PI Windows Event Log Interface
From SCADApedia
The Windows Event Log Interface is part of the PI IT Monitor Interfaces in OSIsoft's PI System. It reads Windows Event Logs from one or more Windows PCs and forwards selected events to a PI Server. Windows Event Logs contain many security events that are useful in attack detection and post-incident analysis.
The PI Windows Event Log Interface is used as part of Digital Bond's Portaledge to aggregate security events, correlate those events and detect cyber attacks.
Windows Event Log
Windows provides an event logging service that records numerous system events. The logging system began with Windows NT and is used in Windows 2000, XP, 2003, Vista, and later versions. The Windows Event Log contains three standard logs: the Application log, the Security log, and the System log. Logging must be enabled on the Windows PC, and the level and types of logging are configurable. (Note: the Bandolier Security Audit Files evaluate whether the security logging settings are configured to their optimal security settings.)
Additional logs are also available based on the type of system and potentially from applications that write to the Windows Event Log.
- Domain Controllers also log Directory Service and File Replication Service events
- Systems acting as a DNS server will log applicable DNS events
- SCADA and DCS application vendors can and do write security and non-security events to the Windows Event Log. This is typically done more often by control system vendors who are tightly integrated with Microsoft's Active Directory.
Each Windows Event Log record can include the following information:
- Logfile name and computer name that identify where the record came from
- Time/date the event took place
- User that caused the event. This may also be a process.
- EventID and code that indicate the event that took place
- Description of the event
- Record number: a unique number per PC
- Source that caused the event. This could be a program or driver name; perhaps a control system application.
- Event Type: There are five event types or severity levels - Error, Warning, Information, Audit Success and Audit Failure
- Category: this is often not used, but is available sometimes for security log events
A PC's events can be viewed using the Event Viewer (eventvwr.msc).
PI Windows Event Log Interface
The PI Windows Event Log Interface reads Event Log records from one or more PCs.
- The interface will run on most versions of Windows, but due to potential performance issues it is recommended to run it on an XP, Vista or Windows 7 workstation, or on a 2003 or 2008 Server
- The interface uses Windows Management Instrumentation (WMI) to read Event Logs from local and remote systems
- String values are truncated after the first 976 characters
- There are four parameters that measure queue performance and can be monitored
A PI point can store an entire Windows Event Log record or specific fields in the record. Individual points are defined as follows:
- Location 3 = Output Type. A value of 1 in Location 3 will store the entire record in the point, with the fields separated by the | character. Values 2 to 11 will place a specific field in the point; for example, Location 3 = 4 would extract the computer name and store it in the point. Values 15 and 16 will count the number of events per time period or average them per second, which can be useful for identifying abnormal activity levels.
- Location 5 = Count and Rate. These are settings used when Location 3 = 15 or 16.
- Extended Description = Filtering parameters to restrict what information is sent to the PI server. The Logfile, Computer, EventID, Event Code, Description, Source Name and Event Type can be used to filter Windows Event Log records.
- Instrument Tag = The source of the Windows Event Log. This can be a single computer or a list of computers and should match what is sent to the interface or filtered in the Extended Description.
PI Windows Event Log in Portaledge Attack Detection
There are a number of event types in the Windows Event Log that are useful indications of attack. The most obvious events to focus on are those in the Security Log that identify potential attacks, such as:
- Login Failure events such as "Unknown user name or bad password", "Account currently disabled", or "User not allowed to login to this computer".
- User account added
- Audit policy changed
The above examples focused on Windows OS log events. Applications may also write security events to the Event Log, including some control system applications.
The PI Windows Event Log Interface for Portaledge is configured to send all parts of all security events to the PI server for processing in ACE modules.
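The following is an added example, not code from the interface or from Portaledge. It parses whole-record point values in the pipe-separated layout described above (the field order is an assumption, since the page does not list the interface's column order), applies an Extended Description style filter on Logfile and Event Type, counts matching events per computer and time window in the spirit of Location 3 = 15, and flags windows where Security log audit failures exceed a constructed threshold.

```python
from collections import Counter
from datetime import datetime, timedelta

# Assumed field order of a whole-record point (Location 3 = 1); the interface's
# real column order is not stated on this page, so this layout is a construct.
FIELDS = ["logfile", "computer", "time", "user", "event_id", "event_code",
          "description", "record", "source", "event_type", "category"]
EPOCH = datetime(1970, 1, 1)

# Constructed sample records in that pipe-separated layout.
SAMPLE = """\
Security|HMI01|2024-01-15 08:00:05|operator|4625|4625|Unknown user name or bad password|101|Security|Audit Failure|Logon
Security|HMI01|2024-01-15 08:00:09|operator|4625|4625|Unknown user name or bad password|102|Security|Audit Failure|Logon
Security|HMI01|2024-01-15 08:00:14|operator|4625|4625|Account currently disabled|103|Security|Audit Failure|Logon
Security|HMI01|2024-01-15 08:00:20|operator|4625|4625|Unknown user name or bad password|104|Security|Audit Failure|Logon
Security|HMI01|2024-01-15 08:00:31|operator|4624|4624|An account was successfully logged on|105|Security|Audit Success|Logon
System|HMI01|2024-01-15 08:01:00|SYSTEM|7036|7036|Service entered the running state|106|Service Control Manager|Information|
Security|ENG02|2024-01-15 08:05:00|admin|4720|4720|A user account was created|107|Security|Audit Success|Account Management
"""

def parse_record(line):
    """Split one whole-record point value into a dict keyed by FIELDS."""
    parts = line.split("|")
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    rec = dict(zip(FIELDS, parts))
    rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S")
    return rec

def matches(rec, **criteria):
    """Extended Description style filter: every given field must match exactly."""
    return all(rec[field] == value for field, value in criteria.items())

def count_per_window(records, window_seconds, **criteria):
    """Location 3 = 15 analogue: count matching events per computer and time bucket."""
    counts = Counter()
    for rec in records:
        if not matches(rec, **criteria):
            continue
        secs = int((rec["time"] - EPOCH).total_seconds()) // window_seconds * window_seconds
        counts[(rec["computer"], EPOCH + timedelta(seconds=secs))] += 1
    return counts

def flag_logon_failure_bursts(text, window_seconds=60, threshold=3):
    """(computer, window_start, count) where Security audit failures reach the threshold."""
    records = [parse_record(l) for l in text.splitlines() if l.strip()]
    counts = count_per_window(records, window_seconds,
                              logfile="Security", event_type="Audit Failure")
    return sorted((c, w, n) for (c, w), n in counts.items() if n >= threshold)
```

The threshold and window length are constructed values; in Portaledge the equivalent decision would be made in an ACE module over the count points rather than in a stand-alone script.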
