Siemens SICAM SCC
Siemens SICAM SCC or SICAM Station Control Center is a human-machine interface (HMI) for multiple power automation systems.
Logs in Windows Event Log
NXLog Agent can read Windows Event Log entries generated by SICAM SCC based on their Event ID and event source.
This table contains the SICAM SCC services which generate Windows Event Log data along with their display name and executable path.
Service name | Display name | Path to executable |
---|---|---|
CCAgent | CCAgent | C:\Program Files (x86)\Common Files\Siemens\ACE\bin\CCAgent.EXE |
CCArchiveManagerService | CCArchiveManagerService | C:\Program Files (x86)\Common Files\Siemens\CommonArchiving\CCArchiveManager.EXE |
CCDBUtils | CCDBUtils | C:\Program Files (x86)\Common Files\Siemens\CommonArchiving\CCDBUtils.EXE |
CCEClient | CCEClient | C:\Program Files (x86)\Common Files\Siemens\ACE\bin\CCEClient_x64.exe |
CCEServer | CCEServer | C:\Program Files (x86)\Common Files\Siemens\ACE\bin\CCEServer_x64.exe |
CCOPC.XMLWrapper | CCOPC.XMLWrapper | C:\Program Files (x86)\Siemens\WinCC\opc\XMLDataAccess\bin\DA2XML.exe |
CCOpcUaImporter | CCOpcUaImporter | C:\Program Files (x86)\Siemens\WinCC\OPC\UAClient\UaConfigServer\CCOpcUaImporter.exe |
CCPerfMon | CCPerfMon | C:\Program Files (x86)\Common Files\Siemens\bin\CCPerfMon.exe |
CCRedundancyAgent-Service | CCRedundancyAgent-Service | C:\Program Files (x86)\Common Files\Siemens\CommonArchiving\CCRedundancyAgent.exe |
CCRemoteService | CCRemoteService | C:\Program Files (x86)\Common Files\Siemens\bin\CCRemoteService.exe |
CcUaDAS | CcUaDAS | C:\Program Files (x86)\Siemens\WinCC\OPC\UAClient\UaDAS\CcUaDAS.exe |
NTP | Network Time Protocol | C:\Program Files (x86)\Common Files\Siemens\Energy\NTP\ntpdssl-sag.exe -g -c + C:\Windows\sysWOW64\drivers\etc\ntp.conf |
OpcUaServerWinCC | OpcUaServerWinCC | C:\Program Files (x86)\Siemens\WinCC\OPC\UAServer\OpcUaServerWinCC.exe |
RedundancyControl | RedundancyControl | C:\Program Files (x86)\Common Files\Siemens\ace\bin\RedundancyControl.exe |
RedundancyState | RedundancyState | C:\Program Files (x86)\Common Files\Siemens\ace\bin\RedundancyState.exe |
s7oiehsx64 | S7DOS Help Service | :\Program Files\Common Files\Siemens\Automation\Simatic OAM\bin\s7oiehsx64.exe |
S7DOS SCP Remote | S7DOS SCP Remote | C:\Program Files\Common Files\Siemens\Automation\Simatic OAM\bin\S7O.TunnelServiceHost.exe |
SCS Distribution Service | SCS Distribution Service | C:\Program Files (x86)\Common Files\Siemens\ACE\bin\SCSDistServiceX.exe |
SCSFsX | SCSFsX | C:\Program Files (x86)\Common Files\Siemens\ACE\bin\SCSFsX.exe |
SCSMonitor | SCSMonitor | C:\Program Files (x86)\Common Files\Siemens\ace\bin\SCSMX.exe |
SIMATIC PnDiscovery Service | SIMATIC PnDiscovery Service | C:\Program Files\Common Files\Siemens\Automation\Simatic OAM\bin\s7oPNDiscoveryx64.exe |
S7TraceServiceX | SIMATIC Trace Service | C:\Program Files\Common Files\Siemens\Automation\TraceEngine\bin\S7TraceService64X.exe |
CCAlgIAlarmDataCollector | SIMATIC WinCC CCAlgIAlarmDataCollector | C:\Program Files (x86)\Siemens\WinCC\bin\CCAlgIAlarmDataCollector.exe |
CCAlgRtServe | SIMATIC WinCC CCAlgRtServer | C:\Program Files (x86)\Siemens\WinCC\bin\CcAlgRtServer.exe |
CCCloudConnect | SIMATIC WinCC CCCloudConnect | C:\Program Files (x86)\Siemens\WinCC\bin\CCCloudConnect.exe |
CCCSigRTServer | SIMATIC WinCC CCCSigRTServer | C:\Program Files (x86)\Siemens\WinCC\bin\CCCSigRTServer.exe |
CCDeltaLoader | SIMATIC WinCC CCDeltaLoader | C:\Program Files (x86)\Siemens\WinCC\bin\CCDeltaLoader.exe |
CCLBMRTServer | SIMATIC WinCC CCLBMRTServer | C:\Program Files (x86)\Siemens\WinCC\bin\CCDeltaLoader.exe |
CCNSInfo2Provider | SIMATIC WinCC CCNSInfo2Provider | C:\Program Files (x86)\Siemens\WinCC\bin\CCNSInfo2Provider.exe |
CCPackageMgr | SIMATIC WinCC CCPackageMgr | C:\Program Files (x86)\Siemens\WinCC\bin\CCPackageMgr.exe |
CCProfileServer | SIMATIC WinCC CCProfileServer | C:\Program Files (x86)\Siemens\WinCC\bin\CCProfileServer.exe |
CCProjectMgr | SIMATIC WinCC CCProjectMgr | C:\Program Files (x86)\Siemens\WinCC\bin\CCProjectMgr.exe |
CCPtmRTServer | SIMATIC WinCC CCPtmRTServer | C:\Program Files (x86)\Siemens\WinCC\bin\CCPtmRTServer.exe |
CCSsmRTServer | SIMATIC WinCC CCSsmRTServer | C:\Program Files (x86)\Siemens\WinCC\bin\CCSsmRTServer.exe |
CCSystemDiagnosticsHost | SIMATIC WinCC CCSystemDiagnosticsHost | C:\Program Files (x86)\Siemens\WinCC\bin\CCSystemDiagnosticsHost.exe |
CCTextServer | SIMATIC WinCC CCTextServer | C:\Program Files (x86)\Siemens\WinCC\bin\CCTextServer.exe |
CCTlgServer | SIMATIC WinCC CCTlgServer | C:\Program Files (x86)\Siemens\WinCC\bin\CCTlgServer.exe |
CCTMTimeSyncServer | SIMATIC WinCC CCTMTimeSyncServer | C:\Program Files (x86)\Siemens\WinCC\bin\CCTMTimeSyncServer.exe |
CCUsrAcv | SIMATIC WinCC CCUsrAcv | C:\Program Files (x86)\Siemens\WinCC\bin\CCUsrAcv.exe |
CCRtsLoader | SIMATIC WinCC Data Manager | C:\Program Files (x86)\Siemens\WinCC\bin\CCRtsLoader_x64.exe |
CCLicenseService | SIMATIC WinCC License Service | C:\Program Files (x86)\Common Files\Siemens\bin\CCLicenseService.exe |
MSSQL$WINCC | SQL Server (WINCC) | C:\Program Files\Microsoft SQL Server\MSSQL13.WINCC\MSSQL\Binn\sqlservr.exe -sWINCC |
SQLAgent$WINCC | SQL Server Agent (WINCC) | C:\Program Files\Microsoft SQL Server\MSSQL13.WINCC\MSSQL\Binn\SQLAGENT.EXE -i WINCC |
MSOLAP$WINCC | SQL Server Analysis Services (WINCC) | C:\Program Files\Microsoft SQL Server\MSAS13.WINCC\OLAP\bin\msmdsrv.exe -s + C:\Program Files\Microsoft SQL Server\MSAS13.WINCC\OLAP\Config |
SSASTELEMETRY$WINCC | SQL Server Analysis Services CEIP (WINCC) | C:\Program Files\Microsoft SQL Server\MSAS13.WINCC\OLAP\Bin\sqlceip.exe -Service WINCC MSAS |
SQLTELEMETRY$WINCC | SQL Server CEIP service (WINCC) | C:\Program Files\Microsoft SQL Server\MSSQL13.WINCC\MSSQL\Binn\sqlceip.exe -Service WINCC |
TraceConceptX | TraceConceptX | C:\Program Files\Common Files\Siemens\SimNetCom\TraceConceptX.exe |
TracewindowService_v4.0 | TracewindowService_v4.0 | C:\Program Files (x86)\Common Files\Siemens\Energy\TraceWindow\v4.0\Siemens.Energy.TracewindowService.exe |
XR_CCOPC.XMLWrapper | XR_CCOPC.XMLWrapper | C:\Program Files (x86)\Siemens\WinCC\opc\XMLDataAccess\bin\CCRT2XML.exe |
This table contains events that are generated by SICAM SCC and their corresponding Event IDs.
Event ID | Source | Event text |
---|---|---|
3 | NTP | <any_message> |
257 | CCEServer | Service started |
4132 | S7TraceServiceX.exe | !! Service started !! |
5084 | MSSQL$WINCC | Setting database option <option_name> for database '<database_name>' |
17137 | MSSQL$WINCC | Starting up database '<database_name>' |
This example demonstrates how to read and process Windows Event Log entries by source name.
CCRedundancyAgent-Service event sample
Log Name: Application
Source: CCRedundancyAgent-Service
Date: 2/25/2021 1:04:06 AM
Event ID: 0
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: WIN-5RU7GP5MI4V
Description:
Service started
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="CCRedundancyAgent-Service" />
<EventID Qualifiers="0">0</EventID>
<Level>4</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2021-02-25T09:04:06.915209200Z" />
<EventRecordID>5952</EventRecordID>
<Channel>Application</Channel>
<Computer>WIN-5RU7GP5MI4V</Computer>
<Security />
</System>
<EventData>
<Data>Service started</Data>
</EventData>
</Event>
To read Windows Event Log, this NXLog Agent configuration uses the im_msvistalog module.
The QueryXML directive of this module specifies the CCDeltaLoader, CCPackageMgr, CCAlgRtServer, and CCRedundancyAgent-Service services.
Event entries read from these services are then converted to JSON using the to_json() procedure of the xm_json module.
<Extension json>
Module xm_json
</Extension>
<Input from_eventlog>
Module im_msvistalog
# An XML query that reads Windows Event Logs based on SourceName
<QueryXML>
<QueryList>
<Query Id="0" Path="Application">
<Select Path="Application">*
[System[Provider[@Name='CCDeltaLoader' or
@Name='CCPackageMgr' or
@Name='CCAlgRtServer' or
@Name='CCRedundancyAgent-Service']]]
</Select>
</Query>
</QueryList>
</QueryXML>
# Converting to JSON
Exec to_json();
</Input>
{
"EventTime": "2021-02-25T11:04:06.915209+02:00",
"Hostname": "WIN-5RU7GP5MI4V",
"Keywords": "36028797018963968",
"EventType": "INFO",
"SeverityValue": 2,
"Severity": "INFO",
"EventID": 0,
"SourceName": "CCRedundancyAgent-Service",
"TaskValue": 0,
"RecordNumber": 5952,
"ExecutionProcessID": 0,
"ExecutionThreadID": 0,
"Channel": "Application",
"Message": "Service started",
"Category": "%1",
"Opcode": "Info",
"Data": "Service started",
"EventReceivedTime": "2021-02-25T11:04:07.164382+02:00",
"SourceModuleName": "from_eventlog",
"SourceModuleType": "im_msvistalog"
}
This is a Windows Event Log sample with Event ID 17137 (Starting up database '<database_name>').
Log Name: Application
Source: MSSQL$WINCC
Date: 2/25/2021 12:08:20 AM
Event ID: 17137
Task Category: Server
Level: Information
Keywords: Classic
User: SYSTEM
Computer: WIN-5RU7GP5MI4V
Description:
Starting up database 'CC_PAS_PQS__21_01_06_01_20_07'.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="MSSQL$WINCC" />
<EventID Qualifiers="16384">17137</EventID>
<Level>4</Level>
<Task>2</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2021-02-25T08:08:20.931018000Z" />
<EventRecordID>5933</EventRecordID>
<Channel>Application</Channel>
<Computer>WIN-5RU7GP5MI4V</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data>CC_PAS_PQS__21_01_06_01_20_07</Data>
<Binary>F14200000A00000016000000570049004E002D0035005200550037004700500035004D004900340056005C00570049004E00430043000000070000006D00610073007400650072000000</Binary>
</EventData>
</Event>
To read and process Windows Event Log, this NXLog Agent configuration uses the im_msvistalog module. The Event IDs are specified within the QueryXML directive; because the query filters on Event ID alone, it matches events with these IDs from any provider in the Application channel. Finally, the Exec directive calls the to_json() procedure of the xm_json module to generate the output in JSON.
<Extension json>
Module xm_json
</Extension>
<Input from_eventlog>
Module im_msvistalog
# XML query for filtering by the Event ID values
<QueryXML>
<QueryList>
<Query Id="0" Path="Application">
<Select Path="Application">
*[System[(EventID=0 or EventID=3 or
EventID=257 or EventID=4132 or
EventID=5084 or EventID=17137)]]
</Select>
</Query>
</QueryList>
</QueryXML>
# Converting to JSON
Exec to_json();
</Input>
{
"EventTime": "2021-02-25T00:08:20.931018-08:00",
"Hostname": "WIN-5RU7GP5MI4V",
"Keywords": "36028797018963968",
"EventType": "INFO",
"SeverityValue": 2,
"Severity": "INFO",
"EventID": 17137,
"SourceName": "MSSQL$WINCC",
"TaskValue": 2,
"RecordNumber": 5933,
"ExecutionProcessID": 0,
"ExecutionThreadID": 0,
"Channel": "Application",
"Domain": "NT AUTHORITY",
"AccountName": "SYSTEM",
"UserID": "S-1-5-18",
"AccountType": "User",
"Message": "Starting up database 'CC_PAS_PQS__21_01_06_01_20_07'.",
"Category": "Server",
"Data": "CC_PAS_PQS__21_01_06_01_20_07",
"EventData.Binary": "F14200000A00000016000000570049004E002D0035005200550037004700500035004D004900340056005C00570049004E00430043000000070000006D00610073007400650072000000",
"EventReceivedTime": "2021-02-25T00:08:21.743511-08:00",
"SourceModuleName": "from_eventlog",
"SourceModuleType": "im_msvistalog"
}
File-based logs
This table lists the various types of file-based logs that SICAM SCC generates.
| Log name | File ext. | Location | Details |
|---|---|---|---|
|  | .log | C:\ProgramData\Siemens Energy\SICAM SCC\Trace\DAFConfig.log | Dynamic Alarm Filter Configuration trace logs. These logs are created by the Dynamic Alarm Filter function, which is operated via the SICAM Dynamic Alarm Filter Configurator |
|  | .log | C:\ProgramData\Siemens Energy\SICAM SCC\Trace\PASChannel_System.log | The SICAM PAS Protocol Suite, SICAM IEC Communication Suite, and SICAM SNMP Suite configuration logs |
|  | .log | C:\ProgramData\Siemens Energy\SICAM SCC\Trace\SicamAddin.log | The WinCC Graphics Designer Add-in log for SICAM PAS. This add-in enables graphic object parameterization |
|  | .log | C:\ProgramData\Siemens Energy\SICAM SCC\Trace\SICAMRTDataServer.log | The SICAM SCC Runtime Data Server component processes all process data of the SICAM SCC project |
|  | .log | C:\ProgramData\Siemens Energy\SICAM SCC\Trace\SICAMTeaxWizard.log | The SICAM Import / Export Wizard allows importing TEA-X export files from SICAM PAS / PQS or SITIPE |
|  | .log | C:\ProgramData\Siemens Energy\SICAM SCC\Trace\SCD2SXD.log | - |
| SICAM Global Wizard log | .txt | <SICAM_SCC_project_folder>\GWLog.txt | The SICAM Global Wizard, SICAM PAS Wizard and SICAM IEC Wizard messages are recorded and overwritten in the |
|  | .log | <SICAM_SCC_project_folder>\TeaxWizard.log | Project-related Import\Export Wizard log |
|  | .txt | C:\ProgramData\Siemens\Energy\Report.txt | Any warnings or error messages displayed in the Report window |
The following sections show how to process individual files from the table above. NXLog Agent can also be configured to process all file-based logs using a universal configuration.
Trace logs
SICAM SCC trace logs can be found in several files located in the C:\ProgramData\Siemens Energy\SICAM SCC\Trace folder, such as:
- DAFConfig.log
- SicamAddin.log
- SICAMRTDataServer.log
- SICAMRTDS_DAF_PlugIn.log
- SICAMTeaxWizard.log
- SCD2SXD.log
- SXD2TEAX.log
Event entries from these files can be processed using a single NXLog Agent configuration.
Processing of the Communication Connection trace log is explained in a separate example.
Each log entry of this type consists of the following fields:
- Date
- Time
- Type
- Message
Messages in the SicamAddin.log file are either in a single-line or a multiline form.
Date Time | Type | Message
-----------------------------------------------------
24.02.2021 03:56:31 | Info | Picture 'NewPdl0.Pdl' opened
Date Time | Type | Message
-----------------------------------------------------
05.01.2021 05:30:34 | Error | System.IO.DirectoryNotFoundException: Could not find a part of the path 'C:\Users\Administrator\Documents\PAS_PQS_Test\SICAMTopology\ProjectIsNotConsistant.chg'.
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize)
at System.IO.File.Create(String path)
at SICAM.PASCC.Addin.Connect.SwitchToolbarIconCreateProject(Boolean bBuildIsOk)
at SICAM.PASCC.Addin.Connect.CheckProjectIswithTopo()
at SICAM.PASCC.Addin.Connect.ToggleTopologyOnOff()
In this example the SicamAddin.log file contains multiline events.
This configuration uses the im_file module to collect file-based logs and the multiline module to read multiline log records.
To parse log records, the configuration compares each record to the TRACE_REGEX regular expression.
If a match occurs, new fields are created based on the named capturing groups.
The strptime() function is called to convert the captured timestamp to a datetime value that it assigns to the $EventTime field.
The log record is then converted to JSON using the to_json() procedure from the xm_json module.
The drop procedure discards records that do not match the TRACE_REGEX regular expression.
# Regular expression for reading log file contents
define TRACE_REGEX /(?x)^(\d+.\d+.\d+.)(\d+.\d+.\d+)\s+.\s+\
(?<Type>\w+)\s+.\s+(?<Message>(?:.*\s{3,})\
?(?:.*\s{3,})?(?:.*\s{3,})?(?:.*\s{3,})\
?(?:.*\s{3,})?(?:.*\s{3,})?(?:.*\s{3,})\
?(?:.*\s{3,})?.*)$/
# Path to the folder containing log file
define TRACE_PATH C:\ProgramData\Siemens Energy\SICAM SCC\Trace
<Extension json>
Module xm_json
</Extension>
<Extension multiline>
Module xm_multiline
HeaderLine /^\d+.\d+.\d+.\d+.\d+.\d+/
</Extension>
<Input from_file>
Module im_file
File '%TRACE_PATH%\SicamAddin.log'
InputType multiline
<Exec>
# Matching events against the regular expression
if $raw_event =~ %TRACE_REGEX%
{
# Creating the timestamp
$EventTime = strptime($1 + $2, "%d.%m.%Y %T");
# Converting to JSON
to_json();
}
# Discarding unparsed messages
else drop();
# Replacing unwanted spaces
$raw_event =~ s/\s{2,}/ /g;
</Exec>
</Input>
{
"EventReceivedTime": "2021-02-26T11:27:20.828635+02:00",
"SourceModuleName": "from_file",
"SourceModuleType": "im_file",
"Message": "Picture 'NewPdl0.Pdl' opened",
"Type": "Info",
"EventTime": "2021-02-24T03:56:31.000000+02:00"
}
{
"EventReceivedTime": "2021-02-26T12:59:35.638543+02:00",
"SourceModuleName": "from_file",
"SourceModuleType": "im_file",
"Message": "System.IO.DirectoryNotFoundException: Could not find a part of the path 'C:\\Users\\Administrator\\Documents\\PAS_PQS_Test\\SICAMTopology\\ProjectIsNotConsistant.chg'. at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath) at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost) at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize) at System.IO.File.Create(String path) at SICAM.PASCC.Addin.Connect.SwitchToolbarIconCreateProject(Boolean bBuildIsOk) at SICAM.PASCC.Addin.Connect.CheckProjectIswithTopo() at SICAM.PASCC.Addin.Connect.ToggleTopologyOnOff()",
"Type": "Error",
"EventTime": "2021-01-05T05:30:34.000000+02:00"
}
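Added example (not part of the original page and not NXLog's own code): a Python port of TRACE_REGEX run over constructed SicamAddin.log-style lines. The pattern's eight optional continuation groups cap a message at nine lines, so a longer stack trace fails to match and would reach drop(); STRICT_TRACE and the function names are hypothetical. It assumes NXLog's regex engine treats `.` and `$` as Python's re does (no dot-all, no multiline).

```python
import re
from datetime import datetime

# Python port of the page's TRACE_REGEX; only the named-group syntax changes
# ((?<Name>...) becomes (?P<Name>...)). Eight optional "(?:.*\s{3,})?" groups
# precede the final ".*", so Message can cover at most nine lines.
PAGE_TRACE = re.compile(
    r"^(\d+.\d+.\d+.)(\d+.\d+.\d+)\s+.\s+(?P<Type>\w+)\s+.\s+"
    + r"(?P<Message>" + r"(?:.*\s{3,})?" * 8 + r".*)$"
)

# Hypothetical stricter variant: literal separators, and DOTALL so the message
# takes every continuation line however long the stack trace is.
STRICT_TRACE = re.compile(
    r"^(?P<Date>\d{2}\.\d{2}\.\d{4}) (?P<Time>\d{2}:\d{2}:\d{2})"
    r"\s+\|\s+(?P<Type>\w+)\s+\|\s+(?P<Message>.*)\Z",
    re.DOTALL,
)

# Same role as the HeaderLine directive of xm_multiline: a new record starts here.
HEADER = re.compile(r"^\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}")

# Constructed sample: the two entries shown on the page (exception text and
# frames shortened, three-space indent assumed) plus a constructed 12-frame trace.
SAMPLE = [
    "Date Time | Type | Message",
    "-----------------------------------------------------",
    "24.02.2021 03:56:31 | Info | Picture 'NewPdl0.Pdl' opened",
    "05.01.2021 05:30:34 | Error | System.IO.DirectoryNotFoundException: "
    "Could not find a part of the path.",
    "   at System.IO.File.Create(String path)",
    "   at SICAM.PASCC.Addin.Connect.ToggleTopologyOnOff()",
    "06.01.2021 07:00:00 | Error | System.Exception: constructed deep trace",
] + ["   at Constructed.Frame%d()" % i for i in range(12)]


def group_records(lines):
    """Join continuation lines onto the preceding header line."""
    records, current = [], None
    for line in lines:
        line = line.rstrip("\r\n")
        if HEADER.match(line):
            if current is not None:
                records.append("\n".join(current))
            current = [line]
        elif current is not None:
            current.append(line)
        # Lines before the first header (column titles, rulers) are ignored.
    if current is not None:
        records.append("\n".join(current))
    return records


def parse_strict(record):
    """Parse one grouped record; return None instead of dropping silently."""
    m = STRICT_TRACE.match(record)
    if not m:
        return None
    ts = datetime.strptime(m["Date"] + " " + m["Time"], "%d.%m.%Y %H:%M:%S")
    # Collapse newline-plus-indent runs, as the page's s/\s{2,}/ /g does.
    message = re.sub(r"\s{2,}", " ", m["Message"])
    return {"EventTime": ts.isoformat(), "Type": m["Type"], "Message": message}


def compare(lines):
    """Return (records, matched by page pattern, matched by strict pattern)."""
    records = group_records(lines)
    page_hits = sum(1 for r in records if PAGE_TRACE.match(r))
    strict_hits = sum(1 for r in records if parse_strict(r))
    return len(records), page_hits, strict_hits


if __name__ == "__main__":
    print(compare(SAMPLE))
```

Counting records that fail to parse, rather than discarding them, makes this kind of loss visible on the collector.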
SICAM Communication Connection trace log
The SICAM Communication Connection trace log is spread across several files in the C:\ProgramData\Siemens Energy\SICAM SCC\Trace folder:
- PASChannel_System.log
- IECChannel_System.log
- SNMPChannel_System.log
Each log entry of this type consists of the following fields:
- Date
- Time
- Type
- TID
- ValueID
- Way
- Message
SCC Trace File
Date Time Type TID ValueID Way Message
25.02.2021 22:26:48.108 Error 6932 0 - Prio-High-Queue not empty since 13172 ms - actual size: 3!
The im_file input module instance reads the log records from a file.
To parse log records, the configuration compares each record to the TRACECC_REGEX regular expression.
If a match occurs, new fields are created based on the named capturing groups.
The strptime() function is called to convert the captured timestamp to a datetime value that it assigns to the $EventTime field.
The log record is then converted to JSON using the to_json() procedure from the xm_json module.
The drop procedure discards records that do not match the TRACECC_REGEX regular expression.
# Regular expression for reading the file contents
define TRACECC_REGEX /(?x)^(\d+.\d+.\d+)\s+(\d+.\d+.\d+.\d+)\s+(?<Type>\w+)\
\s+(?<TID>\d+)\s+(?<ValueID>\d+)\s+(?<Way>.*?)\
\s+(?<Message>.*)/
# Path to the folder with log files
define TRACECC_PATH C:\ProgramData\Siemens Energy\SICAM SCC\Trace
<Extension json>
Module xm_json
</Extension>
<Input from_file>
Module im_file
File '%TRACECC_PATH%\PASChannel_System.log'
<Exec>
# Matching messages against the regular expression
if $raw_event =~ %TRACECC_REGEX%
{
# Creates the timestamp
$EventTime = strptime($1 + $2, "%d.%m.%Y %T");
# Formats the result as JSON
to_json();
}
# Discarding non-matched messages
else drop();
</Exec>
</Input>
{
"EventReceivedTime": "2021-02-26T14:40:35.883374+02:00",
"SourceModuleName": "from_file",
"SourceModuleType": "im_file",
"Message": "Prio-High-Queue not empty since 13172 ms - actual size: 3!",
"TID": "6932",
"Type": "Error",
"ValueID": "0",
"Way": "-",
"EventTime": "2021-02-25T22:26:48.000000+02:00"
}
Wizard logs
Log data of the SICAM Global Wizard, SICAM PAS Wizard, SICAM IEC Wizard, and the SICAM Export/Import Wizard is accumulated in the GWLog.txt and TeaxWizard.log files of the SICAM SCC project folder.
Each log entry of this type consists of the following fields:
- Timestamp
- Event Type
- Process
- Message
This example demonstrates how to configure NXLog Agent to process log data related to SICAM SCC wizards.
A header precedes each group of messages.
-----------------------------------------
[Begin: Read data. ] 02.27.21 15:53:28
-----------------------------------------
02.27.21 15:53:28 Info Reading data; OK: Read old SICAMCSDataStore file
To parse event entries, this configuration defines the WIZHEADER_REGEX and WIZ_REGEX regular expressions.
The im_file input module instance reads the log records from a file.
The Exec block compares each event entry to the regular expressions.
In case of a match, new fields are created according to the named capturing groups.
Date and time values are concatenated and converted to datetime using the strptime() function.
The returned value is then assigned to the $EventTime field.
The log record is then converted to JSON using the to_json() procedure from the xm_json module. In case a message does not match either expression, the drop() procedure discards it.
# Regular expressions for reading log messages and message headers
define WIZHEADER_REGEX /(?x)^\[(?<Message>.*?)\]\s+(\d+.\d+.\d+.)\
(\d+.\d+.\d+)/
define WIZ_REGEX /(?x)^(\d+.\d+.\d+.)(\d+.\d+.\d+)\s+\
(?<Type>\w+)\s+(?<Process>.*?)\;(?<Message>.*)/
# Path to the folder with log files
define WIZ_PATH C:\Users\Administrator\Documents\PAS_PQS_SCC
<Extension json>
Module xm_json
</Extension>
<Input from_file>
Module im_file
File '%WIZ_PATH%\GWLog.txt'
<Exec>
# Matches the event with the regular expression
if $raw_event =~ %WIZHEADER_REGEX%
{
# Creates the timestamp
$EventTime = strptime($2 + $3, "%m.%d.%y %T");
# Formats the result as JSON
to_json();
}
# Matches the event with the regular expression
else if $raw_event =~ %WIZ_REGEX%
{
# Creates the timestamp
$EventTime = strptime($1 + $2, "%m.%d.%y %T");
# Formats the result as JSON
to_json();
}
# Discard the event if it doesn't match either regular expression
else drop();
</Exec>
</Input>
{
"EventReceivedTime": "2021-02-28T22:32:51.583736+02:00",
"SourceModuleName": "from_file",
"SourceModuleType": "im_file",
"Message": "Begin: Read data. ",
"EventTime": "2021-02-27T15:53:28.000000+02:00"
}
{
"EventReceivedTime": "2021-02-28T22:44:08.642436+02:00",
"SourceModuleName": "from_file",
"SourceModuleType": "im_file",
"Message": "OK: Read old SICAMCSDataStore file",
"Process": "Reading data",
"Type": "Info",
"EventTime": "2021-02-27T15:53:28.000000+02:00"
}
Report log
The Report log combines any warnings, errors, or processing messages of SICAM SCC components and contains the following data fields:
- Timestamp
- Event type
- Event message
Report
======
Overview
--------
1/6/2021 1:18:22 AM Info: Begin: SICAM PAS Wizard
The im_file input module instance reads the log records from a file.
To parse log records, the configuration compares each record to the RPT_REGEX regular expression.
If a match occurs, new fields are created based on the named capturing groups.
The parsedate() function is called to convert the captured timestamp to a datetime value that it assigns to the $EventTime field.
The log record is then converted to JSON using the to_json() procedure from the xm_json module.
The drop procedure discards records that do not match the RPT_REGEX regular expression.
# Regular expression for reading log file contents
define RPT_REGEX /(?x)^(\d+.\d+.\d+.)\s+(\d+.\d+.\d+.\w+)\
\s+(?<EventType>\w+).\s+(?<Message>.*)/
# Path to the folder with log files
define RPT_PATH C:\ProgramData\Siemens\Energy
<Extension json>
Module xm_json
</Extension>
<Input from_file>
Module im_file
File '%RPT_PATH%\Report.txt'
<Exec>
# Matches the event with the regular expression
if $raw_event =~ %RPT_REGEX%
{
# Creates the timestamp
$EventTime = parsedate($1 + $2);
# Formats the result as JSON
to_json();
}
# Discard the event if it doesn't match the regular expression
else drop();
</Exec>
</Input>
{
"EventReceivedTime": "2021-01-07T10:47:48.707530+02:00",
"SourceModuleName": "from_file",
"SourceModuleType": "im_file",
"EventType": "Info",
"Message": "Begin: SICAM PAS Wizard",
"EventTime": "2021-01-06T01:18:22.000000+02:00"
}
Universal configuration file
For convenience, the various configuration components discussed above are combined and provided in a single configuration file below.
# --------------------- REGULAR EXPRESSIONS FOR PARSING DATA -------------------
define TRACE_REGEX /(?x)^(\d+.\d+.\d+.)(\d+.\d+.\d+)\s+.\s+\
(?<Type>\w+)\s+.\s+(?<Message>(?:.*\s{3,})\
?(?:.*\s{3,})?(?:.*\s{3,})?(?:.*\s{3,})\
?(?:.*\s{3,})?(?:.*\s{3,})?(?:.*\s{3,})\
?(?:.*\s{3,})?.*)$/
define TRACECC_REGEX /(?x)^(\d+.\d+.\d+)\s+(\d+.\d+.\d+.\d+)\s+(?<Type>\w+)\
\s+(?<TID>\d+)\s+(?<ValueID>\d+)\s+(?<Way>.*?)\
\s+(?<Message>.*)/
define WIZHEADER_REGEX /(?x)^\[(?<Message>.*?)\]\s+(\d+.\d+.\d+.)\
(\d+.\d+.\d+)/
define WIZ_REGEX /(?x)^(\d+.\d+.\d+.)(\d+.\d+.\d+)\s+\
(?<Type>\w+)\s+(?<Process>.*?)\;(?<Message>.*)/
define RPT_REGEX /(?x)^(\d+.\d+.\d+.)\s+(\d+.\d+.\d+.\w+)\
\s+(?<EventType>\w+).\s+(?<Message>.*)/
# --------------------- PATHS TO LOG FILES -------------------------------------
define TRACE_PATH C:\ProgramData\Siemens Energy\SICAM SCC\Trace
define WIZ_PATH C:\Users\Administrator\Documents\PAS_PQS_SCC
define RPT_PATH C:\ProgramData\Siemens\Energy
# --------------------- EXTENSION MODULES --------------------------------------
<Extension json>
Module xm_json
</Extension>
<Extension multiline>
Module xm_multiline
HeaderLine /^\d+.\d+.\d+.\d+.\d+.\d+/
</Extension>
# --------------------- INPUT MODULES ------------------------------------------
# To read multiple trace log files, copy the module below and specify the
# following files in the File directive:
#
# * DAFConfig.log
# * SicamAddin.log
# * SICAMRTDataServer.log
# * SICAMRTDS_DAF_PlugIn.log
# * SICAMTeaxWizard.log
# * SCD2SXD.log
# * SXD2TEAX.log
<Input from_trace>
Module im_file
File '%TRACE_PATH%\SicamAddin.log'
InputType multiline
<Exec>
# Matching events against the regular expression
if $raw_event =~ %TRACE_REGEX%
{
# Creating the timestamp
$EventTime = strptime($1 + $2, "%d.%m.%Y %T");
# Converting to JSON
to_json();
}
# Discarding unparsed messages
else drop();
# Replacing unwanted spaces
$raw_event =~ s/\s{2,}/ /g;
</Exec>
</Input>
# To read multiple communication connection files, copy the module below and
# specify the following files in the File directive:
#
# * PASChannel_System.log
# * IECChannel_System.log
# * SNMPChannel_System.log
<Input from_tracecc>
Module im_file
File '%TRACE_PATH%\PASChannel_System.log'
<Exec>
# Matching events against the regular expression
if $raw_event =~ %TRACECC_REGEX%
{
# Creating the timestamp
$EventTime = strptime($1 + $2, "%d.%m.%Y %T");
# Converting to JSON
to_json();
}
# Discarding unparsed messages
else drop();
</Exec>
</Input>
# To read multiple project log files, copy the module below and specify the
# following files in the File directive:
#
# * GWLog.txt
# * TeaxWizard.log
<Input from_wizard>
Module im_file
File '%WIZ_PATH%\GWLog.txt'
<Exec>
# Matching events against the regular expression
if $raw_event =~ %WIZHEADER_REGEX%
{
# Creating the timestamp
$EventTime = strptime($2 + $3, "%m.%d.%y %T");
# Converting to JSON
to_json();
}
# Matching events against the regular expression
else if $raw_event =~ %WIZ_REGEX%
{
# Creating the timestamp
$EventTime = strptime($1 + $2, "%m.%d.%y %T");
# Converting to JSON
to_json();
}
# Discarding unparsed messages
else drop();
</Exec>
</Input>
<Input from_report>
Module im_file
File '%RPT_PATH%\Report.txt'
<Exec>
# Matching events against the regular expression
if $raw_event =~ %RPT_REGEX%
{
# Creating the timestamp
$EventTime = parsedate($1 + $2);
# Converting to JSON
to_json();
}
# Discarding unparsed messages
else drop();
</Exec>
</Input>
# --------------------- OUTPUT MODULE ------------------------------------------
<Output to_file>
Module om_file
File 'C:\output.txt'
</Output>
# --------------------- ROUTE -------------------------------------------------
<Route r1>
Path from_trace, from_tracecc, from_wizard, from_report => to_file
</Route>
Network monitoring
This section describes how to monitor network traffic of the following industrial protocols which SICAM SCC uses:
Each transaction over the network consists of a client request followed by a server response/acknowledgment, which is demonstrated in these sections.
Modbus TCP/IP
Communication between SICAM SCC stations and devices that support Modbus over Ethernet is handled by the "Modbus TCP/IP" channel using the Modbus TCP/IP protocol. NXLog Agent can monitor this traffic, as the following example demonstrates.
This configuration uses the im_pcap module to capture Modbus traffic.
The Dev directive specifies the network device or interface to capture packets on.
The Protocol group directive specifies modbus as the protocol.
The Exec block converts the captured messages to JSON using the to_json() procedure.
<Extension _json>
Module xm_json
</Extension>
<Input pcap>
Module im_pcap
# Name of a network device/interface
Dev \Device\NPF_{159289BE-CE80-47DB-A659-2F8BF277C9C6}
<Protocol>
# Protocol type
Type modbus
</Protocol>
# Converting to JSON
Exec to_json();
</Input>
{
"modbus.function_code": "Read Holding Registers (03)",
"modbus.length": "6",
"modbus.prot_id": "0",
"modbus.query.read_holding_regs.qty_of_regs": "3",
"modbus.query.read_holding_regs.starting_address": "20",
"modbus.trans_id": "3748",
"modbus.unit_id": "1",
"EventTime": "2021-07-28T12:52:10.113986+03:00",
"EventReceivedTime": "2021-07-28T12:52:11.122391+03:00",
"SourceModuleName": "pcap",
"SourceModuleType": "im_pcap"
}
{
"modbus.function_code": "Read Holding Registers (03)",
"modbus.length": "9",
"modbus.prot_id": "0",
"modbus.response.read_holding_regs.byte_count": "6",
"modbus.response.read_holding_regs.registers": "20977, 15277, 13109",
"modbus.trans_id": "3748",
"modbus.unit_id": "1",
"EventTime": "2021-07-28T12:52:10.114694+03:00",
"EventReceivedTime": "2021-07-28T12:52:11.122391+03:00",
"SourceModuleName": "pcap",
"SourceModuleType": "im_pcap"
}
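Added example, not from the original page: Python that takes records shaped like the im_pcap Modbus output above, pairs each query with its response on modbus.unit_id and modbus.trans_id, and reports unanswered queries, responses without a query, and Read Holding Registers replies whose register count disagrees with the request. The first two records are the page's output with timestamps trimmed; the rest are constructed, and all function names are hypothetical.

```python
Q = "modbus.query.read_holding_regs."
R = "modbus.response.read_holding_regs."
FC = "Read Holding Registers (03)"


def _rec(trans_id, extra):
    """Build a trimmed record using the field names shown in the page's output."""
    base = {"modbus.function_code": FC, "modbus.trans_id": trans_id,
            "modbus.unit_id": "1"}
    base.update(extra)
    return base


SAMPLE = [
    # The request/response pair shown on the page (timestamps trimmed).
    _rec("3748", {Q + "qty_of_regs": "3", Q + "starting_address": "20"}),
    _rec("3748", {R + "byte_count": "6", R + "registers": "20977, 15277, 13109"}),
    # Constructed: response returns more registers than were requested.
    _rec("3749", {Q + "qty_of_regs": "2", Q + "starting_address": "30"}),
    _rec("3749", {R + "byte_count": "6", R + "registers": "1, 2, 3"}),
    # Constructed: request that never gets a response.
    _rec("3750", {Q + "qty_of_regs": "1", Q + "starting_address": "40"}),
    # Constructed: response with no matching request.
    _rec("3999", {R + "byte_count": "2", R + "registers": "7"}),
]


def direction(rec):
    """Classify a record by the key prefixes visible in the page's output."""
    if any(k.startswith("modbus.query.") for k in rec):
        return "query"
    if any(k.startswith("modbus.response.") for k in rec):
        return "response"
    return None


def check_read(req, rsp, key):
    """Holding registers are 16 bits wide, so byte_count must be 2 * quantity."""
    if Q + "qty_of_regs" not in req or R + "registers" not in rsp:
        return []
    qty = int(req[Q + "qty_of_regs"])
    regs = [r for r in rsp[R + "registers"].split(",") if r.strip()]
    byte_count = int(rsp.get(R + "byte_count", 2 * len(regs)))
    if len(regs) != qty or byte_count != 2 * qty:
        return [("length_mismatch", key)]
    return []


def audit(records):
    """Return a list of (finding, (unit_id, trans_id)) tuples."""
    pending, findings = {}, []
    for rec in records:
        key = (rec.get("modbus.unit_id"), rec.get("modbus.trans_id"))
        kind = direction(rec)
        if kind == "query":
            if key in pending:
                # Same ID reused before the earlier query was answered.
                findings.append(("unanswered", key))
            pending[key] = rec
        elif kind == "response":
            req = pending.pop(key, None)
            if req is None:
                findings.append(("orphan_response", key))
                continue
            if req.get("modbus.function_code") != rec.get("modbus.function_code"):
                findings.append(("function_mismatch", key))
            findings.extend(check_read(req, rec, key))
    findings.extend(("unanswered", key) for key in pending)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The page's records carry no address fields, so the key here is unit and transaction ID only. In a live feed transaction IDs repeat, so pending queries should also be expired on a timeout.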
BACnet
Building Automation and Control Network (BACnet) is a communication protocol designed for building automation and control systems. NXLog Agent can be configured to capture BACnet packets.
This configuration uses the im_pcap module to capture BACnet packets.
The Dev directive specifies the network device or interface to capture packets on, and the Protocol group directive specifies the bacnet protocol.
All captured packets are converted to JSON using the to_json() procedure.
<Extension _json>
Module xm_json
</Extension>
<Input pcap>
Module im_pcap
# Name of a network device/interface
Dev \Device\NPF_{159289BE-CE80-47DB-A659-2F8BF277C9C6}
# Protocol type
<Protocol>
Type bacnet
</Protocol>
# Converting to JSON
Exec to_json();
</Input>
{
"bacnet.apdu.bacnet_confirmed_request.invoke_id": "76",
"bacnet.apdu.bacnet_confirmed_request.max_resp": "1476",
"bacnet.apdu.bacnet_confirmed_request.max_segs": "Unspecified",
"bacnet.apdu.bacnet_confirmed_request.more_segments_follow": "false",
"bacnet.apdu.bacnet_confirmed_request.segmented": "false",
"bacnet.apdu.bacnet_confirmed_request.segmented_accepted": "true",
"bacnet.apdu.bacnet_confirmed_request.service_choice": "Read Property Multiple (14)",
"bacnet.apdu.bacnet_confirmed_request.service_request.records.0.object_identifier.instance_number": "2",
"bacnet.apdu.bacnet_confirmed_request.service_request.records.0.object_identifier.type": "binary-value (5)",
"bacnet.apdu.bacnet_confirmed_request.service_request.records.1": "Opening Tag (1)",
"bacnet.apdu.bacnet_confirmed_request.service_request.records.2.0.property_identifier": "change-of-state-count (15)",
"bacnet.apdu.bacnet_confirmed_request.service_request.records.3": "Closing Tag (1)",
"bacnet.apdu.bacnet_confirmed_request.service_request.records.4.object_identifier.instance_number": "2",
"bacnet.apdu.bacnet_confirmed_request.service_request.records.4.object_identifier.type": "binary-input (3)",
"bacnet.apdu.bacnet_confirmed_request.service_request.records.5": "Opening Tag (1)",
"bacnet.apdu.bacnet_confirmed_request.service_request.records.6.0.property_identifier": "change-of-state-count (15)",
"bacnet.apdu.bacnet_confirmed_request.service_request.records.7": "Closing Tag (1)",
"bacnet.apdu.pdu_type": "BACnet-Confirmed-Request-PDU (0x00)",
"bacnet.bvlc.function": "Original-Unicast-NPDU (0x0A)",
"bacnet.bvlc.length": "38",
"bacnet.bvlc.type": "BACnet/IP (Annex J) (0x81)",
"bacnet.npdu.control": "0x0024",
"bacnet.npdu.control.contains": "BACnet APDU message (0)",
"bacnet.npdu.control.dst_spec": "DNET, DLEN, Hop Count present (1)",
"bacnet.npdu.control.prio": "Normal message",
"bacnet.npdu.control.reply_expected": "Yes (1)",
"bacnet.npdu.control.src_spec": "SNET, SLEN, SADR absent (0)",
"bacnet.npdu.version": "0x0001",
"EventTime": "2021-07-30T10:46:15.958079+03:00",
"EventReceivedTime": "2021-07-30T10:46:16.403228+03:00",
"SourceModuleName": "pcap",
"SourceModuleType": "im_pcap"
}
{
"bacnet.apdu.bacnet_complexack.more_segments_follow": "false",
"bacnet.apdu.bacnet_complexack.original_invoke_id": "76",
"bacnet.apdu.bacnet_complexack.segmented": "false",
"bacnet.apdu.bacnet_complexack.service_ack.records.0.0.0.object_identifier.instance_number": "2",
"bacnet.apdu.bacnet_complexack.service_ack.records.0.0.0.object_identifier.type": "binary-value (5)",
"bacnet.apdu.bacnet_complexack.service_ack.records.0.0.1": "Opening Tag (1)",
"bacnet.apdu.bacnet_complexack.service_ack.records.0.0.2.property_identifier": "change-of-state-count (15)",
"bacnet.apdu.bacnet_complexack.service_ack.records.0.0.3.records.0": "Opening Tag (4)",
"bacnet.apdu.bacnet_complexack.service_ack.records.0.0.3.records.1": "943",
"bacnet.apdu.bacnet_complexack.service_ack.records.0.0.3.records.2": "Closing Tag (4)",
"bacnet.apdu.bacnet_complexack.service_ack.records.0.0.4": "Closing Tag (1)",
"bacnet.apdu.bacnet_complexack.service_ack.records.0.1.0.object_identifier.instance_number": "2",
"bacnet.apdu.bacnet_complexack.service_ack.records.0.1.0.object_identifier.type": "binary-input (3)",
"bacnet.apdu.bacnet_complexack.service_ack.records.0.1.1": "Opening Tag (1)",
"bacnet.apdu.bacnet_complexack.service_ack.records.0.1.2.property_identifier": "change-of-state-count (15)",
"bacnet.apdu.bacnet_complexack.service_ack.records.0.1.3.records.0": "Opening Tag (4)",
"bacnet.apdu.bacnet_complexack.service_ack.records.0.1.3.records.1": "944",
"bacnet.apdu.bacnet_complexack.service_ack.records.0.1.3.records.2": "Closing Tag (4)",
"bacnet.apdu.bacnet_complexack.service_ack.records.0.1.4": "Closing Tag (1)",
"bacnet.apdu.bacnet_complexack.service_choice": "Read Property Multiple (14)",
"bacnet.apdu.pdu_type": "BACnet-Complex-ACK-PDU (0x03)",
"bacnet.bvlc.function": "Original-Unicast-NPDU (0x0A)",
"bacnet.bvlc.length": "46",
"bacnet.bvlc.type": "BACnet/IP (Annex J) (0x81)",
"bacnet.npdu.control": "0x0008",
"bacnet.npdu.control.contains": "BACnet APDU message (0)",
"bacnet.npdu.control.dst_spec": "DNET, DLEN, DADR, Hop Count absent (0)",
"bacnet.npdu.control.prio": "Normal message",
"bacnet.npdu.control.reply_expected": "No (0)",
"bacnet.npdu.control.src_spec": "SNET, SLEN, SADR present (1)",
"bacnet.npdu.version": "0x0001",
"EventTime": "2021-07-30T10:46:16.073088+03:00",
"EventReceivedTime": "2021-07-30T10:46:16.403228+03:00",
"SourceModuleName": "pcap",
"SourceModuleType": "im_pcap"
}
{
"bacnet.apdu.bacnet_unconfirmed_request.service_choice": "Unconfirmed COV Notification (2)",
"bacnet.apdu.bacnet_unconfirmed_request.service_choice.records.0.subscriber_process_id": "20236304",
"bacnet.apdu.bacnet_unconfirmed_request.service_choice.records.1.initiating_device_identifier.instance_number": "1",
"bacnet.apdu.bacnet_unconfirmed_request.service_choice.records.1.initiating_device_identifier.object_id": "device (8)",
"bacnet.apdu.bacnet_unconfirmed_request.service_choice.records.2.monitored_device_identifier.instance_number": "1",
"bacnet.apdu.bacnet_unconfirmed_request.service_choice.records.2.monitored_device_identifier.object_id": "analog-input (0)",
"bacnet.apdu.bacnet_unconfirmed_request.service_choice.records.3.time_remaining": "2333",
"bacnet.apdu.bacnet_unconfirmed_request.service_choice.records.4": "Opening Tag (4)",
"bacnet.apdu.bacnet_unconfirmed_request.service_choice.records.5.0.property_identifier": "present-value (85)",
"bacnet.apdu.bacnet_unconfirmed_request.service_choice.records.5.0.property_value.records.0": "Opening Tag (2)",
"bacnet.apdu.bacnet_unconfirmed_request.service_choice.records.5.0.property_value.records.1": "-248000.000000",
"bacnet.apdu.bacnet_unconfirmed_request.service_choice.records.5.0.property_value.records.2": "Closing Tag (2)",
"bacnet.apdu.bacnet_unconfirmed_request.service_choice.records.5.1.property_identifier": "status-flags (111)",
"bacnet.apdu.bacnet_unconfirmed_request.service_choice.records.5.1.property_value.records.0": "Opening Tag (2)",
"bacnet.apdu.bacnet_unconfirmed_request.service_choice.records.5.1.property_value.records.1": "in-alarm (0): false, fault (1): false, overriden (2): false, out-of-service (3): false",
"bacnet.apdu.bacnet_unconfirmed_request.service_choice.records.5.1.property_value.records.2": "Closing Tag (2)",
"bacnet.apdu.bacnet_unconfirmed_request.service_choice.records.6": "Closing Tag (4)",
"bacnet.apdu.pdu_type": "BACnet-Unconfirmed-Request-PDU (0x01)",
"bacnet.bvlc.function": "Original-Unicast-NPDU (0x0A)",
"bacnet.bvlc.length": "44",
"bacnet.bvlc.type": "BACnet/IP (Annex J) (0x81)",
"bacnet.npdu.control": "0x0000",
"bacnet.npdu.control.contains": "BACnet APDU message (0)",
"bacnet.npdu.control.dst_spec": "DNET, DLEN, DADR, Hop Count absent (0)",
"bacnet.npdu.control.prio": "Normal message",
"bacnet.npdu.control.reply_expected": "No (0)",
"bacnet.npdu.control.src_spec": "SNET, SLEN, SADR absent (0)",
"bacnet.npdu.version": "0x0001",
"EventTime": "2021-07-30T10:46:16.092627+03:00",
"EventReceivedTime": "2021-07-30T10:46:16.404213+03:00",
"SourceModuleName": "pcap",
"SourceModuleType": "im_pcap"
}
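An added example, not part of the NXLog documentation: one way to monitor this output is to pair each confirmed request with its acknowledgement by invoke ID, then report requests that are never answered and acknowledgements that match no request. The records are constructed and trimmed to the fields used; invoke IDs 77 and 90, the later timestamps, the five-second timeout, and the assumption that ACK types other than complexack also use a key ending in `original_invoke_id` are not from the page.

```python
import json
from datetime import datetime, timedelta

REQ_ID = "bacnet.apdu.bacnet_confirmed_request.invoke_id"
REQ_SVC = "bacnet.apdu.bacnet_confirmed_request.service_choice"
# The complexack key is on the page; other ACK types are assumed to end the same way.
ACK_SUFFIX = ".original_invoke_id"

def pair_invoke_ids(lines, timeout=timedelta(seconds=5)):
    """Return (unanswered requests, orphan ACK invoke IDs) from im_pcap JSON lines."""
    pending, unanswered, orphans = {}, [], []
    for line in lines:
        rec = json.loads(line)
        now = datetime.fromisoformat(rec["EventTime"])
        # Expire requests that have waited longer than the timeout.
        for inv in [i for i, (seen, _) in pending.items() if now - seen > timeout]:
            unanswered.append((inv, pending.pop(inv)[1]))
        if REQ_ID in rec:
            pending[rec[REQ_ID]] = (now, rec.get(REQ_SVC, "unknown"))
            continue
        ack = next((v for k, v in rec.items() if k.endswith(ACK_SUFFIX)), None)
        if ack is not None and pending.pop(ack, None) is None:
            orphans.append(ack)  # answer to a request the sensor never saw
    unanswered.extend((inv, svc) for inv, (_, svc) in pending.items())
    return unanswered, orphans

# Constructed records, trimmed to the fields used here. The first two carry the
# page's values; invoke IDs 77 and 90 and the later timestamps are made up.
T = "2021-07-30T10:46:"
ACK_ID = "bacnet.apdu.bacnet_complexack.original_invoke_id"
SAMPLE = [json.dumps(r) for r in (
    {REQ_ID: "76", REQ_SVC: "Read Property Multiple (14)", "EventTime": T + "15.958079+03:00"},
    {ACK_ID: "76", "EventTime": T + "16.073088+03:00"},
    {REQ_ID: "77", REQ_SVC: "Read Property Multiple (14)", "EventTime": T + "17.000000+03:00"},
    {ACK_ID: "90", "EventTime": T + "18.000000+03:00"},
    {"bacnet.apdu.pdu_type": "BACnet-Unconfirmed-Request-PDU (0x01)", "EventTime": T + "30.000000+03:00"},
)]

if __name__ == "__main__":
    print(pair_invoke_ids(SAMPLE))
```

The sample output carries no peer addresses, so pairing here is by invoke ID alone; on a segment with several clients the key needs whatever peer identifier your records include.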
DNP3
DNP3 is a protocol which enables transmission of process data via serial or IP-based networks and is mainly used in the water and energy distribution industries. Communication of DNP3 devices with SICAM SCC takes place via the OPC channel.
The NXLog Agent configuration below uses the im_pcap module to capture network packets.
The Dev directive denotes the network device or interface to capture data on, and the Protocol directive specifies dnp3 as the protocol.
All captured packets are converted to JSON using the to_json() procedure of the xm_json module.
<Extension _json>
Module xm_json
</Extension>
<Input pcap>
Module im_pcap
# Name of a network device/interface
Dev \Device\NPF_{159289BE-CE80-47DB-A659-2F8BF277C9C6}
<Protocol>
# Protocol type
Type dnp3
</Protocol>
# Converting to JSON
Exec to_json();
</Input>
{
"dnp3.application_layer.control.con": "0",
"dnp3.application_layer.control.fin": "1",
"dnp3.application_layer.control.fir": "1",
"dnp3.application_layer.control.sequence": "7",
"dnp3.application_layer.control.uns": "0",
"dnp3.application_layer.function_code": "Read",
"dnp3.application_layer.object0.count": "0",
"dnp3.application_layer.object0.group": "60",
"dnp3.application_layer.object0.name": "Class objects - Class 1 data",
"dnp3.application_layer.object0.variation": "2",
"dnp3.application_layer.object1.count": "0",
"dnp3.application_layer.object1.group": "60",
"dnp3.application_layer.object1.name": "Class objects - Class 2 data",
"dnp3.application_layer.object1.variation": "3",
"dnp3.application_layer.object2.count": "0",
"dnp3.application_layer.object2.group": "60",
"dnp3.application_layer.object2.name": "Class objects - Class 3 data",
"dnp3.application_layer.object2.variation": "4",
"dnp3.application_layer.object3.count": "0",
"dnp3.application_layer.object3.group": "60",
"dnp3.application_layer.object3.name": "Class objects - Class 0 data",
"dnp3.application_layer.object3.variation": "1",
"dnp3.data_layer.control": "0xC4",
"dnp3.data_layer.control.dir": "1",
"dnp3.data_layer.control.fcb": "0",
"dnp3.data_layer.control.fcv": "0",
"dnp3.data_layer.control.function_code": "Unconfirmed User Data",
"dnp3.data_layer.control.prm": "1",
"dnp3.data_layer.destination": "1",
"dnp3.data_layer.length": "20",
"dnp3.data_layer.source": "2",
"dnp3.data_layer.start_bytes": "0x0564",
"dnp3.transport.fin": "1",
"dnp3.transport.fir": "1",
"dnp3.transport.sequence": "23",
"EventTime": "2021-07-29T18:19:06.927443+03:00",
"EventReceivedTime": "2021-07-29T18:18:56.324409+03:00",
"SourceModuleName": "pcap",
"SourceModuleType": "im_pcap"
}
{
"dnp3.application_layer.control.con": "0",
"dnp3.application_layer.control.fin": "1",
"dnp3.application_layer.control.fir": "1",
"dnp3.application_layer.control.sequence": "7",
"dnp3.application_layer.control.uns": "0",
"dnp3.application_layer.function_code": "Response",
"dnp3.application_layer.internal_indications.already_executing": "0",
"dnp3.application_layer.internal_indications.broadcast": "0",
"dnp3.application_layer.internal_indications.class1_events": "0",
"dnp3.application_layer.internal_indications.class2_events": "0",
"dnp3.application_layer.internal_indications.class3_events": "0",
"dnp3.application_layer.internal_indications.config_corrupt": "0",
"dnp3.application_layer.internal_indications.device_restart": "0",
"dnp3.application_layer.internal_indications.device_trouble": "0",
"dnp3.application_layer.internal_indications.events_buffer_overflow": "0",
"dnp3.application_layer.internal_indications.local_control": "0",
"dnp3.application_layer.internal_indications.need_time": "0",
"dnp3.application_layer.internal_indications.no_func_code_support": "0",
"dnp3.application_layer.internal_indications.object_unknown": "0",
"dnp3.application_layer.internal_indications.parameter_error": "0",
"dnp3.application_layer.internal_indications.reserved": "0 (expected 0)",
"dnp3.application_layer.object0.count": "1",
"dnp3.application_layer.object0.group": "1",
"dnp3.application_layer.object0.name": "Binary Input With Flags",
"dnp3.application_layer.object0.point0.flags": "[ONLINE, State]",
"dnp3.application_layer.object0.variation": "2",
"dnp3.application_layer.object1.count": "1",
"dnp3.application_layer.object1.group": "3",
"dnp3.application_layer.object1.name": "Dobule Bit Binary Input With Flags",
"dnp3.application_layer.object1.point0.flags": "[ONLINE]",
"dnp3.application_layer.object1.point0.state": "Indeterminate",
"dnp3.application_layer.object1.variation": "2",
"dnp3.application_layer.object2.count": "1",
"dnp3.application_layer.object2.group": "20",
"dnp3.application_layer.object2.name": "Counter - 32-bit with flag",
"dnp3.application_layer.object2.point0.count": "125478",
"dnp3.application_layer.object2.point0.flags": "[ONLINE]",
"dnp3.application_layer.object2.variation": "1",
"dnp3.application_layer.object3.count": "1",
"dnp3.application_layer.object3.group": "21",
"dnp3.application_layer.object3.name": "Frozen counter - 32-bit with flag",
"dnp3.application_layer.object3.point0.count": "0",
"dnp3.application_layer.object3.point0.flags": "[ONLINE]",
"dnp3.application_layer.object3.variation": "1",
"dnp3.application_layer.object4.count": "3",
"dnp3.application_layer.object4.group": "30",
"dnp3.application_layer.object4.name": "Analog input - single-precision, floating-point with flag",
"dnp3.application_layer.object4.point0.flags": "[ONLINE]",
"dnp3.application_layer.object4.point0.value": "56.146999",
"dnp3.application_layer.object4.point1.flags": "[ONLINE]",
"dnp3.application_layer.object4.point1.value": "78.253998",
"dnp3.application_layer.object4.point2.flags": "[ONLINE]",
"dnp3.application_layer.object4.point2.value": "478.100006",
"dnp3.application_layer.object4.variation": "5",
"dnp3.data_layer.control": "0x44",
"dnp3.data_layer.control.dir": "0",
"dnp3.data_layer.control.fcb": "0",
"dnp3.data_layer.control.fcv": "0",
"dnp3.data_layer.control.function_code": "Unconfirmed User Data",
"dnp3.data_layer.control.prm": "1",
"dnp3.data_layer.destination": "2",
"dnp3.data_layer.length": "62",
"dnp3.data_layer.source": "1",
"dnp3.data_layer.start_bytes": "0x0564",
"dnp3.transport.fin": "1",
"dnp3.transport.fir": "1",
"dnp3.transport.sequence": "23",
"EventTime": "2021-07-29T18:19:07.092230+03:00",
"EventReceivedTime": "2021-07-29T18:18:56.325955+03:00",
"SourceModuleName": "pcap",
"SourceModuleType": "im_pcap"
}
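An added example, not part of the NXLog documentation: the fields above are enough to learn which master and outstation addresses normally exchange which function codes, and then to flag anything outside that set along with internal-indication bits that an outstation sets. The records are constructed and trimmed to the fields used; link address 9, the "Write" function-code string (its exact rendering by NXLog Agent is an assumption) and the set `device_restart` bit are not from the page.

```python
import json

SRC, DST = "dnp3.data_layer.source", "dnp3.data_layer.destination"
FUNC = "dnp3.application_layer.function_code"
IIN = "dnp3.application_layer.internal_indications."
# Internal-indication bits worth an alert when an outstation sets them.
WATCHED = {"device_restart", "device_trouble", "config_corrupt", "parameter_error",
           "object_unknown", "no_func_code_support", "events_buffer_overflow"}

def conversation(rec):
    """(link source, link destination, application function code) of one record."""
    return rec.get(SRC), rec.get(DST), rec.get(FUNC)

def build_baseline(lines):
    """Learn the set of conversations from records captured during normal operation."""
    return {conversation(json.loads(line)) for line in lines}

def review(lines, baseline):
    """Flag conversations outside the baseline and watched IIN bits that are set."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        conv = conversation(rec)
        if conv not in baseline:
            findings.append(("new-conversation", conv))
        for key, value in rec.items():
            bit = key[len(IIN):] if key.startswith(IIN) else None
            # Values look like "0" or "0 (expected 0)"; compare the leading token.
            if bit in WATCHED and str(value).split()[:1] != ["0"]:
                findings.append(("iin-set", conv[0], bit))
    return findings

# Constructed records trimmed to the fields used here. KNOWN_GOOD repeats the page's
# Read/Response pair; address 9, "Write" and the set restart bit are made up.
KNOWN_GOOD = [json.dumps(r) for r in (
    {SRC: "2", DST: "1", FUNC: "Read"},
    {SRC: "1", DST: "2", FUNC: "Response", IIN + "device_restart": "0",
     IIN + "reserved": "0 (expected 0)"},
)]
TO_REVIEW = [json.dumps(r) for r in (
    {SRC: "2", DST: "1", FUNC: "Read"},
    {SRC: "9", DST: "1", FUNC: "Write"},
    {SRC: "1", DST: "2", FUNC: "Response", IIN + "device_restart": "1"},
)]

if __name__ == "__main__":
    print(review(TO_REVIEW, build_baseline(KNOWN_GOOD)))
```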
IEC 60870-5-104
IEC 60870-5-104 is an extension of the IEC 60870-5-101 protocol combining transport, network, link, and physical layers to enable communication between control stations and substations using TCP/IP. Communication of IEC 60870-5-104 devices with SICAM SCC is carried out via SICAM IEC COMMUNICATION SUITE. NXLog Agent can be configured to monitor network traffic that uses this protocol.
This configuration uses the im_pcap module.
The Dev directive specifies the network device or interface to capture packets on.
The Protocol group directive specifies the iec104apci and iec104asdu protocols.
All captured packets are converted to JSON using the to_json() procedure.
<Extension _json>
Module xm_json
</Extension>
<Input pcap>
Module im_pcap
# Specifies the name of a network device/interface
Dev \Device\NPF_{159289BE-CE80-47DB-A659-2F8BF277C9C6}
# Specifies the protocol type
<Protocol>
Type iec104apci
</Protocol>
<Protocol>
Type iec104asdu
</Protocol>
# Formats the result as JSON
Exec to_json();
</Input>
{
"iec104.apci.receive_sequence_number": "2864",
"iec104.apci.type": "Supervisory (S)",
"EventTime": "2021-07-28T23:17:34.752799+03:00",
"EventReceivedTime": "2021-07-28T23:17:35.217073+03:00",
"SourceModuleName": "pcap",
"SourceModuleType": "im_pcap"
}
{
"iec104.apci.receive_sequence_number": "1",
"iec104.apci.send_sequence_number": "2864",
"iec104.apci.type": "Information (I)",
"iec104.asdu.data": {
"io": [
{
"ioa": 1000,
"ie": [
{
"type": "NVA",
"value": "0.880127 (28840)"
},
{
"type": "QDS",
"invalid": false,
"not-topical": false,
"substituted": false,
"blocked": false,
"overflow": false
},
{
"type": "CP56Time2A",
"milliseconds": 34781,
"minutes": 17,
"hours": 13,
"day-of-week": 0,
"day-of-month": 28,
"month": 7,
"year": 21
}
],
"ies": 3
}
],
"ios": 1
},
"iec104.asdu.dui.cause_of_transmission": "Spontaneous (3)",
"iec104.asdu.dui.coa": "1",
"iec104.asdu.dui.num_records": "1",
"iec104.asdu.dui.org": "0",
"iec104.asdu.dui.pn": "0",
"iec104.asdu.dui.sq": "FALSE",
"iec104.asdu.dui.test_bit": "0",
"iec104.asdu.dui.type": "M_ME_TD_1",
"EventTime": "2021-07-28T23:17:34.754620+03:00",
"EventReceivedTime": "2021-07-28T23:17:35.217073+03:00",
"SourceModuleName": "pcap",
"SourceModuleType": "im_pcap"
}
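An added example, not part of the NXLog documentation: the I-format record above carries the device's own CP56Time2A time tag next to the capture host's EventTime, so the two can be compared to spot a drifting or mis-set substation clock. The record is a trimmed copy of the page's sample; the device UTC offset is a parameter because the time tag carries no zone, and the -7 hour offset and two-second tolerance used here are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

def cp56_to_datetime(ie, utc_offset_hours):
    """Rebuild a CP56Time2A element; it carries no zone, so the offset is supplied."""
    seconds, millis = divmod(ie["milliseconds"], 1000)  # field holds seconds and ms
    zone = timezone(timedelta(hours=utc_offset_hours))
    return datetime(2000 + ie["year"], ie["month"], ie["day-of-month"],
                    ie["hours"], ie["minutes"], seconds, millis * 1000, tzinfo=zone)

def clock_skews(record, utc_offset_hours=0):
    """Return [(ioa, device time minus capture time in seconds)] per time-tagged object."""
    captured = datetime.fromisoformat(record["EventTime"])
    skews = []
    for io in record.get("iec104.asdu.data", {}).get("io", []):
        for ie in io.get("ie", []):
            if ie.get("type") != "CP56Time2A":
                continue
            try:
                stamp = cp56_to_datetime(ie, utc_offset_hours)
            except ValueError:  # out-of-range field, e.g. day-of-month 0
                skews.append((io["ioa"], None))
                continue
            skews.append((io["ioa"], round((stamp - captured).total_seconds(), 3)))
    return skews

def drifting(record, utc_offset_hours=0, tolerance=2.0):
    """Objects whose time tag is unparseable or off by more than the tolerance."""
    return [(ioa, s) for ioa, s in clock_skews(record, utc_offset_hours)
            if s is None or abs(s) > tolerance]

# Trimmed copy of the page's I-format record (only the fields used here).
SAMPLE = json.loads("""{
  "iec104.asdu.data": {"io": [{"ioa": 1000, "ie": [
    {"type": "NVA", "value": "0.880127 (28840)"},
    {"type": "CP56Time2A", "milliseconds": 34781, "minutes": 17, "hours": 13,
     "day-of-week": 0, "day-of-month": 28, "month": 7, "year": 21}], "ies": 3}], "ios": 1},
  "EventTime": "2021-07-28T23:17:34.754620+03:00"
}""")

if __name__ == "__main__":
    print(clock_skews(SAMPLE), clock_skews(SAMPLE, utc_offset_hours=-7))
```

Records without an ASDU, such as the S-format record above, yield an empty list.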