PI Windows Event Log Interface
From SCADApedia
OSIsoft's PI Windows Event Log Interface will read Windows Events from one or more Windows PCs and can forward selected events to a PI Server. Windows Event Logs contain many security events that are useful in attack detection and post-incident analysis.
Windows Event Log
Windows includes an event logger that records numerous system events. The logging system began with Windows NT and is used in Windows 2000, XP, 2003 and Vista. The Windows Event Log contains three different types of data sources: application logs, security logs and system logs. Logging must be enabled on the Windows PC, and the level and types of logging are configurable.
Additional logs are also available based on the type of system and potentially from applications that write to the Windows Event Log.
- Domain Controllers also log Directory Service and File Replication Service events
- Systems acting as DNS Service will log applicable DNS events
- SCADA and DCS application vendors can and do write security and non-security events to the Windows Event Log. This is typically done more often by control system vendors who are tightly integrated with Microsoft's Active Directory.
Each Windows Event Log record can include the following information:
- Logfile name and Computer name that identify where the record came from
- Time/date the event took place
- User that caused the event. This may also be a process.
- EventID and Code that indicate the event that took place
- Description of the event
- Record number, which is a unique number per PC
- Source that caused the event. This could be a program or driver name; perhaps a control system application.
- Event Type. There are five event types or severity levels: Error, Warning, Information, Audit Success and Audit Failure.
- Category. This is often not used, but is available sometimes for security log events.
A PC's events can be viewed using the Event Viewer (eventvwr.msc).
PI Windows Event Log Interface
The PI Windows Event Log Interface reads Event Log records from one or more PCs.
- The interface will run on most versions of Windows, but it is recommended to run on XP, 2003 Server or Vista due to some potential performance issues.
- The interface uses Windows Management Instrumentation (WMI) to read Event Logs from local and remote systems.
- String values are truncated after the first 976 characters.
- There are four parameters that measure queue performance and can be monitored.
A PI point can store an entire Windows Event Log record or specific fields in the record. Individual points are defined as follows:
- Location 3 = Output Type. A value of 1 in Location 3 will provide the entire record in the point with the fields separated by the | character. Values 2 to 11 will place specific field information in the point. For example Location 3 = 4 would extract the Computer name and put this in the point. Values 15 and 16 will count the number of events per time period or averaged per second which can be useful to identify abnormal activity levels.
- Location 5 = Count and Rate. These are settings used when Location 3 = 15 or 16.
- Extended Description = Filtering parameters to restrict what information is sent to the PI server. The Logfile, Computer, EventID, Event Code, Description, Source Name and Event Type can be used to filter Windows Event Log records.
- Instrument Tag = The source of the Windows Event Log. This can be a single computer or a list of computers and should match what is sent to the Interface or filtered in the Extended Description.
PI Windows Event Log in Portaledge Attack Detection
There are a number of event types in the Windows Event Log that are useful indications of attack. Of course the most obvious events to focus on are the events in the Security Log that identify potential attacks such as:
- Login Failure events such as "Unknown user name or bad password", "Account currently disabled", or "User not allowed to login to this computer".
- User account added
- Audit policy changed
The above examples focused on Windows OS log events. Applications may also write security events to the Event Log, including some control system applications.
The PI Windows Event Log Interface for Portaledge is configured to send all parts of all security events to the PI server for processing in ACE modules.
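The following added example (not code from OSIsoft or the Portaledge project) shows how a whole-record point (Location 3 = 1, fields separated by |) can be parsed, filtered down to the login-failure events named above, and counted per time period in the way a Location 3 = 15 point does. The field order, the timestamp format and the sample records are assumptions, since the page lists the fields but not their order.

```python
from collections import Counter
from datetime import datetime, timedelta

# Assumed field order for a Location 3 = 1 (whole-record) point: the page
# lists these fields but not their order, so this layout is hypothetical.
FIELDS = ["logfile", "computer", "time", "user", "event_id", "code",
          "description", "record", "source", "event_type", "category"]
EPOCH = datetime(1970, 1, 1)
# Login-failure phrases quoted on the page, matched case-insensitively.
LOGIN_FAILURE_PHRASES = ("unknown user name or bad password",
                         "account currently disabled",
                         "user not allowed to login to this computer")

# Constructed sample records (not captured from a real PI server).
SAMPLE_RECORDS = [
    "Security|HMI01|2024-01-10 08:00:01|admin|4625|0|Logon failure: Unknown user name or bad password|101|Security|Audit Failure|Logon",
    "Security|HMI01|2024-01-10 08:00:04|admin|4625|0|Logon failure: Unknown user name or bad password|102|Security|Audit Failure|Logon",
    "Security|HMI01|2024-01-10 08:00:09|admin|4625|0|Logon failure: Unknown user name or bad password|103|Security|Audit Failure|Logon",
    "Security|HMI01|2024-01-10 08:00:15|operator|4624|0|Successful logon|104|Security|Audit Success|Logon",
    "System|HMI01|2024-01-10 08:00:20|SYSTEM|7036|0|Service entered the running state|105|Service Control Manager|Information|",
    "Security|HMI02|2024-01-10 08:05:30|jdoe|4625|0|Logon failure: Account currently disabled|106|Security|Audit Failure|Logon",
]

def parse_record(line):
    """Split one pipe-delimited record into a dict keyed by FIELDS."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != len(FIELDS):
        # A record cut at the interface's 976-character limit can lose
        # trailing fields; reject it rather than mis-assign what is left.
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S")
    return rec

def is_login_failure(rec):
    """Security-log audit failure whose description carries a known phrase."""
    return (rec["logfile"] == "Security" and rec["event_type"] == "Audit Failure"
            and any(p in rec["description"].lower() for p in LOGIN_FAILURE_PHRASES))

def failures_per_period(lines, period=timedelta(minutes=1)):
    """Count login failures per fixed period, like a Location 3 = 15 point."""
    counts = Counter()
    for rec in map(parse_record, lines):
        if is_login_failure(rec):
            counts[EPOCH + ((rec["time"] - EPOCH) // period) * period] += 1
    return counts

def abnormal_periods(counts, threshold=3):
    """Start times of periods whose failure count reaches the threshold."""
    return sorted(t for t, n in counts.items() if n >= threshold)
```

With the sample records, the three failed logons in the 08:00 minute exceed the threshold while the single disabled-account failure at 08:05 does not, which is the kind of rate spike the page suggests a count/rate point can surface.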
