Upload File

scada statistics monitoring using the elastic stack (elasticsearch, logstash,...

  • Home
  • Documents
  • SCADA Statistics Monitoring Using the Elastic Stack (Elasticsearch, Logstash, Kibana)accelconf.web.cern.ch/AccelConf/icalepcs2017/posters/... · 2018-02-12 · Elasticsearch Logstash
1
James Hamilton, Brad Schofield, Manuel Gonzalez Berges, Jean-Charles Tournier Corresponding author: James Hamilton [email protected] CERN Beams Department Industrial Controls and Safety Systems Group SCADA Statistics Monitoring Using the Elastic Stack The Problem The Industrial Controls and Safety systems group at CERN, in collaboration with other groups, have developed and currently maintain around 200 controls applications that include domains such as LHC magnet protection, cryogenics and electrical network supervision systems. Millions of value changes and alarms from many devices are archived to a centralised Oracle database but it is not easy to obtain high-level statistics from such an archive. A system based on Elasticsearch, Logstash and Kibana (the Elastic Stack) has been implemented in order to provide easy access to these statistics. This system provides aggregated statistics based on the number of value changes and alarms, classified according to several criteria (e.g. time, application domain, system, device). The system can be used, for example, to detect abnormal situations and alarm misconfiguration. In addition to these statistics each application generates text-based log files which are parsed, collected and displayed using the Elastic Stack, to provide centralised access to all the application logs. Technology Elasticsearch Logstash Kibana Beats Statistics 145 applications 800,000,000 value changes per day 600,000 alarms per day 1,000,000 log entries per day 3,000,000 Elasticsearch documents per day Value Change & Alarm Statistics Application Text Logs Value Change & Alarm Dashboard Case Study: Archive Misconfiguration Conclusion The application LHC Circuit which monitors the roughly 1600 power converters for the LHC was found to have a faulty archiving setting for the reference voltages of many devices. As an analog value, the voltage reference would typically be expected to have the customary deadband filtering. However, a number of devices had been configured with ‘on change’ archiving, meaning that voltage reference values were being sent to the archive at their sampling rate of approximately 2Hz. This translated to over one hundred thousand value changes per day, which stood out very clearly in the value change statistics. For example, in the figure on the left the bar charts are split into slices for each application and it can be seen which applications have higher numbers of value changes & alarms. Thanks to the service the archive settings could be corrected for all affected devices. Industrial controls applications at CERN produce lots of data in different areas including an archive of process and system data and log files. There are many activities going on to analyse this data and get value from it. The developed service presents a high-level approach where the data is mainly viewed as aggregated statistics and correlations. Only in some cases is the actual data processed in detail. The service presented has been built on a modern state of the art set of tools - the Elastic Stack - that greatly facilitated the task. There is a huge amount of ‘noise’ in the controls application logs which provides a good candidate for anomaly detection using machine learning. It is currently difficult to find the ‘true’ errors when looking through the log and an automated method of detecting anomalies would be very helpful for the application developers. Furthermore, we believe that the combination of value & alarm statistics and application logs could lead to some interesting results to better understand the behaviour of CERN's controls applications. For example, if there are errors in the log there could be corresponding alarms. Each Elasticsearch document contains the count of value changes/alarms for that day ~500 daily SQL to obtain aggregate statistics Users won’t see live data in Kibana but aggregated data from previous days Queries are scheduled using Logstash with the logstash-input-jdbc plugin Filebeat – a lightweight application – runs on each production server Logstash shippers receive log entries and combine multiline log entries The queue holds log entries temporarily Logstash indexers read from the queue and parse the logs using regular expressions Easy to scale parsing by adding more indexers Logstash monitor reads error logs and statistics from shippers, indexers and queue TUPHA034 High number of value changes

Upload: others

Post on 29-May-2020

53 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: SCADA Statistics Monitoring Using the Elastic Stack (Elasticsearch, Logstash, Kibana)accelconf.web.cern.ch/AccelConf/icalepcs2017/posters/... · 2018-02-12 · Elasticsearch Logstash

James Hamilton, Brad Schofield, Manuel Gonzalez Berges, Jean-Charles Tournier

Corresponding author: James Hamilton [email protected]

CERN Beams DepartmentIndustrial Controls and Safety Systems Group

SCADA Statistics Monitoring Using the Elastic Stack

The Problem

The Industrial Controls and Safety systems group at CERN, in collaboration with other groups, have developed and currently maintain around 200 controls applications that include domains such as LHC magnet protection, cryogenics and electrical network supervision systems. Millions of value changes and alarms from many devices are archived to a centralised Oracle database but it is not easy to obtain high-level statistics from such an archive. A system based on Elasticsearch, Logstash and Kibana (the Elastic Stack) has been implemented in order to provide easy access to these statistics. This system provides aggregated statistics based on the number of value changes and alarms, classified according to several criteria (e.g. time, application domain, system, device). The system can be used, for example, to detect abnormal situations and alarm misconfiguration. In addition to these statistics each application generates text-based log files which are parsed, collected and displayed using the Elastic Stack, to provide centralised access to all the application logs.

Technology

Elasticsearch Logstash Kibana Beats

Statistics 145 applications 800,000,000 value changes per day 600,000 alarms per day 1,000,000 log entries per day 3,000,000 Elasticsearch documents per day

Value Change & Alarm Statistics Application Text Logs

Value Change & Alarm Dashboard Case Study: Archive Misconfiguration

Conclusion

The application LHC Circuit which monitors the roughly 1600 power converters for the LHC was found to have a faulty archiving setting for the reference voltages of many devices. As an analog value, the voltage reference would typically be expected to have the customary deadband filtering.

However, a number of devices had been configured with ‘on change’ archiving, meaning that voltage reference values were being sent to the archive at their sampling rate of approximately 2Hz. This translated to over one hundred thousand value changes per day, which stood out very clearly in the value change statistics. For example, in the figure on the left the bar charts are split into slices for each application and it can be seen which applications have higher numbers of value changes & alarms. Thanks to the service the archive settings could be corrected for all affected devices.

Industrial controls applications at CERN produce lots of data in different areas including an archive of process and system data and log files. There are many activities going on to analyse this data and get value from it. The developed service presents a high-level approach where the data is mainly viewed as aggregated statistics and correlations. Only in some cases is the actual data processed in detail. The service presented has been built on a modern state of the art set of tools - the Elastic Stack - that greatly facilitated the task.

There is a huge amount of ‘noise’ in the controls application logs which provides a good candidate for anomaly detection using machine learning. It is currently difficult to find the ‘true’ errors when looking through the log and an automated method of detecting anomalies would be very helpful for the application developers.

Furthermore, we believe that the combination of value & alarm statistics and application logs could lead to some interesting results to better understand the behaviour of CERN's controls applications. For example, if there are errors in the log there could be corresponding alarms.

Each Elasticsearch document contains the count of value changes/alarms for that day ~500 daily SQL to obtain aggregate statistics Users won’t see live data in Kibana but aggregated data from previous days Queries are scheduled using Logstash with the logstash-input-jdbc plugin

Filebeat – a lightweight application – runs on each production server Logstash shippers receive log entries and combine multiline log entries The queue holds log entries temporarily Logstash indexers read from the queue and parse the logs using regular expressions Easy to scale parsing by adding more indexers Logstash monitor reads error logs and statistics from shippers, indexers and queue

TUPHA034

High number of value changes

Using ELK-Stack (Elasticsearch, Logstash and Kibana) with BizTalk Server

How to integrate the Elasticsearch Logstash Kibana (ELK ... · How to integrate the Elasticsearch Logstash Kibana (ELK) log analytics stack into IBM Bluemix Nick Cawood IBM Cloud

From zero to hero - Easy log centralization with Logstash and Elasticsearch

Logstash, ElasticSearch, Kibana

Log Management With Logstash and Elasticsearch

Using elasticsearch, logstash and kibana to create ...gotocon.com/dl/goto-berlin-2014/GOTO_Night/logstash-kibana-intro.pdfUsing elasticsearch, logstash and kibana to create realtime

Using Logstash and Elasticsearch analytics capabilities as ... · PDF fileUsing Logstash and Elasticsearch analytics capabilities as a BI tool Paschalis Korosoglou1, Pavlos Daoglou1,

Logstash, Kibana, Elasticsearch: Im Dreiklang Performance sichtbar machen

Log analysis using Logstash,ElasticSearch and Kibana

Elasticsearch como gerenciar seus logs com logstash e kibana

Elasticsearch, Logstash & Kibana

SCADA Statistics Monitoring Using the Elastic Stack ...icalepcs2017.vrws.de/papers/tupha034.pdf · SCADA STATISTICS MONITORING USING THE Elastic Stack (Elasticsearch, Logstash, Kibana)

ELASTIC SEARCH, LOGSTASH, KIBANA & · PDF fileInstall LogSTASH Install java much like elasticsearch installation step Run the following command to import the Elasticsearch public GPG

Log analysis OpenSource con Logstash, Elasticsearch e Kibana

Wrangling Logs With Logstash and ElasticSearch Presentation

Introduction to Elasticsearch and Logstash. - KIT · PDF fileOutline 1 Introduction 2 Logstash Introduction 3 Elasticsearch Introduction 4 Conclusions Introduction Logstash ElasticsearchConclusions

Lessons Learned in Deploying the ELK Stack (Elasticsearch, Logstash, and Kibana)

Using Logstash and Elasticsearch analytics capabilities · PDF fileit.auth Outline • Technical stuff (Logstash, Elastic, Kibana, Ansible) • Motivation for monitoring Software licenses

Elk - Elasticsearch Logstash Kibana stack explained

Datenanalyse und Visualisierung mit Hilfe des ELK-Stacks ... · stash )Kibana, sondern Logstash )Elasticsearch )Kibana. 2.1.1. Logstash Das folgende Kapitel handelt von Logstash und

Using elasticsearch, logstash and kibana to create realtime

Wrangling Logs with Logstash and ElasticSearchassets.en.oreilly.com/1/event/80/Wrangling Logs with Logstash and... · Wrangling Logs with Logstash and ElasticSearch Nate Jones & David

Webinar - Centralising syslogs with the new beats, logstash and elasticsearch

Elasticsearch, Logstash, and Other Data - · PDF fileElasticsearch, Logstash, and Other Data Contents Preamble and Introduction 3 The ELK Stack 9 Elasticsearch 13 Installation and

ELASTICSEARCH | LOGSTASH | KIBANA”Elasticsearch, along with Logstash and Kibana, provides a powerful open source platform for indexing, searching and ... datadog_metrics elasticsearch

Elasticsearch, Logstash, Kibana Technical Walk-Throughfiles.meetup.com/16806932/ES-Technical-Walk-Through_ADL_201508.pdf · 3 Elasticsearch Terminology •A node is a single Elasticsearch

Network Security with...Elasticsearch, Logstash, and Kibana Stack 92 Elasticsearch 92 Logstash 92 Kibana 93 Elasticsearch Marvel and Shield 94 ELK Deployment Topology 94 Installing

Logstash + Elasticsearch + Kibana Presentation on Startit Tech Meetup

Query log analytics - using logstash, elasticsearch and kibana 28.11.2013

From Zero to Hero - Centralized Logging with Logstash & Elasticsearch

Elasticsearch with Logstash and Log management - Indico · PDF fileOutline Centralized logging. Logstash: what you can do with it. Logstash + Redis + Elasticsearch. Grok filtering

Elasticsearch Logstash and Kibana (ELK) VM for …...Elasticsearch Logstash and Kibana (ELK) VM for Hitachi Hyper Scale-Out Platform (HSP) Deployment Guide Author HDS Subject This

Data Discovery and Systems Diagnostics with Elasticsearch, Logstash and Kibana

Attack monitoring using ElasticSearch Logstash and Kibana

Logging with Elasticsearch, Logstash & Kibana