Collecting logs from Industrial Control Systems

Industrial Control Systems (ICS) is a generic term that refers to different types of control systems that operate and/or automate industrial processes. These systems consist of a combination of devices, software, and networks that together achieve an objective, such as manufacturing a product or the treatment of water.

ICS/SCADA Logging with NXLog

SCADA systems

SCADA (Supervisory Control and Data Acquisition) is the most significant subsystem of ICS that allows industrial organizations to:

  • control industrial processes locally or remotely
  • monitor, gather, and process real-time data
  • achieve high-performance data archiving
  • efficiently analyze process values (trends) and messages (alarm control)
  • interact with a wide range of devices using extended communication infrastructure

Industries that rely heavily on ICS include Oil and Gas, Pharmaceutical, Petrochemical, Food and Beverage, Manufacturing, Power, Recycling, Transportation, Water and Wastewater, Mining.

There are many providers of ICS solutions for various industries; among the larger ones are Siemens, Schneider Electric, ABB, General Electric, Yokogawa, Honeywell, Emerson, and Rockwell Automation.

What are the log sources?


Similar to other networked computer systems, an ICS generates a wide variety of logs. These logs provide important real-time information that can be used to determine the health and security of the system that generated them. Logs come in different formats: some are channeled through Windows Event Log, while others are saved in text files or databases. Capturing the network activity between ICS components also provides useful information on the state of the system.


Challenges in logging from ICS


In Industrial Control Systems, the standardization and formatting of logs is not as mature as in conventional computer systems. It is common for a single system or component to generate a set of logs that are stored in the same directory but are in completely different formats. This poses a significant challenge when it comes to collecting and processing these logs. Yet another challenge is the widespread use of industry-specific network protocols (Modbus, PROFINET, BACNET, S7 Protocol, IEC 60870-5-104, IEC-61850, etc.) that a single ICS might use for interacting with various devices.


How can NXLog meet these challenges?


NXLog is a versatile log collection solution capable of collecting logs from diverse sources on ICS and SCADA systems.

Collecting logs from Windows Event Log

Most ICS and SCADA systems provide logging through Windows Event Log. Each log source in Windows Event Log has a set of Event IDs associated with it. NXLog can filter and parse such logs based on Event IDs by using the im_msvistalog module, which collects logs using the native Windows Event Log API.

Collecting file-based logs

The majority of logs created by ICS and SCADA systems are text-based log files. NXLog provides the im_file module for collecting logs from files. This module has a vast number of configuration options, and together with the flexibility of the NXLog language, you can collect, parse, normalize, and forward any kind of log file created by an Industrial Control System.

With NXLog, you can also collect data from all major database systems, locally or remotely, with its im_odbc and im_dbi modules respectively. Additionally, NXLog can passively capture network traffic. The im_pcap module supports the major protocols used by ICS, such as Modbus, BACNET, S7 Protocol, IEC 60870-5-104, PROFINET, IEC-61850, DNP3, etc.

Currently supported ICS and SCADA systems

To see a detailed guide on how to collect logs from a specific ICS system, click on its logo below.

If you do not see your SCADA system here, it simply means that we have not gotten around to documenting it yet. However, you can still use NXLog to collect and process logs from it. If you would like to enquire about a specific SCADA system, please contact us and we would be happy to guide you.

Sending your ICS logs to their destination

This table contains links to documentation that will help you get started with sending logs from your SCADA system to your SIEM solution.

Source to collect logs from                  | Destination to send logs to
---------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------
AVEVA System Platform                        | IBM QRadar, Splunk, Graylog, Azure Sentinel, Elastic, Google Chronicle, McAfee ESM, Micro Focus ArcSight Logger, LogPoint, Sumo Logic
General Electric CIMPLICITY                  | IBM QRadar, Splunk, Graylog, Azure Sentinel, Elastic, Google Chronicle, McAfee ESM, Micro Focus ArcSight Logger, LogPoint, Sumo Logic
Schneider Electric Citect SCADA              | IBM QRadar, Splunk, Graylog, Azure Sentinel, Elastic, Google Chronicle, McAfee ESM, Micro Focus ArcSight Logger, LogPoint, Sumo Logic
Schneider Electric EcoStruxure Process Expert | IBM QRadar, Splunk, Graylog, Azure Sentinel, Elastic, Google Chronicle, McAfee ESM, Micro Focus ArcSight Logger, LogPoint, Sumo Logic
Siemens SICAM PAS/PQS                        | IBM QRadar, Splunk, Graylog, Azure Sentinel, Elastic, Google Chronicle, McAfee ESM, Micro Focus ArcSight Logger, LogPoint, Sumo Logic
Siemens Simatic PCS 7                        | IBM QRadar, Splunk, Graylog, Azure Sentinel, Elastic, Google Chronicle, McAfee ESM, Micro Focus ArcSight Logger, LogPoint, Sumo Logic
YOKOGAWA FAST/TOOLS                          | IBM QRadar, Splunk, Graylog, Azure Sentinel, Elastic, Google Chronicle, McAfee ESM, Micro Focus ArcSight Logger, LogPoint, Sumo Logic

If your preferred destination is not on the list, it simply means that we have not gotten around to documenting it yet. However, it is likely that NXLog can still send logs to it. If you would like to enquire about a specific destination, please contact us and we would be happy to guide you.

Aggregate ICS logs from multiple sources to any destination

With the highly configurable multiple input and output routing capabilities of NXLog, you can also set up a single NXLog agent to fulfill the most complex routing needs imaginable.

This highly simplified diagram of centralized logging shows that logs can be collected from different sources and forwarded to your SIEM or Log Analytics solution of choice.

[Diagram: centralized logging of SCADA sources through NXLog to a SIEM]
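The following configuration is an added example, not code from this page or from NXLog's own documentation. It wires the three collection modules described above (im_msvistalog filtered by Event ID, im_file with a regular-expression parser, and im_pcap for Modbus) into one agent with a single route to a SIEM. The Event IDs, the file path and line layout, the capture interface, and the SIEM host are all assumed placeholders; check directive names against the NXLog Enterprise Edition reference for your version.

```nxlog
# Added example: one agent, three ICS inputs, one SIEM output.
<Extension _syslog>
    Module  xm_syslog
</Extension>

# Windows Event Log filtered by Event ID through the native API.
# Event IDs 1000 and 1001 on the Application channel are assumed values.
<Input ics_eventlog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*[System[(EventID=1000 or EventID=1001)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

# Text logs written by the SCADA runtime; the assumed (constructed) line
# layout is "2024-01-15 10:22:31 WARN PLC1 Overrange on AI_03".
<Input ics_file>
    Module  im_file
    File    'C:\ProgramData\ExampleSCADA\Logs\*.log'
    <Exec>
        if $raw_event =~ /^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\w+) (\S+) (.+)$/
        {
            $EventTime = parsedate($1);
            $Level     = $2;   # severity label as written by the SCADA software
            $Device    = $3;   # controller or station name
            $Message   = $4;
        }
    </Exec>
</Input>

# Passive capture of Modbus traffic on the plant-network interface.
<Input ics_pcap>
    Module  im_pcap
    Dev     eth1
    <Protocol>
        Type    modbus
    </Protocol>
</Input>

# Forward all three streams as IETF syslog to the SIEM collector.
<Output siem>
    Module  om_tcp
    Host    siem.example.internal
    Port    514
    Exec    to_syslog_ietf();
</Output>

<Route ics_to_siem>
    Path    ics_eventlog, ics_file, ics_pcap => siem
</Route>
```

Lines in the text log that do not match the pattern are still forwarded with only $raw_event set, so a parser gap shows up at the SIEM as an unparsed record rather than as silently dropped data.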
