Configuring the Syslog Service

Introduction

The syslog service is used to log events regarding cyber security. The BMENOP0300 module acts as a syslog client to synchronize security events with a remote syslog server.

The syslog service is disabled by default by the BMENOP0300 module firmware.

NOTE: The service is not available when IPsec is enabled.

Configure the syslog service in Control Expert. Select Tools → Project Settings → General → PLC diagnostics. Select the Event Logging check box to edit the following features:

Event Logging Type	Action
SYSLOG server address	Enter a valid IP address. Default: 0.0.0.0
SYSLOG server port number	Use the up/down arrows to select a value between 0 and 65535. Default: 601
SYSLOG server protocol	This field is disabled. Default: tcp

Click Apply to save your edits. Click OK to close the Project Settings window.

Syslog Service Operation

Cyber security events are logged to a minimum of 100 messages before the oldest events are over written by newer events. Cyber security events are logged even when the BMENOP0300 module is operating at maximum configuration.

The BMENOP0300 module detects the following security events:

TCP lack of connection due to Access Control list (where IEC 61850 was implemented)
Communication services were enabled/disabled via the ETH_PORT_CTRL elementary function. NOTE: If FTP is enabled in the Modicon IEC 61850 Configuration Tool, it can be disabled/enabled via ETH_PORT_CTRL.
Ethernet port link up/down events
RSTP topology change
Configuration download of communication services
Program operating mode change of communications (Run, Stop)
FTP events
Unsuccessful and successful FTP login (for firmware update)

These events are currently supported in Unity Pro 12.0:

Events Related to . . .
Security/Authorization	Changes in the System (Log Audit)
Unsuccessful connection from the configuration tool or the BMENOP0300 module (unsuccessful connection due to ACL, unsuccessful login, unsuccessful TCP connection if not logged in)	Application or configuration download from the BMENOP0300 module Application or configuration upload to the BMENOP0300 module (including online changes)
Communication parameters run time change outside of the configuration (enable/disable of communication services: FTP)	Program operating mode change (Run, Stop, Init)
Baud rate changes: port link up and down
Any topology change detected: RSTP (port role change, root change)

NOTE: Unity Pro is the former name of Control Expert for version 13.1 or earlier.

Syslog Service Diagnostics

The BMENOP0300 module provides the following diagnostics for the syslog service:

EVENT_LOG_STATUS bit in scanner DDDT
EVENT_LOG_STATUS bit is set to 1 if the event log service is operational or disabled.
EVENT_LOG_STATUS bit is set to 0 if the event log service is not operational.
LOG_SERVER_NOT_REACHABLE bit in DDDT
LOG_SERVER_NOT_REACHABLE bit is set to 1 if the syslog clients does not receive an acknowledgement of the TCP messages from the syslog server.
LOG_SERVER_NOT_REACHABLE bit is set to 0 if the syslog client does receive an acknowledgement of the TCP messages from the syslog server.

(elementary function) This is a block used in a program which performs a predefined logical function.

A function does not have any information on the internal state. Several calls to the same function using the same input parameters will return the same output values. You will find information on the graphic form of the function call in the [functional block (instance)]. Unlike a call to a function block, function calls include only an output which is not named and whose name is identical to that of the function. In FBD, each call is indicated by a unique [number] via the graphic block. This number is managed automatically and cannot be modified.

Position and configure these functions in your program to execute your application.

You can also develop other functions using the SDKC development kit.