Security Event Logging Configuration
To allow continuous monitoring of your WinCC OA environment with external tools (e.g. a SIEM tool), specific logging of security-related events can be enabled within WinCC OA.
Activate external error handling
externErrHdl
By using the config entry [general] externErrHdl the plug-in for external error handling can be configured.
For the specific handling of security certificates, the plug-ins SE_File and SE_Syslog are available. These plug-ins write the security event messages either to a file or to the error log of the operating system.
This config entry must be set to enable the external handling of security event messages!
[general]
externErrHdl = "SE_Syslog"
Security Events Panel
The configuration panel for security events allows the user to define which security events are written to the system log.
The Security Events panel is located within
Sec. Events
The Sec. Events tab of the Security Events panel allows the user to define which events are sent to the system log. By default, all available events are written to the system log. Deselecting an event's check box excludes that log message from the system log; it is then only written to the WinCC OA log.
Within this panel, the IDs as well as the names of the events are included. Further details for each event can be found within the Security Events in WinCC OA list.
Log Handler
By activating the system log output, not only the dedicated security events but all WinCC OA log messages can be written to an external tool.
SecurityEvents_initList.json
The SecurityEvents_initList.json is a JSON file that provides security-related event messages generated by WinCC OA and currently activated for observation.
The file is located in the \data\ContinuousMonitoring subfolder of the WinCC OA installation. A derived version of this file can reside within the project folder to contain the project specific configuration of security events.
These files are a resource for configuring an interface to a SIEM tool to monitor WinCC OA-related messages effectively. The SIEM tool needs to be configured to monitor and respond to security events according to project-specific requirements.
SecurityEvents_initList.json
{
  "GlobalSettings": {"Severity": "None"},
  "SecurityEvents": [
    {
      "Name": "Start Manager",
      "ID": "SE_MANAGER_START",
      "EventID": "1",
      "SiemensID": "401",
      "SecurityLog": "TRUE"
    },
    {
      "Name": "Stop Manager",
      "ID": "SE_MANAGER_STOP",
      "EventID": "2",
      "SiemensID": "402",
      "SecurityLog": "TRUE"
    },
    ...
  ]
}
Custom Security Events
To add new project-specific security events, the SecurityEvents_initList.json can be extended with project-specific events. For this, a new SecurityEvents_initList.json must be created within the \data\ContinuousMonitoring folder of the project directory, in which, similar to the file located within the version directory, the custom events can be added.
Custom Security Event
{
  "GlobalSettings": {"Severity": "None"},
  "SecurityEvents": [
    {
      "Name": "My Custom Security Event",
      "ID": "SE_CUSTOM_EVENT",
      "EventID": "99",
      "SiemensID": "5000",
      "SecurityLog": "TRUE"
    }
  ]
}
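Before pointing a SIEM at these files, it helps to check a project list against the version list. The following is an added example, not part of the WinCC OA documentation or tooling: it flags incomplete entries and reused EventID/SiemensID values and lists the events marked for the security log. The sample entries SE_CUSTOM_CLASH and SE_CUSTOM_PARTIAL are constructed, and the uniqueness and override rules are assumptions, not documented product behaviour.

```python
import json

REQUIRED = ("Name", "ID", "EventID", "SiemensID", "SecurityLog")

# Constructed sample documents modelled on the two excerpts above.
VERSION_DOC = json.loads("""
{"GlobalSettings": {"Severity": "None"}, "SecurityEvents": [
  {"Name": "Start Manager", "ID": "SE_MANAGER_START", "EventID": "1",
   "SiemensID": "401", "SecurityLog": "TRUE"},
  {"Name": "Stop Manager", "ID": "SE_MANAGER_STOP", "EventID": "2",
   "SiemensID": "402", "SecurityLog": "TRUE"}]}
""")
PROJECT_DOC = json.loads("""
{"GlobalSettings": {"Severity": "None"}, "SecurityEvents": [
  {"Name": "My Custom Security Event", "ID": "SE_CUSTOM_EVENT", "EventID": "99",
   "SiemensID": "5000", "SecurityLog": "TRUE"},
  {"Name": "Clashing Event", "ID": "SE_CUSTOM_CLASH", "EventID": "2",
   "SiemensID": "5001", "SecurityLog": "TRUE"},
  {"Name": "Incomplete Event", "ID": "SE_CUSTOM_PARTIAL", "EventID": "100"}]}
""")


def lint_event_lists(version_doc, project_doc):
    """Return (problems, forwarded_ids) for the combined event lists."""
    problems, effective = [], {}
    owners = {"EventID": {}, "SiemensID": {}}
    for origin, doc in (("version", version_doc), ("project", project_doc)):
        for pos, event in enumerate(doc.get("SecurityEvents", [])):
            where = f"{origin}[{pos}]"
            missing = [key for key in REQUIRED if key not in event]
            if missing:
                problems.append(f"{where}: missing {', '.join(missing)}")
                continue
            # Assumption: an EventID or SiemensID belongs to exactly one event ID,
            # so a SIEM rule keyed on the number cannot match two events.
            for key, seen in owners.items():
                owner = seen.setdefault(event[key], event["ID"])
                if owner != event["ID"]:
                    problems.append(f"{where}: {key} {event[key]} already used by {owner}")
            # Assumption: a project entry with the same ID replaces the version entry.
            effective[event["ID"]] = event
    forwarded = sorted(i for i, e in effective.items() if e["SecurityLog"] == "TRUE")
    return problems, forwarded


if __name__ == "__main__":
    found, forwarded = lint_event_lists(VERSION_DOC, PROJECT_DOC)
    print("\n".join(found + ["forwarded: " + ", ".join(forwarded)]))
```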
Security Events within the Code
The following examples show how to properly call a security event from within the code.
The necessary functions are available for Control as well as for the C++-API.
Control
errClass err = makeError("pmon" , PRIO_INFO, ERR_SYSTEM, 35);
securityEvent(err);
C++-API
const ErrClass err(ErrClass::PRIO_INFO, ErrClass::ERR_SYSTEM, ErrClass::MANAGER_STOP);
ErrHdl::securityEvent(err, true);