Siemens SIMATIC S7-1500 System Manual page 46


Industrial cybersecurity
4.9 Secure operation of CPUs
Forwarding to a syslog server
As of STEP 7 V19 and a CPU with FW version V3.1 or higher, you can transfer syslog messages
to a server, e.g. SINEC INS. The syslog messages are transferred to the syslog server via the
syslog protocol. The syslog server saves all syslog messages from its connected devices.
Messages of system and network events are stored centrally in a storage location in the
syslog server. At the syslog server interface, you can view the collected syslog messages and
thereby determine the source of potential security risks or problems.
Syslog messages are sent to the syslog server via port 514 (UDP) or port 6514 (TLS over TCP)
by default.
Note
If you are using UDP as the transport protocol, the data is transmitted unencrypted.
Authentication is also omitted with UDP.
Processing in a Security Information and Event Management system (SIEM system)
To accept the incoming syslog messages, a SIEM system must understand
the syslog protocol according to RFC 5424. Otherwise, the SIEM system cannot accept or
process the incoming messages.
The SIEM system breaks down the incoming syslog messages into individual elements and
assigns these elements to a dedicated event within the SIEM system. Within this event, the
SIEM system analyzes whether the individual syslog messages are related. In this way,
the SIEM system detects possible attack vectors and, if necessary, informs the user, e.g. in the
event of multiple attacks at several points in the system.
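The following added example (not part of the Siemens manual) shows how a receiver can break an RFC 5424 message into its individual elements and reject input that does not follow the format. The sample messages, host name, application name, message ID and structured-data ID are constructed for illustration and do not reflect actual CPU message content.

```python
import re

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
_HEADER = re.compile(
    r"<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) (?P<timestamp>\S+) "
    r"(?P<hostname>\S+) (?P<app_name>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)",
    re.DOTALL,
)
_VALUE = r'(?:\\.|[^"\\\]])*'  # '"', '\' and ']' must be backslash-escaped
_SD_PARAM = re.compile(r' ([^ =\]"]+)="(' + _VALUE + r')"')
_SD_ELEMENT = re.compile(r'\[([^ =\]"]+)((?: [^ =\]"]+="' + _VALUE + r'")*)\]')


def parse_rfc5424(line):
    """Split one RFC 5424 syslog message into the fields a SIEM would index."""
    m = _HEADER.match(line)
    if m is None:
        raise ValueError("not an RFC 5424 message")
    pri = int(m["pri"])
    if pri > 191:  # highest valid value: facility 23 * 8 + severity 7
        raise ValueError("PRI out of range")
    event = {"facility": pri >> 3, "severity": pri & 7, "version": int(m["version"])}
    for name in ("timestamp", "hostname", "app_name", "procid", "msgid"):
        event[name] = None if m[name] == "-" else m[name]  # "-" is NILVALUE
    sd, rest = {}, m["rest"]
    if rest.startswith("-"):  # no structured data present
        rest = rest[1:]
    else:
        while (el := _SD_ELEMENT.match(rest)):
            sd[el[1]] = {k: re.sub(r'\\(["\\\]])', r"\1", v)
                         for k, v in _SD_PARAM.findall(el[2])}
            rest = rest[el.end():]
        if not sd:
            raise ValueError("malformed STRUCTURED-DATA")
    if rest and not rest.startswith(" "):
        raise ValueError("unexpected data after STRUCTURED-DATA")
    event["structured_data"] = sd
    event["msg"] = rest[1:].lstrip("\ufeff")  # drop the optional UTF-8 BOM
    return event


# Constructed sample messages (not real CPU output).
SAMPLE_EVENT = ('<84>1 2023-11-14T09:30:00.000Z plc-line1 cpu - LOGIN '
                '[origin@32473 user="operator" note="slot[2\\]"] Login rejected')
SAMPLE_NIL = "<14>1 - - - - - - hello"
SAMPLE_LEGACY = "<34>Oct 11 22:14:15 host su: failed"  # BSD style, not RFC 5424

if __name__ == "__main__":
    print(parse_rfc5424(SAMPLE_EVENT))
```

The legacy BSD-style line raises `ValueError`, which corresponds to the case above in which a receiver that expects RFC 5424 cannot process the incoming message.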
SIMATIC Drive Controller
System Manual, 11/2023, A5E46600094-AD