Introduction

The BMENUA0100 module logs events in a local diagnostic buffer, then sends a record of these events to a remote syslog server where they are stored and made available to syslog clients. To diagnose older events, you can query the syslog server event records. For current module events, you can use the module web pages to diagnose the state of the syslog service and to view specified events in the diagnostic buffer.

The local buffer operates as a circular buffer, with the most recent events overwriting and replacing the oldest events when the buffer is full.

The module stores events in volatile memory.

Logged events relate to either:

The syslog service is configurable in the web pages as part of the cybersecurity configuration and, therefore, can be active only when the module is operating in Secured mode. When the module is operating in Standard mode, the service is deactivated.

As implemented in the BMENUA0100 module, syslog is supported over IPv4 (firmware version 1.0 and higher) and IPv6 (firmware version 1.10 and higher).

NOTE: Syslog is not a natively secure protocol; it must be encapsulated within an IPsec secure channel over the control port.

Syslog Message Structure

The syslog protocol – RFC 5424 – defines how events are exchanged between the module and the remote server. The syslog message structure is set forth below:

Field: Description

PRI: Facility and severity information (description provided in following tables).

VERSION: Version of the syslog protocol specification (Version = 1 for RFC 5424).

TIMESTAMP: The time stamp format follows RFC 3339, which recommends the following ISO 8601 Internet date and time format: YYYY-MM-DDThh:mm:ss.nnnZ

NOTE: -, T, :, ., and Z are mandatory characters and are part of the time stamp field. T and Z need to be written in uppercase. Z specifies that the time is UTC.

Time field content description:

  • YYYY: Year

  • MM: Month

  • DD: Day

  • hh: Hour

  • mm: Minute

  • ss: Second

  • nnn: Fraction of second in millisecond (0 if not available)

HOSTNAME: Identifies the machine that originally sent the syslog message: fully qualified domain name (FQDN) or source static IP address if FQDN is not supported.

APP-NAME: Identifies the application that initiates the syslog message. It contains information that makes it possible to identify the entity that sends the message (for example, subset of commercial reference).

PROCID: Identifies the process, or entity, or component that sends the event. Receives NILVALUE if not used.

MSGID: Identifies the type of message to which the event relates, for example HTTP, FTP, Modbus. Receives NILVALUE if not used.

MESSAGE TEXT: This field contains several pieces of information:

  • Issuer address: IP address of the entity that generates the log.

  • Peer ID: Peer ID if a peer is involved in the operation (for example, user name for a logging operation). Receives null if not used.

  • Peer address: Peer IP address if a peer is involved in the operation. Receives null if not used.

  • Type: Unique number to identify a message (description provided in following tables).

  • Comment: String that describes the message (description provided in following tables).
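The field layout above can be checked on the receiving side before an event is stored. The following Python function is an added example, not code from the module or its vendor: it splits one RFC 5424 message into the fields listed above, decodes PRI (facility * 8 + severity, per RFC 5424), and rejects time stamps that do not match the strict UTC form given in the table. The function name `parse_syslog`, the sample line, and the assumption that STRUCTURED-DATA is the NILVALUE are constructed for illustration; the internal layout of MESSAGE TEXT is not specified here, so it is returned unparsed.

```python
import re
from datetime import datetime, timezone

NILVALUE = "-"  # RFC 5424 placeholder for an unused field

# PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP rest
HEADER_RE = re.compile(
    r"<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<timestamp>\S+) "
    r"(?P<hostname>\S+) (?P<app_name>\S+) (?P<procid>\S+) (?P<msgid>\S+)"
    r"(?: (?P<rest>.*))?", re.DOTALL)
# Strict form from the table above: uppercase T and Z, three fraction digits.
TS_RE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z", re.ASCII)


def parse_syslog(line):
    """Parse one RFC 5424 message; raise ValueError if it breaks the rules above."""
    m = HEADER_RE.fullmatch(line)
    if m is None:
        raise ValueError("header does not match the RFC 5424 field layout")
    f = m.groupdict()
    pri = int(f["pri"])
    if pri > 191:  # highest facility (23) * 8 + highest severity (7)
        raise ValueError("PRI out of range")
    if f["version"] != "1":
        raise ValueError("VERSION must be 1 for RFC 5424")
    if not TS_RE.fullmatch(f["timestamp"]):
        raise ValueError("TIMESTAMP is not YYYY-MM-DDThh:mm:ss.nnnZ")
    # strptime also rejects impossible values such as month 13 or hour 25.
    ts = datetime.strptime(f["timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
    rest = f["rest"] or ""
    # Assumption: STRUCTURED-DATA is the NILVALUE; anything else is left in place.
    if rest == NILVALUE or rest.startswith(NILVALUE + " "):
        rest = rest[2:]
    nil = lambda v: None if v == NILVALUE else v
    return {
        "facility": pri >> 3,   # PRI = facility * 8 + severity
        "severity": pri & 7,
        "timestamp": ts.replace(tzinfo=timezone.utc),
        "hostname": nil(f["hostname"]),
        "app_name": nil(f["app_name"]),
        "procid": nil(f["procid"]),
        "msgid": nil(f["msgid"]),
        "message_text": rest,
    }


# Constructed sample line, not captured from a module.
SAMPLE = "<86>1 2024-05-14T09:21:07.412Z 192.0.2.10 BMENUA0100 - HTTP - constructed message text"

if __name__ == "__main__":
    print(parse_syslog(SAMPLE))
```
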

Events Related to Security/Authorization

  • Failed secure channel opening from OPC UA stack: for example, invalid certificate, expired certificate.

  • Successful user sessions (Login/Password) from OPC UA stack (successful login)

    NOTE: In case of no login (Standard mode), the log is disabled so a record of the successful connection is not created.

  • Failed user sessions (Login/Password) from OPC UA stack (failed login)

    NOTE: In case of no login (Standard mode), the log is disabled so a record of the unsuccessful connection is not created.

  • Successful HTTPS connections to or from a tool (successful login): for example, a connection to the web server or a firmware download via HTTPS.

  • Failed HTTPS login to or from a tool: for example, a failed connection to the web server or a failed firmware download via HTTPS.

  • Successful user session disconnection (on demand logout) for HTTPS.

  • Successful user session disconnection (on demand logout) for OPC UA.

  • Automatic logout: for example, an inactivity timeout for either OPC UA or HTTPS.

  • Integrity check error detected: for example, a digital signature detected error, or an integrity only (hash) detected error.

  • Create a new certificate.

  • Remove local certificates. This is accomplished by using the rotary selector switch to set the operating mode to the Security Reset position.

  • Add a new client certificate from the whitelist into the device.

  • Remove a client certificate from the whitelist in the device.

Events Related to Major Changes in the System (log audit)

  • Application or cybersecurity configuration download into the device.

  • Firmware download into the device.

  • Mismatched signature for firmware that failed to download into the device.

Syslog Web Page Diagnostics

Use the module web pages to diagnose the state of the syslog service running on the module, and to diagnose specified parts of the module’s syslog diagnostic buffer. You can also use the SERVICES_STATUS element of the module DDT to view the syslog service status.

In the Diagnostics > Event log diagnostic menu, use the following commands to view the module syslog service status:

Parameter: Description

Status:

  • Operational: the module is operating in Secured mode and the syslog service is enabled.

  • Not operational: the module is operating in Secured mode but the syslog service is disabled.

Log server:

  • Reachable: a connection can be established to the remote syslog server.

  • Not reachable: a connection cannot be established to the remote syslog server.

In the Diagnostics > Event log diagnostic menu, in the Diag Buffer to read field, input the part of the diagnostic buffer to read.