Security Event Logging Configuration
To allow continuous monitoring of your WinCC OA environment with external tools (e.g. a SIEM tool), specific logging of security-related events can be enabled within WinCC OA.
Activate external error handling
externErrHdl
The config entry [general] externErrHdl selects the plug-in for external error handling. For the specific handling of security events, the plug-ins SE_File and SE_Syslog are available. These plug-ins write the security event messages either to a file or to the system log of the operating system.
This config entry must be set to enable the external handling of security event messages; without it, the selection in the Security Events panel and in SecurityEvents_initList.json has no effect on external tools.
[general]
externErrHdl = "SE_Syslog"
Security Events Panel
The configuration panel for security events allows the user to define which security events should be written to the system log.
The Security Events panel is located within
Sec. Events
The Sec. Events tab of the Security Events panel lets the user define which events are sent to the system log. By default, all available events are written to the system log; clearing the check box of an event excludes that message from the system log, and it is then written only to the WinCC OA log.
The panel lists both the IDs and the names of the events. Further details for each event can be found in the Security Events in WinCC OA list.
Log Handler
By activating the system log output of the Log Handler, not only the dedicated security events but all WinCC OA log messages can be written to an external tool.
SecurityEvents_initList.json
SecurityEvents_initList.json is a JSON file that lists the security-related event messages generated by WinCC OA and currently activated for observation.
The file is located in the \data\ContinuousMonitoring subfolder of the WinCC OA installation. A derived version of this file can reside in the project folder and contain the project-specific configuration of security events.
These files are a resource for configuring an interface to a SIEM tool so that WinCC OA-related messages are monitored effectively. The SIEM tool itself must be configured to monitor and respond to the security events according to project-specific requirements.
SecurityEvents_initList.json
{
  "GlobalSettings": {"Severity": "None"},
  "SecurityEvents": [
    {
      "Name": "Start Manager",
      "ID": "SE_MANAGER_START",
      "EventID": "1",
      "SiemensID": "401",
      "SecurityLog": "TRUE"
    },
    {
      "Name": "Stop Manager",
      "ID": "SE_MANAGER_STOP",
      "EventID": "2",
      "SiemensID": "402",
      "SecurityLog": "TRUE"
    },
    ...
  ]
}
Field of a security event | Description
---|---
"Name" | Descriptive name of the event.
"ID" | Short symbolic name of the event (e.g. SE_MANAGER_START).
"EventID" | The ETM key identifying the event.
"SiemensID" | Siemens key for common use across several Siemens products.
"SecurityLog" | Determines whether the event is output to the SecurityLog. TRUE = the event is output to the SecurityLog.
Custom Security Events
To add project-specific security events, SecurityEvents_initList.json can be extended with project-specific events. For this, a new SecurityEvents_initList.json must be created in the \data\ContinuousMonitoring folder of the project directory; the custom events are added there in the same form as in the file located in the version directory.
Custom Security Event
{
  "GlobalSettings": {"Severity": "None"},
  "SecurityEvents": [
    {
      "Name": "My Custom Security Event",
      "ID": "SE_CUSTOM_EVENT",
      "EventID": "99",
      "SiemensID": "0",
      "SecurityLog": "TRUE"
    }
  ]
}
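Before trusting that a SIEM receives the events it should, a practitioner wants to check the two things this page makes configuration-dependent: that [general] externErrHdl is actually set, and which entries of the version and project SecurityEvents_initList.json files end up with SecurityLog = TRUE. The following script is an added example (not WinCC OA code, and not shipped with the product) that parses both files and the config file and reports the forwarded events and obvious mistakes. It assumes that a project entry with the same "ID" replaces the version entry (the page does not define the merge rule), and that a custom event must not reuse an existing EventID. The config text and both JSON files are constructed samples embedded inline.

```python
"""Audit which WinCC OA security events will reach the external log / SIEM.

Added example, not part of WinCC OA. Assumptions: project entries override
version entries with the same "ID"; EventID values must be unique.
"""
import json
import re

# Constructed sample of the installation file (only the two events shown on the page).
VERSION_LIST = """{
  "GlobalSettings": {"Severity": "None"},
  "SecurityEvents": [
    {"Name": "Start Manager", "ID": "SE_MANAGER_START", "EventID": "1", "SiemensID": "401", "SecurityLog": "TRUE"},
    {"Name": "Stop Manager",  "ID": "SE_MANAGER_STOP",  "EventID": "2", "SiemensID": "402", "SecurityLog": "TRUE"}
  ]
}"""

# Constructed project override: switches SE_MANAGER_START off and adds a custom event.
PROJECT_LIST = """{
  "GlobalSettings": {"Severity": "None"},
  "SecurityEvents": [
    {"Name": "Start Manager", "ID": "SE_MANAGER_START", "EventID": "1", "SiemensID": "401", "SecurityLog": "FALSE"},
    {"Name": "My Custom Security Event", "ID": "SE_CUSTOM_EVENT", "EventID": "99", "SiemensID": "0", "SecurityLog": "TRUE"}
  ]
}"""

# Constructed project config file; only [general] externErrHdl matters here.
CONFIG = """[general]
pvss_path = "C:/Siemens/Automation/WinCC_OA/3.19"
proj_path = "C:/WinCC_OA_Proj/secdemo"
externErrHdl = "SE_Syslog"

[ctrl]
"""

KNOWN_HANDLERS = ("SE_File", "SE_Syslog")  # the plug-ins named on the page
REQUIRED = ("Name", "ID", "EventID", "SiemensID", "SecurityLog")


def extern_err_hdl(config_text):
    """Return the [general] externErrHdl value, or None if it is not set there."""
    section = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)  # INI-style section header
        if m:
            section = m.group(1)
            continue
        if section != "general":
            continue  # the same key in another section does not count
        m = re.fullmatch(r'externErrHdl\s*=\s*"?([^"]*)"?', line)
        if m:
            return m.group(1).strip()
    return None


def load_events(text):
    """Parse one SecurityEvents_initList.json and validate every entry."""
    if not text.strip():
        return []  # no project file present
    events = []
    for i, ev in enumerate(json.loads(text).get("SecurityEvents", [])):
        missing = [k for k in REQUIRED if k not in ev]
        if missing:
            raise ValueError(f"event #{i} lacks fields {missing}")
        if not ev["EventID"].isdigit():
            raise ValueError(f"{ev['ID']}: EventID {ev['EventID']!r} is not numeric")
        if ev["SecurityLog"].upper() not in ("TRUE", "FALSE"):
            raise ValueError(f"{ev['ID']}: SecurityLog must be TRUE or FALSE")
        events.append(ev)
    return events


def merge_events(version_events, project_events):
    """Key both lists by ID; project entries win (assumption, see lead-in)."""
    merged = {ev["ID"]: ev for ev in version_events}
    merged.update({ev["ID"]: ev for ev in project_events})
    return merged


def eventid_collisions(merged):
    """EventIDs shared by more than one event, e.g. a custom event reusing a built-in one."""
    by_eid = {}
    for ev in merged.values():
        by_eid.setdefault(ev["EventID"], []).append(ev["ID"])
    return sorted((eid, sorted(ids)) for eid, ids in by_eid.items() if len(ids) > 1)


def forwarded_ids(merged):
    """IDs of the events that are written to the SecurityLog."""
    return sorted(i for i, ev in merged.items() if ev["SecurityLog"].upper() == "TRUE")


def audit(config_text, version_text, project_text=""):
    """Combine the checks into one report dictionary."""
    handler = extern_err_hdl(config_text)
    merged = merge_events(load_events(version_text), load_events(project_text))
    problems = []
    if handler is None:
        problems.append("[general] externErrHdl is not set: no security event leaves "
                        "WinCC OA, whatever the JSON enables")
    elif handler not in KNOWN_HANDLERS:
        problems.append(f"externErrHdl={handler!r} is not one of {KNOWN_HANDLERS}")
    collisions = eventid_collisions(merged)
    for eid, ids in collisions:
        problems.append(f"EventID {eid} is used by {', '.join(ids)}")
    return {"handler": handler, "forwarded": forwarded_ids(merged),
            "collisions": collisions, "problems": problems}


if __name__ == "__main__":
    for key, value in audit(CONFIG, VERSION_LIST, PROJECT_LIST).items():
        print(f"{key}: {value}")
```

Run it against the real files by reading the config file, the installation copy under \data\ContinuousMonitoring and the project copy into the three strings. The missing-handler case is the one that bites most often: the JSON can list every event as TRUE and nothing reaches the SIEM until externErrHdl is set.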
Security Events within the Code
The following examples show how to trigger a security event correctly from code. The necessary functions are available for Control as well as for the C++ API.
Control
// Build the error object: message catalog "pmon", priority, error type, error code 35
errClass err = makeError("pmon", PRIO_INFO, ERR_SYSTEM, 35);
// Report it as a security event so the external error handler receives it
securityEvent(err, TRUE);
C++-API
// Build the error object (priority, error type, error code); the arguments are comma-separated
const ErrClass err(ErrClass::PRIO_INFO, ErrClass::ERR_SYSTEM, ErrClass::MANAGER_STOP);
// Report it as a security event so the external error handler receives it
ErrHdl::securityEvent(err, true);
Remote MxProxy
This chapter describes the setup of continuous monitoring on a remote machine, using MxProxy as an example.
- Activate the external error handler according to the project requirements, using the config entry [general] externErrHdl.
- Manually copy the file SecurityEvents_initList.json (from the installation or, if you already changed it, from your project) to the client: <project>/data/ContinuousMonitoring.
- For changes during runtime: copy the SecurityEvents_initList.json file again and call the CTRL function reloadSecurityEventConfig() on the remote machine.