{"id":1506,"date":"2025-03-13T18:16:49","date_gmt":"2025-03-13T16:16:49","guid":{"rendered":"https:\/\/www.rocworks.at\/wordpress\/?p=1506"},"modified":"2025-03-13T18:20:16","modified_gmt":"2025-03-13T16:20:16","slug":"capturing-wincc-unified-traces-and-logs-to-elasticsearch","status":"publish","type":"post","link":"https:\/\/www.rocworks.at\/wordpress\/?p=1506","title":{"rendered":"Capturing WinCC Unified Traces to Elasticsearch"},"content":{"rendered":"\n

In industrial automation, logging and monitoring are crucial for maintaining system health and troubleshooting issues. Siemens WinCC Unified provides built-in tracing capabilities that. In this post I will show how to capture that traces to Elasticsearch to allow seamless log collection, storage, and visualization. <\/p>\n\n\n\n

Step 1: Capturing WinCC Unified Traces<\/h2>\n\n\n\n

WinCC Unified provides a trace tool that simplifies the process of collecting traces. The tool allows logs to be written to files, which can then be read by Logstash (a tool to process log files).<\/p>\n\n\n\n

In that example we will write the log files to C:\\Tools\\logstash-siemens\\logs directory.<\/p>\n\n\n\n

\"C:\\Program Files\\Siemens\\Automation\\WinCCUnified\\bin\\RTILtraceTool.exe\" -mode logger -path C:\\Tools\\logstash-siemens\\logs\n<\/code><\/code><\/pre>\n\n\n\n
Step 2: Collecting Logs with Logstash<\/h2>\n\n\n\n
Create a Logstash configuration file (e.g.,\u00a0C:\\Tools\\logstash-siemens\\logstash.conf<\/code><\/code>) with the following setup:<\/p>\n\n\n\n
input {\n  file {\n    path => \"C:\/Tools\/logstash-siemens\/logs\/*.log\"  # Use forward slashes for Windows paths\n    start_position => \"beginning\"\n    sincedb_path => \"C:\/Tools\/logstash-siemens\/sincedb\"  # Save the reading state\n    codec => plain {\n      charset => \"UTF-8\"\n    }\n  }\n}\n\nfilter {\n  # Drop empty lines\n  if [message] =~ \/^\\s*$\/ {\n    drop { }\n  }\n\n  # Add a custom field to identify the log source\n  mutate {\n    add_field => { \"Source\" => \"WinCC Unified\" }\n  }\n\n  # Use dissect to parse the log format correctly\n  dissect {\n    mapping => {\n      \"message\" => \"%{#}|%{Host}|%{System}|%{Application}|%{Subsystem}|%{Module}|%{Severity}|%{Flags}|%{Timestamp}|%{Process\/Thread}|%{Message}\"\n    }\n\t  remove_field => [\"message\"]\n  }\n\n  # Remove leading and trailing spaces\n  mutate {\n    strip => [\"#\", \"Host\", \"System\", \"Application\", \"Subsystem\", \"Module\", \"Severity\", \"Flags\", \"Timestamp\", \"Process\/Thread\"]\n  }\n\n  # Convert timestamp to @Timestamp (ensure it matches your log format)\n  date {\n    match => [\"Timestamp\", \"yyyy.MM.dd HH:mm:ss.SSS\"]\n    target => \"@timestamp\"\n    timezone => \"UTC\"\n    locale => \"en\"  # Add locale to avoid parsing issues due to different formats or locales\n  }\n}\n\noutput {\n  # stdout {\n  #   codec => json_lines\n  # }\n\n  # Elasticsearch output (uncomment to enable)\n  elasticsearch {\n     hosts => [\"http:\/\/linux0:9200\"] # Change it to your Elasticsearch host\n     index => \"wincc-traces-%{+YYYY.MM}\"\n     # user => \"elastic\"\n     # password => \"elastic\"\n  }\n}\n<\/code><\/pre>\n\n\n\n
Start Logstash to collect log files. First, download Logstash (https:\/\/www.elastic.co\/downloads\/logstash<\/a>) and extract it to C:\\Tools.<\/p>\n\n\n\n
Then, run the following command to start Logstash using the specified configuration file:<\/p>\n\n\n\n
C:\\Tools\\logstash-8.17.3\\bin\\logstash.bat -f C:\\Tools\\logstash-siemens\\logstash.conf<\/code><\/p>\n\n\n\n
Forwarding Traces from WinCC Unified Panels<\/h2>\n\n\n\n

For WinCC Unified Panels, trace forwarding can be enabled, allowing traces to be captured with the WinCC Unified trace tool on a PC. The traces will then be also be written to files on the same PC (by the tool you started at Step 1).<\/p>\n\n\n
“C:\\Program Files\\Siemens\\Automation\\WinCCUnified\\bin\\RTILtraceTool.exe” -mode receiver -host  -tcp<\/p>\n\n\n\n
Step 4: Visualizing Logs in Kibana<\/h2>\n\n\n\n
Once logs are stored in Elasticsearch, Kibana provides a powerful interface to explore and analyze them.<\/p>\n\n\n\n
    \n
  1. Open Kibana and navigate to\u00a0Stack Management > Index Patterns<\/strong>.<\/li>\n\n\n\n
  2. Create a new index pattern matching\u00a0wincc-traces-*<\/code>.<\/li>\n\n\n\n
  3. Use\u00a0Discover<\/strong>\u00a0to explore logs and apply filters.<\/li>\n\n\n\n
  4. Create dashboards and visualizations to monitor system health and performance.<\/li>\n<\/ol>\n\n\n
    \n
    \"\"<\/a><\/figure>\n<\/div>\n\n
    \n
    \"\"<\/a><\/figure>\n<\/div>","protected":false},"excerpt":{"rendered":"
    In industrial automation, logging and monitoring are crucial for maintaining system health and troubleshooting issues. Siemens WinCC Unified provides built-in tracing capabilities that. In this post I will show how to capture that traces to Elasticsearch to allow seamless log … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1,33],"tags":[64],"class_list":["post-1506","post","type-post","status-publish","format-standard","hentry","category-allgemein","category-wincc-unified","tag-winccunified"],"_links":{"self":[{"href":"https:\/\/www.rocworks.at\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/1506","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rocworks.at\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rocworks.at\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rocworks.at\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rocworks.at\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1506"}],"version-history":[{"count":6,"href":"https:\/\/www.rocworks.at\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/1506\/revisions"}],"predecessor-version":[{"id":1514,"href":"https:\/\/www.rocworks.at\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/1506\/revisions\/1514"}],"wp:attachment":[{"href":"https:\/\/www.rocworks.at\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1506"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rocworks.at\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1506"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rocworks.at\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1506"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}