Security Event Logging Configuration

To allow continuous monitoring of your WinCC OA environment with external tools (e.g. a SIEM tool; see What is a SIEM Tool?), specific logging of security-related events can be enabled within WinCC OA.

Activate external error handling

externErrHdl

By using the config entry [general] externErrHdl, the plug-in for external error handling can be configured. For the specific handling of security certificates, the plug-ins SE_File and SE_Syslog are available. These plug-ins write the security event messages either to a file or to the error log of the operating system.

This config entry must be set to enable the external handling of security event messages!

Tip: The API Manager can also be used to create your own plug-ins, which can be used to implement a system-specific solution.

[general]
externErrHdl = "SE_Syslog"

Security Events Panel

The configuration panel for security events allows the user to define which security events should be written to the system log.

The Security Events panel is located within System Management > Diagnostic > Security Events.

Sec. Events

The Sec. Events tab of the Security Events panel allows the user to define which events should be sent to the system log. By default, all available events are written to the system log. Deselecting the check box of an event excludes its log message from the system log; the message is then only written to the WinCC OA log.

Within this panel, the IDs as well as the names of the events are included. Further details for each event can be found within the Security Events in WinCC OA list.

Log Handler

By activating the system log output, not only the dedicated security events but all WinCC OA log messages can be written to an external tool.

SecurityEvents_initList.json

The SecurityEvents_initList.json is a JSON file that provides security-related event messages generated by WinCC OA and currently activated for observation.

The file is located in the \data\ContinuousMonitoring subfolder of the WinCC OA installation. A derived version of this file can reside within the project folder to contain the project specific configuration of security events.

These files are a resource for configuring an interface to a SIEM tool to monitor WinCC OA-related messages effectively. The SIEM tool needs to be configured to monitor and respond to security events according to project-specific requirements.

SecurityEvents_initList.json

{
  "GlobalSettings":{"Severity": "None"},
  "SecurityEvents":[
  {
    "Name": "Start Manager",
    "ID": "SE_MANAGER_START",
    "EventID": "1",
    "SiemensID": "401",
    "SecurityLog": "TRUE"
  },
  {
    "Name": "Stop Manager",
    "ID": "SE_MANAGER_STOP",
    "EventID": "2",
    "SiemensID": "402",
    "SecurityLog": "TRUE"
  },
...
}]
}

Custom Security Events

To add new project-specific security events, the SecurityEvents_initList.json can be extended. For this, a new SecurityEvents_initList.json must be created within the \data\ContinuousMonitoring folder of the project directory. The custom events are added to this file in the same way as the events in the file located within the version directory.

Custom Security Event

{
  "GlobalSettings":{"Severity": "None"},
  "SecurityEvents":[
  {
   "Name": "My Custom Security Event",
   "ID": "SE_CUSTOM_EVENT",
   "EventID": "99",
   "SiemensID": "5000",
   "SecurityLog": "TRUE"
  }]
}
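
The following added example (not part of the WinCC OA documentation or product code) shows one way to turn the version file and a project file into an EventID lookup for a SIEM parser and to catch conflicting entries before deployment. It assumes that a project entry replaces the version entry with the same ID, that "SecurityLog" marks events forwarded to the system log, and that "FALSE" is the value for a deselected event; the sample data is constructed.

```python
import json

# Constructed sample data in the layout shown on this page (not real project files).
VERSION_FILE = """{
  "GlobalSettings": {"Severity": "None"},
  "SecurityEvents": [
    {"Name": "Start Manager", "ID": "SE_MANAGER_START", "EventID": "1", "SiemensID": "401", "SecurityLog": "TRUE"},
    {"Name": "Stop Manager", "ID": "SE_MANAGER_STOP", "EventID": "2", "SiemensID": "402", "SecurityLog": "TRUE"}
  ]
}"""
PROJECT_FILE = """{
  "GlobalSettings": {"Severity": "None"},
  "SecurityEvents": [
    {"Name": "Stop Manager", "ID": "SE_MANAGER_STOP", "EventID": "2", "SiemensID": "402", "SecurityLog": "FALSE"},
    {"Name": "My Custom Security Event", "ID": "SE_CUSTOM_EVENT", "EventID": "99", "SiemensID": "5000", "SecurityLog": "TRUE"}
  ]
}"""

REQUIRED = ("Name", "ID", "EventID", "SiemensID", "SecurityLog")

def load_events(text):
    """Parse one SecurityEvents_initList.json document and check each entry."""
    events = json.loads(text)["SecurityEvents"]
    for ev in events:
        missing = [k for k in REQUIRED if k not in ev]
        if missing:
            raise ValueError(f"event {ev.get('ID', '?')} lacks {missing}")
        if ev["SecurityLog"] not in ("TRUE", "FALSE"):  # "FALSE" is an assumed value
            raise ValueError(f"event {ev['ID']}: bad SecurityLog value")
    return events

def merge_events(version_text, project_text):
    """Assumption: a project entry replaces the version entry with the same ID."""
    merged = {ev["ID"]: ev for ev in load_events(version_text)}
    merged.update({ev["ID"]: ev for ev in load_events(project_text)})
    seen = {}
    for ev in merged.values():  # an EventID shared by two IDs is ambiguous for the SIEM
        if ev["EventID"] in seen:
            raise ValueError(f"EventID {ev['EventID']} used by {seen[ev['EventID']]} and {ev['ID']}")
        seen[ev["EventID"]] = ev["ID"]
    return merged

def siem_lookup(merged):
    """Map EventID -> (ID, Name) for entries with SecurityLog set to TRUE."""
    return {int(ev["EventID"]): (ev["ID"], ev["Name"])
            for ev in merged.values() if ev["SecurityLog"] == "TRUE"}

if __name__ == "__main__":
    print(siem_lookup(merge_events(VERSION_FILE, PROJECT_FILE)))
```

Running the check whenever the project file changes keeps the SIEM parsing rules in step with the events that are actually forwarded.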

Security Events within the Code

The following examples show how to properly call a security event from within the code.

The necessary functions are available for Control as well as for the C++-API.

Control

errClass err = makeError("pmon", PRIO_INFO, ERR_SYSTEM, 35);

securityEvent(err);

C++-API

const ErrClass err(ErrClass::PRIO_INFO, ErrClass::ERR_SYSTEM, ErrClass::MANAGER_STOP);

ErrHdl::securityEvent(err, true);