        if $raw_event =~ %WIZHEADER_REGEX%
        {
            # Creating the timestamp
            $EventTime = strptime($2 + $3, "%m.%d.%y %T");
            # Converting to JSON
            to_json();
        }
        # Matching events against the regular expression
        else if $raw_event =~ %WIZ_REGEX%
        {
            # Creating the timestamp
            $EventTime = strptime($1 + $2, "%m.%d.%y %T");
            # Converting to JSON
            to_json();
        }
        # Discarding unparsed messages
        else drop();
    </Exec>
</Input>

<Input from_report>
    Module        im_file
    File          '%RPT_PATH%\Report.txt'

    <Exec>
        # Matching events against the regular expression
        if $raw_event =~ %RPT_REGEX%
        {
            # Creating the timestamp
            $EventTime = parsedate($1 + $2);
            # Converting to JSON
            to_json();
        }
        # Discarding unparsed messages
        else drop();
    </Exec>
</Input>

# --------------------- OUTPUT MODULE ------------------------------------------

<Output to_file>
    Module        om_file
    File          'C:\output.txt'
</Output>

# --------------------- ROUTE -------------------------------------------------

<Route r1>
    Path          from_trace, from_tracecc, from_wizard, from_report => to_file
</Route>

Network monitoring

This section describes how to monitor network traffic of the following industrial protocols which SICAM SCC uses: Modbus TCP/IP, BACnet, DNP3, and IEC 60870-5-104.

Each transaction over the network consists of a client request followed by a server response/acknowledgment, which is demonstrated in these sections.

Modbus TCP/IP

SICAM SCC stations communicate with Modbus-capable devices over Ethernet through the "Modbus TCP/IP" channel, using the Modbus TCP/IP protocol. NXLog Agent can monitor this traffic, as the following example demonstrates.

Example 7. Capturing SCADA Modbus packets

This configuration uses the im_pcap module to capture Modbus traffic. The Dev directive specifies the network device or interface to capture packets on. The Protocol group directive specifies modbus as the protocol. The Exec block converts the captured messages to JSON using the to_json() procedure.

nxlog.conf
<Extension _json>
    Module      xm_json
</Extension>

<Input pcap>
    Module      im_pcap
    # Name of a network device/interface
    Dev         \Device\NPF_{159289BE-CE80-47DB-A659-2F8BF277C9C6}
    <Protocol>
        # Protocol type
        Type    modbus
    </Protocol>
    # Converting to JSON
    Exec        to_json();
</Input>
Modbus TCP query sample
{
  "modbus.function_code": "Read Holding Registers (03)",
  "modbus.length": "6",
  "modbus.prot_id": "0",
  "modbus.query.read_holding_regs.qty_of_regs": "3",
  "modbus.query.read_holding_regs.starting_address": "20",
  "modbus.trans_id": "3748",
  "modbus.unit_id": "1",
  "EventTime": "2021-07-28T12:52:10.113986+03:00",
  "EventReceivedTime": "2021-07-28T12:52:11.122391+03:00",
  "SourceModuleName": "pcap",
  "SourceModuleType": "im_pcap"
}
Modbus TCP response sample
{
  "modbus.function_code": "Read Holding Registers (03)",
  "modbus.length": "9",
  "modbus.prot_id": "0",
  "modbus.response.read_holding_regs.byte_count": "6",
  "modbus.response.read_holding_regs.registers": "20977, 15277, 13109",
  "modbus.trans_id": "3748",
  "modbus.unit_id": "1",
  "EventTime": "2021-07-28T12:52:10.114694+03:00",
  "EventReceivedTime": "2021-07-28T12:52:11.122391+03:00",
  "SourceModuleName": "pcap",
  "SourceModuleType": "im_pcap"
}
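The request/response pairing shown in the two samples above can be checked automatically. The following Python sketch is an added example, not part of the NXLog documentation: it pairs records by modbus.unit_id and modbus.trans_id and verifies that a Read Holding Registers response returns two bytes per requested register. It assumes the output file holds one JSON object per line; the function names and the third sample record are constructed.

```python
import json

# Constructed input: the page's query and response (trimmed to the fields used
# here) plus one constructed query, trans_id 3749, that is never answered.
SAMPLE = """\
{"modbus.function_code": "Read Holding Registers (03)", "modbus.query.read_holding_regs.qty_of_regs": "3", "modbus.query.read_holding_regs.starting_address": "20", "modbus.trans_id": "3748", "modbus.unit_id": "1"}
{"modbus.function_code": "Read Holding Registers (03)", "modbus.response.read_holding_regs.byte_count": "6", "modbus.response.read_holding_regs.registers": "20977, 15277, 13109", "modbus.trans_id": "3748", "modbus.unit_id": "1"}
{"modbus.function_code": "Read Holding Registers (03)", "modbus.query.read_holding_regs.qty_of_regs": "2", "modbus.query.read_holding_regs.starting_address": "40", "modbus.trans_id": "3749", "modbus.unit_id": "1"}
"""

QTY = "modbus.query.read_holding_regs.qty_of_regs"
BYTES = "modbus.response.read_holding_regs.byte_count"


def direction(rec):
    """Classify a record by its field-name prefix, as seen in the samples."""
    if any(k.startswith("modbus.query.") for k in rec):
        return "query"
    if any(k.startswith("modbus.response.") for k in rec):
        return "response"
    return "other"


def audit(lines):
    """Pair queries with responses; return a list of (finding, trans_id)."""
    # The samples carry no IP addresses, so the key is (unit_id, trans_id).
    pending = {}
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            findings.append(("unparsable_line", None))
            continue
        key = (rec.get("modbus.unit_id"), rec.get("modbus.trans_id"))
        kind = direction(rec)
        if kind == "query":
            pending[key] = rec
        elif kind == "response":
            query = pending.pop(key, None)
            if query is None:
                findings.append(("response_without_query", key[1]))
                continue
            if query.get("modbus.function_code") != rec.get("modbus.function_code"):
                findings.append(("function_code_mismatch", key[1]))
            qty, count = query.get(QTY), rec.get(BYTES)
            # Holding registers are 16 bits wide: two bytes per register.
            if qty is not None and count is not None and int(count) != 2 * int(qty):
                findings.append(("byte_count_mismatch", key[1]))
    findings.extend(("query_without_response", tid) for (_, tid) in pending)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE.splitlines()):
        print(finding)
```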

BACnet

Building Automation and Control Network (BACnet) is a communication protocol designed for building automation and control systems. NXLog Agent can be configured to capture BACnet packets.

Example 8. Capturing SCADA BACnet packets

This configuration uses the im_pcap module to capture BACnet packets. The Dev directive specifies the network device or interface to capture packets on, and the Protocol group directive specifies the bacnet protocol. All captured packets are converted to JSON using the to_json() procedure.

nxlog.conf
<Extension _json>
    Module      xm_json
</Extension>

<Input pcap>
    Module      im_pcap
    # Name of a network device/interface
    Dev         \Device\NPF_{159289BE-CE80-47DB-A659-2F8BF277C9C6}
    # Protocol type
    <Protocol>
        Type    bacnet
    </Protocol>
    # Converting to JSON
    Exec        to_json();
</Input>
BACnet confirmed request sample
{
  "bacnet.apdu.bacnet_confirmed_request.invoke_id": "76",
  "bacnet.apdu.bacnet_confirmed_request.max_resp": "1476",
  "bacnet.apdu.bacnet_confirmed_request.max_segs": "Unspecified",
  "bacnet.apdu.bacnet_confirmed_request.more_segments_follow": "false",
  "bacnet.apdu.bacnet_confirmed_request.segmented": "false",
  "bacnet.apdu.bacnet_confirmed_request.segmented_accepted": "true",
  "bacnet.apdu.bacnet_confirmed_request.service_choice": "Read Property Multiple (14)",
  "bacnet.apdu.bacnet_confirmed_request.service_request.records.0.object_identifier.instance_number": "2",
  "bacnet.apdu.bacnet_confirmed_request.service_request.records.0.object_identifier.type": "binary-value (5)",
  "bacnet.apdu.bacnet_confirmed_request.service_request.records.1": "Opening Tag (1)",
  "bacnet.apdu.bacnet_confirmed_request.service_request.records.2.0.property_identifier": "change-of-state-count (15)",
  "bacnet.apdu.bacnet_confirmed_request.service_request.records.3": "Closing Tag (1)",
  "bacnet.apdu.bacnet_confirmed_request.service_request.records.4.object_identifier.instance_number": "2",
  "bacnet.apdu.bacnet_confirmed_request.service_request.records.4.object_identifier.type": "binary-input (3)",
  "bacnet.apdu.bacnet_confirmed_request.service_request.records.5": "Opening Tag (1)",
  "bacnet.apdu.bacnet_confirmed_request.service_request.records.6.0.property_identifier": "change-of-state-count (15)",
  "bacnet.apdu.bacnet_confirmed_request.service_request.records.7": "Closing Tag (1)",
  "bacnet.apdu.pdu_type": "BACnet-Confirmed-Request-PDU (0x00)",
  "bacnet.bvlc.function": "Original-Unicast-NPDU (0x0A)",
  "bacnet.bvlc.length": "38",
  "bacnet.bvlc.type": "BACnet/IP (Annex J) (0x81)",
  "bacnet.npdu.control": "0x0024",
  "bacnet.npdu.control.contains": "BACnet APDU message (0)",
  "bacnet.npdu.control.dst_spec": "DNET, DLEN, Hop Count present (1)",
  "bacnet.npdu.control.prio": "Normal message",
  "bacnet.npdu.control.reply_expected": "Yes (1)",
  "bacnet.npdu.control.src_spec": "SNET, SLEN, SADR absent (0)",
  "bacnet.npdu.version": "0x0001",
  "EventTime": "2021-07-30T10:46:15.958079+03:00",
  "EventReceivedTime": "2021-07-30T10:46:16.403228+03:00",
  "SourceModuleName": "pcap",
  "SourceModuleType": "im_pcap"
}
BACnet complex acknowledgement sample
{
  "bacnet.apdu.bacnet_complexack.more_segments_follow": "false",
  "bacnet.apdu.bacnet_complexack.original_invoke_id": "76",
  "bacnet.apdu.bacnet_complexack.segmented": "false",
  "bacnet.apdu.bacnet_complexack.service_ack.records.0.0.0.object_identifier.instance_number": "2",
  "bacnet.apdu.bacnet_complexack.service_ack.records.0.0.0.object_identifier.type": "binary-value (5)",
  "bacnet.apdu.bacnet_complexack.service_ack.records.0.0.1": "Opening Tag (1)",
  "bacnet.apdu.bacnet_complexack.service_ack.records.0.0.2.property_identifier": "change-of-state-count (15)",
  "bacnet.apdu.bacnet_complexack.service_ack.records.0.0.3.records.0": "Opening Tag (4)",
  "bacnet.apdu.bacnet_complexack.service_ack.records.0.0.3.records.1": "943",
  "bacnet.apdu.bacnet_complexack.service_ack.records.0.0.3.records.2": "Closing Tag (4)",
  "bacnet.apdu.bacnet_complexack.service_ack.records.0.0.4": "Closing Tag (1)",
  "bacnet.apdu.bacnet_complexack.service_ack.records.0.1.0.object_identifier.instance_number": "2",
  "bacnet.apdu.bacnet_complexack.service_ack.records.0.1.0.object_identifier.type": "binary-input (3)",
  "bacnet.apdu.bacnet_complexack.service_ack.records.0.1.1": "Opening Tag (1)",
  "bacnet.apdu.bacnet_complexack.service_ack.records.0.1.2.property_identifier": "change-of-state-count (15)",
  "bacnet.apdu.bacnet_complexack.service_ack.records.0.1.3.records.0": "Opening Tag (4)",
  "bacnet.apdu.bacnet_complexack.service_ack.records.0.1.3.records.1": "944",
  "bacnet.apdu.bacnet_complexack.service_ack.records.0.1.3.records.2": "Closing Tag (4)",
  "bacnet.apdu.bacnet_complexack.service_ack.records.0.1.4": "Closing Tag (1)",
  "bacnet.apdu.bacnet_complexack.service_choice": "Read Property Multiple (14)",
  "bacnet.apdu.pdu_type": "BACnet-Complex-ACK-PDU (0x03)",
  "bacnet.bvlc.function": "Original-Unicast-NPDU (0x0A)",
  "bacnet.bvlc.length": "46",
  "bacnet.bvlc.type": "BACnet/IP (Annex J) (0x81)",
  "bacnet.npdu.control": "0x0008",
  "bacnet.npdu.control.contains": "BACnet APDU message (0)",
  "bacnet.npdu.control.dst_spec": "DNET, DLEN, DADR, Hop Count absent (0)",
  "bacnet.npdu.control.prio": "Normal message",
  "bacnet.npdu.control.reply_expected": "No (0)",
  "bacnet.npdu.control.src_spec": "SNET, SLEN, SADR present (1)",
  "bacnet.npdu.version": "0x0001",
  "EventTime": "2021-07-30T10:46:16.073088+03:00",
  "EventReceivedTime": "2021-07-30T10:46:16.403228+03:00",
  "SourceModuleName": "pcap",
  "SourceModuleType": "im_pcap"
}
BACnet unconfirmed request sample
{
  "bacnet.apdu.bacnet_unconfirmed_request.service_choice": "Unconfirmed COV Notification (2)",
  "bacnet.apdu.bacnet_unconfirmed_request.service_choice.records.0.subscriber_process_id": "20236304",
  "bacnet.apdu.bacnet_unconfirmed_request.service_choice.records.1.initiating_device_identifier.instance_number": "1",
  "bacnet.apdu.bacnet_unconfirmed_request.service_choice.records.1.initiating_device_identifier.object_id": "device (8)",
  "bacnet.apdu.bacnet_unconfirmed_request.service_choice.records.2.monitored_device_identifier.instance_number": "1",
  "bacnet.apdu.bacnet_unconfirmed_request.service_choice.records.2.monitored_device_identifier.object_id": "analog-input (0)",
  "bacnet.apdu.bacnet_unconfirmed_request.service_choice.records.3.time_remaining": "2333",
  "bacnet.apdu.bacnet_unconfirmed_request.service_choice.records.4": "Opening Tag (4)",
  "bacnet.apdu.bacnet_unconfirmed_request.service_choice.records.5.0.property_identifier": "present-value (85)",
  "bacnet.apdu.bacnet_unconfirmed_request.service_choice.records.5.0.property_value.records.0": "Opening Tag (2)",
  "bacnet.apdu.bacnet_unconfirmed_request.service_choice.records.5.0.property_value.records.1": "-248000.000000",
  "bacnet.apdu.bacnet_unconfirmed_request.service_choice.records.5.0.property_value.records.2": "Closing Tag (2)",
  "bacnet.apdu.bacnet_unconfirmed_request.service_choice.records.5.1.property_identifier": "status-flags (111)",
  "bacnet.apdu.bacnet_unconfirmed_request.service_choice.records.5.1.property_value.records.0": "Opening Tag (2)",
  "bacnet.apdu.bacnet_unconfirmed_request.service_choice.records.5.1.property_value.records.1": "in-alarm (0): false, fault (1): false, overriden (2): false, out-of-service (3): false",
  "bacnet.apdu.bacnet_unconfirmed_request.service_choice.records.5.1.property_value.records.2": "Closing Tag (2)",
  "bacnet.apdu.bacnet_unconfirmed_request.service_choice.records.6": "Closing Tag (4)",
  "bacnet.apdu.pdu_type": "BACnet-Unconfirmed-Request-PDU (0x01)",
  "bacnet.bvlc.function": "Original-Unicast-NPDU (0x0A)",
  "bacnet.bvlc.length": "44",
  "bacnet.bvlc.type": "BACnet/IP (Annex J) (0x81)",
  "bacnet.npdu.control": "0x0000",
  "bacnet.npdu.control.contains": "BACnet APDU message (0)",
  "bacnet.npdu.control.dst_spec": "DNET, DLEN, DADR, Hop Count absent (0)",
  "bacnet.npdu.control.prio": "Normal message",
  "bacnet.npdu.control.reply_expected": "No (0)",
  "bacnet.npdu.control.src_spec": "SNET, SLEN, SADR absent (0)",
  "bacnet.npdu.version": "0x0001",
  "EventTime": "2021-07-30T10:46:16.092627+03:00",
  "EventReceivedTime": "2021-07-30T10:46:16.404213+03:00",
  "SourceModuleName": "pcap",
  "SourceModuleType": "im_pcap"
}

DNP3

DNP3 is a protocol which enables transmission of process data via serial or IP-based networks and is mainly used in the water and energy distribution industries. Communication of DNP3 devices with SICAM SCC takes place via the OPC channel.

Example 9. Capturing SCADA DNP3 packets

The NXLog Agent configuration below uses the im_pcap module to capture network packets. The Dev directive denotes the network device or interface to capture data on, and the Protocol group directive specifies dnp3 as the protocol. All captured packets are converted to JSON using the to_json() procedure of the xm_json module.

nxlog.conf
<Extension _json>
    Module      xm_json
</Extension>

<Input pcap>
    Module      im_pcap
    # Name of a network device/interface
    Dev         \Device\NPF_{159289BE-CE80-47DB-A659-2F8BF277C9C6}
    <Protocol>
        # Protocol type
        Type    dnp3
    </Protocol>
    # Converting to JSON
    Exec        to_json();
</Input>
DNP3 request sample
{
  "dnp3.application_layer.control.con": "0",
  "dnp3.application_layer.control.fin": "1",
  "dnp3.application_layer.control.fir": "1",
  "dnp3.application_layer.control.sequence": "7",
  "dnp3.application_layer.control.uns": "0",
  "dnp3.application_layer.function_code": "Read",
  "dnp3.application_layer.object0.count": "0",
  "dnp3.application_layer.object0.group": "60",
  "dnp3.application_layer.object0.name": "Class objects - Class 1 data",
  "dnp3.application_layer.object0.variation": "2",
  "dnp3.application_layer.object1.count": "0",
  "dnp3.application_layer.object1.group": "60",
  "dnp3.application_layer.object1.name": "Class objects - Class 2 data",
  "dnp3.application_layer.object1.variation": "3",
  "dnp3.application_layer.object2.count": "0",
  "dnp3.application_layer.object2.group": "60",
  "dnp3.application_layer.object2.name": "Class objects - Class 3 data",
  "dnp3.application_layer.object2.variation": "4",
  "dnp3.application_layer.object3.count": "0",
  "dnp3.application_layer.object3.group": "60",
  "dnp3.application_layer.object3.name": "Class objects - Class 0 data",
  "dnp3.application_layer.object3.variation": "1",
  "dnp3.data_layer.control": "0xC4",
  "dnp3.data_layer.control.dir": "1",
  "dnp3.data_layer.control.fcb": "0",
  "dnp3.data_layer.control.fcv": "0",
  "dnp3.data_layer.control.function_code": "Unconfirmed User Data",
  "dnp3.data_layer.control.prm": "1",
  "dnp3.data_layer.destination": "1",
  "dnp3.data_layer.length": "20",
  "dnp3.data_layer.source": "2",
  "dnp3.data_layer.start_bytes": "0x0564",
  "dnp3.transport.fin": "1",
  "dnp3.transport.fir": "1",
  "dnp3.transport.sequence": "23",
  "EventTime": "2021-07-29T18:19:06.927443+03:00",
  "EventReceivedTime": "2021-07-29T18:18:56.324409+03:00",
  "SourceModuleName": "pcap",
  "SourceModuleType": "im_pcap"
}
DNP3 response sample
{
  "dnp3.application_layer.control.con": "0",
  "dnp3.application_layer.control.fin": "1",
  "dnp3.application_layer.control.fir": "1",
  "dnp3.application_layer.control.sequence": "7",
  "dnp3.application_layer.control.uns": "0",
  "dnp3.application_layer.function_code": "Response",
  "dnp3.application_layer.internal_indications.already_executing": "0",
  "dnp3.application_layer.internal_indications.broadcast": "0",
  "dnp3.application_layer.internal_indications.class1_events": "0",
  "dnp3.application_layer.internal_indications.class2_events": "0",
  "dnp3.application_layer.internal_indications.class3_events": "0",
  "dnp3.application_layer.internal_indications.config_corrupt": "0",
  "dnp3.application_layer.internal_indications.device_restart": "0",
  "dnp3.application_layer.internal_indications.device_trouble": "0",
  "dnp3.application_layer.internal_indications.events_buffer_overflow": "0",
  "dnp3.application_layer.internal_indications.local_control": "0",
  "dnp3.application_layer.internal_indications.need_time": "0",
  "dnp3.application_layer.internal_indications.no_func_code_support": "0",
  "dnp3.application_layer.internal_indications.object_unknown": "0",
  "dnp3.application_layer.internal_indications.parameter_error": "0",
  "dnp3.application_layer.internal_indications.reserved": "0 (expected 0)",
  "dnp3.application_layer.object0.count": "1",
  "dnp3.application_layer.object0.group": "1",
  "dnp3.application_layer.object0.name": "Binary Input With Flags",
  "dnp3.application_layer.object0.point0.flags": "[ONLINE, State]",
  "dnp3.application_layer.object0.variation": "2",
  "dnp3.application_layer.object1.count": "1",
  "dnp3.application_layer.object1.group": "3",
  "dnp3.application_layer.object1.name": "Dobule Bit Binary Input With Flags",
  "dnp3.application_layer.object1.point0.flags": "[ONLINE]",
  "dnp3.application_layer.object1.point0.state": "Indeterminate",
  "dnp3.application_layer.object1.variation": "2",
  "dnp3.application_layer.object2.count": "1",
  "dnp3.application_layer.object2.group": "20",
  "dnp3.application_layer.object2.name": "Counter - 32-bit with flag",
  "dnp3.application_layer.object2.point0.count": "125478",
  "dnp3.application_layer.object2.point0.flags": "[ONLINE]",
  "dnp3.application_layer.object2.variation": "1",
  "dnp3.application_layer.object3.count": "1",
  "dnp3.application_layer.object3.group": "21",
  "dnp3.application_layer.object3.name": "Frozen counter - 32-bit with flag",
  "dnp3.application_layer.object3.point0.count": "0",
  "dnp3.application_layer.object3.point0.flags": "[ONLINE]",
  "dnp3.application_layer.object3.variation": "1",
  "dnp3.application_layer.object4.count": "3",
  "dnp3.application_layer.object4.group": "30",
  "dnp3.application_layer.object4.name": "Analog input - single-precision, floating-point with flag",
  "dnp3.application_layer.object4.point0.flags": "[ONLINE]",
  "dnp3.application_layer.object4.point0.value": "56.146999",
  "dnp3.application_layer.object4.point1.flags": "[ONLINE]",
  "dnp3.application_layer.object4.point1.value": "78.253998",
  "dnp3.application_layer.object4.point2.flags": "[ONLINE]",
  "dnp3.application_layer.object4.point2.value": "478.100006",
  "dnp3.application_layer.object4.variation": "5",
  "dnp3.data_layer.control": "0x44",
  "dnp3.data_layer.control.dir": "0",
  "dnp3.data_layer.control.fcb": "0",
  "dnp3.data_layer.control.fcv": "0",
  "dnp3.data_layer.control.function_code": "Unconfirmed User Data",
  "dnp3.data_layer.control.prm": "1",
  "dnp3.data_layer.destination": "2",
  "dnp3.data_layer.length": "62",
  "dnp3.data_layer.source": "1",
  "dnp3.data_layer.start_bytes": "0x0564",
  "dnp3.transport.fin": "1",
  "dnp3.transport.fir": "1",
  "dnp3.transport.sequence": "23",
  "EventTime": "2021-07-29T18:19:07.092230+03:00",
  "EventReceivedTime": "2021-07-29T18:18:56.325955+03:00",
  "SourceModuleName": "pcap",
  "SourceModuleType": "im_pcap"
}
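The DNP3 records above expose the function code, the internal indications (IIN) and per-point quality flags, which is enough for a first-pass triage rule. This Python sketch is an added example, not NXLog's own code: the allowlist holds only the two function codes seen in the page's samples, the set of routine IIN flags is an assumption, and the "Write" value in the second sample is a constructed placeholder rather than confirmed NXLog output.

```python
import re

IIN_PREFIX = "dnp3.application_layer.internal_indications."
POINT_FLAGS = re.compile(r"^dnp3\.application_layer\.(object\d+\.point\d+)\.flags$")

# Allowlist taken from the page's two samples; extend it with the function
# codes your own polling baseline legitimately uses.
EXPECTED_FUNCTIONS = {"Read", "Response"}
# IIN flags treated as routine during normal polling (assumption).
ROUTINE_IIN = {"class1_events", "class2_events", "class3_events"}

# The page's response sample, trimmed to the fields used here.
PAGE_RESPONSE = {
    "dnp3.application_layer.function_code": "Response",
    "dnp3.application_layer.internal_indications.device_restart": "0",
    "dnp3.application_layer.internal_indications.reserved": "0 (expected 0)",
    "dnp3.application_layer.object0.point0.flags": "[ONLINE, State]",
    "dnp3.application_layer.object1.point0.flags": "[ONLINE]",
}

# Constructed record: placeholder function code, restart flag set, point offline.
CONSTRUCTED = {
    "dnp3.application_layer.function_code": "Write",
    "dnp3.application_layer.internal_indications.class1_events": "1",
    "dnp3.application_layer.internal_indications.device_restart": "1",
    "dnp3.application_layer.object0.point0.flags": "[State]",
}


def is_set(value):
    """IIN values are strings such as "0", "1" or "0 (expected 0)"."""
    tokens = str(value).split()
    return bool(tokens) and tokens[0] != "0"


def review(rec):
    """Return the reasons a DNP3 record deserves analyst attention."""
    reasons = []
    func = rec.get("dnp3.application_layer.function_code")
    if func is not None and func not in EXPECTED_FUNCTIONS:
        reasons.append("unexpected function code: " + func)
    for key in sorted(rec):
        if key.startswith(IIN_PREFIX):
            flag = key[len(IIN_PREFIX):]
            if flag not in ROUTINE_IIN and is_set(rec[key]):
                reasons.append("IIN flag set: " + flag)
            continue
        match = POINT_FLAGS.match(key)
        if match and "ONLINE" not in str(rec[key]):
            reasons.append("point not online: " + match.group(1))
    return reasons


if __name__ == "__main__":
    for name, rec in (("page", PAGE_RESPONSE), ("constructed", CONSTRUCTED)):
        print(name, review(rec))
```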

IEC 60870-5-104

IEC 60870-5-104 is an extension of the IEC 60870-5-101 protocol combining transport, network, link, and physical layers to enable communication between control stations and substations using TCP/IP. Communication of IEC 60870-5-104 devices with SICAM SCC is carried out via SICAM IEC COMMUNICATION SUITE. NXLog Agent can be configured to monitor network traffic that uses this protocol.

Example 10. Capturing SCADA IEC 60870-5-104 packets

This configuration uses the im_pcap module. The Dev directive specifies the network device or interface to capture packets on. The Protocol group directive specifies the iec104apci and iec104asdu protocols. All captured packets are converted to JSON using the to_json() procedure.

nxlog.conf
<Extension _json>
    Module      xm_json
</Extension>

<Input pcap>
    Module      im_pcap
    # Specifies the name of a network device/interface
    Dev         \Device\NPF_{159289BE-CE80-47DB-A659-2F8BF277C9C6}
    # Specifies the protocol type
    <Protocol>
        Type    iec104apci
    </Protocol>
    <Protocol>
        Type    iec104asdu
    </Protocol>
    # Formats the result as JSON
    Exec        to_json();
</Input>
IEC 60870-5-104 supervisory sample
{
  "iec104.apci.receive_sequence_number": "2864",
  "iec104.apci.type": "Supervisory (S)",
  "EventTime": "2021-07-28T23:17:34.752799+03:00",
  "EventReceivedTime": "2021-07-28T23:17:35.217073+03:00",
  "SourceModuleName": "pcap",
  "SourceModuleType": "im_pcap"
}
IEC 60870-5-104 response sample
{
  "iec104.apci.receive_sequence_number": "1",
  "iec104.apci.send_sequence_number": "2864",
  "iec104.apci.type": "Information (I)",
  "iec104.asdu.data": {
    "io": [
      {
        "ioa": 1000,
        "ie": [
          {
            "type": "NVA",
            "value": "0.880127 (28840)"
          },
          {
            "type": "QDS",
            "invalid": false,
            "not-topical": false,
            "substituted": false,
            "blocked": false,
            "overflow": false
          },
          {
            "type": "CP56Time2A",
            "milliseconds": 34781,
            "minutes": 17,
            "hours": 13,
            "day-of-week": 0,
            "day-of-month": 28,
            "month": 7,
            "year": 21
          }
        ],
        "ies": 3
      }
    ],
    "ios": 1
  },
  "iec104.asdu.dui.cause_of_transmission": "Spontaneous (3)",
  "iec104.asdu.dui.coa": "1",
  "iec104.asdu.dui.num_records": "1",
  "iec104.asdu.dui.org": "0",
  "iec104.asdu.dui.pn": "0",
  "iec104.asdu.dui.sq": "FALSE",
  "iec104.asdu.dui.test_bit": "0",
  "iec104.asdu.dui.type": "M_ME_TD_1",
  "EventTime": "2021-07-28T23:17:34.754620+03:00",
  "EventReceivedTime": "2021-07-28T23:17:35.217073+03:00",
  "SourceModuleName": "pcap",
  "SourceModuleType": "im_pcap"
}
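The nested iec104.asdu.data structure in the I-format sample above is easier to alert on once flattened. This Python sketch is an added example, not part of the NXLog documentation: it emits one row per information object with its value, any raised QDS quality bits, and the decoded CP56Time2A time tag compared against the capture time. The function names are constructed, and mapping the two-digit year to 2000 + year is an assumption.

```python
import json
from datetime import datetime

# The I-format sample from the page, trimmed to the fields used here.
SAMPLE = json.loads("""
{
  "iec104.apci.type": "Information (I)",
  "iec104.asdu.data": {"io": [{"ioa": 1000, "ie": [
      {"type": "NVA", "value": "0.880127 (28840)"},
      {"type": "QDS", "invalid": false, "not-topical": false,
       "substituted": false, "blocked": false, "overflow": false},
      {"type": "CP56Time2A", "milliseconds": 34781, "minutes": 17, "hours": 13,
       "day-of-week": 0, "day-of-month": 28, "month": 7, "year": 21}
  ], "ies": 3}], "ios": 1},
  "iec104.asdu.dui.type": "M_ME_TD_1",
  "EventTime": "2021-07-28T23:17:34.752799+03:00"
}
""")


def decode_cp56(ie):
    """Decode a time tag; its milliseconds field also carries the seconds."""
    seconds, millis = divmod(ie["milliseconds"], 1000)
    try:
        return datetime(2000 + ie["year"], ie["month"], ie["day-of-month"],
                        ie["hours"], ie["minutes"], seconds, millis * 1000)
    except ValueError:  # out-of-range field, for example month 0
        return None


def flatten(rec):
    """Yield one dict per information object in an I-format record."""
    # Wall-clock time on the capture host, with the UTC offset dropped.
    captured = datetime.fromisoformat(rec["EventTime"]).replace(tzinfo=None)
    for obj in rec.get("iec104.asdu.data", {}).get("io", []):
        row = {"ioa": obj["ioa"], "bad_quality": [], "time_tag": None}
        for ie in obj.get("ie", []):
            if ie["type"] == "CP56Time2A":
                row["time_tag"] = decode_cp56(ie)
                if row["time_tag"] is None:
                    row["bad_quality"].append("invalid-time-tag")
            elif ie["type"] == "QDS":
                row["bad_quality"].extend(k for k, v in ie.items() if v is True)
            elif "value" in ie:
                row["value"] = ie["value"]
        if row["time_tag"] is not None:
            # The time tag carries no zone, so split its distance from the
            # capture time into whole hours and a residual clock skew.
            delta = (row["time_tag"] - captured).total_seconds()
            hours = round(delta / 3600)
            row["zone_hours"] = hours
            row["skew_seconds"] = round(delta - hours * 3600, 3)
        yield row


if __name__ == "__main__":
    for row in flatten(SAMPLE):
        print(row)
```

For the page's sample, the device time tag sits a whole ten hours behind the capture host's wall clock with a residual of 28 ms; a residual that grows over time points to clock drift on one side, which matters when building incident timelines.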
Disclaimer

While we endeavor to keep the information in our guides up to date and correct, NXLog makes no representations or warranties of any kind, express or implied about the completeness, accuracy, reliability, suitability, or availability of the content represented here. We update our screenshots and instructions on a best-effort basis.

The content was tested and confirmed to work in our lab environment at the time of the last revision with the following software versions:

NXLog Agent version 5.2.6388
SICAM SCC 9.07.03
Microsoft Windows 10

Last revision: 31 July 2021