WinCC-OA Log Analysis
SCADA Application Service - Reporting
22/11/2016
James Hamilton
WinCC-OA Log Analysis
• Aim:
• Collect, parse, analyse WinCC-OA logs
• Provide centralised access and search abilities
• Related use case: value change and alarm statistics from Oracle RDB
8/3/2016 2
The Elastic Stack
Elasticsearch
“Elasticsearch is a distributed, open source search and analytics engine, designed for
horizontal scalability, reliability, and easy management. It combines the speed of
search with the power of analytics via a sophisticated, developer-friendly query
language covering structured, unstructured, and time-series data.”
https://www.elastic.co/products
• CERN IT provide Elasticsearch and Kibana as a service
• For our use cases IT has provided us with a cluster on the TN
• REST API
• Password protected
• HTTPS
Logstash / Filebeat
“Logstash is a flexible, open source data collection, enrichment, and transportation
pipeline. With connectors to common infrastructure for easy integration, Logstash
is designed to efficiently process a growing list of log, event, and unstructured data
sources for distribution into a variety of outputs, including Elasticsearch.”
https://www.elastic.co/products
Filebeat is a lightweight application for reading log files and forwarding to
Logstash (or directly to Elasticsearch).
Kibana
[Figure: Kibana screenshot with callouts for Current Time Period and Filter Bar]
Our Installation
[Figure: installation diagram with regions labelled Single Machine and IT Service]
Our Installation - Filebeat
• Installed on each server
• Updates are sent to the Logstash Shipper
• Filebeat waits for acknowledgements from the Logstash Shipper
Our Installation - Logstash Shipper
• Concatenates multi-line messages
• Outputs concatenated messages and statistics to the queue
Our Installation - Logstash Indexer
• Reads messages from the queue
• Parses the WinCC-OA logs with regexes
• Outputs parsed message to Elasticsearch and statistics to the queue
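The shipper and indexer steps from these two slides, sketched in Python as an added example (this is not the presenter's Logstash configuration). The log header layout, the field names, the `parse_failure` tag and the statistics fields are assumptions, since the slides do not show them.

```python
import re

# Assumed header (not on the slides): manager (num), timestamp, type, severity, code, text
HEADER = re.compile(
    r"^(?P<manager>\w+)\s*\((?P<num>\d+)\),\s*"
    r"(?P<timestamp>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}\.\d{3}),\s*"
    r"(?P<type>\w+),\s*(?P<severity>\w+),\s*(?P<code>\d+),\s*(?P<text>.*)$"
)

def concatenate(lines):
    """Shipper step: fold continuation lines into the preceding header line."""
    event = None
    for line in lines:
        line = line.rstrip("\r\n")
        if HEADER.match(line):
            if event is not None:
                yield event
            event = line
        elif event is not None:
            event += "\n" + line
        else:
            yield line  # orphan continuation: emit it so nothing is silently dropped
    if event is not None:
        yield event

def parse(event):
    """Indexer step: regex-parse one concatenated event into fields."""
    first, _, rest = event.partition("\n")
    m = HEADER.match(first)
    if m is None:
        # Keep the raw text and tag it (hypothetical tag name) so failures are searchable.
        return {"message": event, "tags": ["parse_failure"]}
    doc = m.groupdict()
    if rest:
        doc["text"] += "\n" + rest
    doc["num"], doc["code"] = int(doc["num"]), int(doc["code"])
    return doc

def pipeline(lines):
    """Return (parsed documents, statistics), mirroring the indexer's two outputs."""
    docs = [parse(e) for e in concatenate(lines)]
    return docs, {"events": len(docs), "parse_failures": sum("tags" in d for d in docs)}

# Constructed sample input, not real WinCC-OA output.
SAMPLE = [
    "stack trace fragment from a rotated file",
    "WCCOActrl (3), 2016.11.22 09:14:03.512, CTRL, WARNING, 81, Script error",
    "    in function main() at line 42",
    "WCCILdata (0), 2016.11.22 09:14:04.001, SYS, INFO, 0, Archive switch done",
]
```

`pipeline(SAMPLE)` yields three events: the orphan line tagged as a parse failure, one two-line warning, and one single-line info entry.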
Our Installation - Logstash Monitor
• Reads statistics messages from the queue
• Reads log files from Logstash
• Outputs statistics messages to Elasticsearch
WinCC-OA Log Dashboard
Existing Log Viewer
• Standalone application with Oracle & DIM interfaces
ELK Log Viewer
Log Viewer comparison

| Feature | ELK Logviewer | Old Logviewer |
|---|---|---|
| Database | Elasticsearch | Oracle |
| Project modification required? | No | Yes (log handler dll) |
| Type | Web application | Standalone application |
| Save filters | Feasible to implement | Yes |
| Severity colour coding | Feasible to implement | Yes |
Statistics
• 30 projects (on-going adoption)
• ~41 million WinCC-OA log entries in total, ~12GB total*
• ~600,000 log entries per day, ~500MB per day
* includes 2 replicas
RDB Statistics
Our Installation
• Aim: to get high-level statistics from the SCADA Application Service archive
RDB Statistics Dashboards
• Summary Statistics
• PSEN
• CIET Early Warning System
• MOON statistics
Demo
WinCC-OA Log Dashboard ELK Log Viewer
Correlations?