The protection device offers a large set of event-logging functions. Critical system and protection device security-related events are logged to a separate nonvolatile audit trail for the administrator.
The audit trail is a chronological record of system activities that allows the reconstruction and examination of the sequence of system and security-related events and changes in the protection device. Both audit trail events and process-related events can be examined and analyzed in a consistent manner with the help of Event List in WHMI and Event Viewer in PCM600.
The protection device stores 2048 audit trail events to the nonvolatile audit trail. Additionally, 8192 process events are stored in a nonvolatile event list. Both the audit trail and event list work according to the FIFO (first in, first out) principle. Nonvolatile memory is based on a memory type that needs neither battery backup nor regular component replacement to maintain the memory storage.
Audit trail events related to user authorization (login, logout, violation remote and violation local) are defined according to the selected set of requirements from IEEE 1686. The logging is based on predefined user names or user categories. The user audit trail events are accessible with IEC 61850-8-1, PCM600 and WHMI.
Event Id | Description | Severity |
---|---|---|
1110 | Log-in successful | Event |
1130 | Log-in failed - Wrong credentials | Event |
1210 | Log-out (user logged out) | Event |
1320 | Downloaded / wrote configuration successfully | Event |
1370 | Viewed Security Event logs successfully | Alarm |
1380 | Parameter changed successfully | Event |
1420 | Download / writing configuration failed | Event |
1520 | Software updated successfully | Event |
1610 | Firmware change fail | Event |
1710 | Device reset to factory default | Event |
2110 | User account created successfully | Alarm |
2120 | User account deleted successfully | Alarm |
2180 | New role created successfully | Alarm |
2190 | Role deleted successfully | Alarm |
2210 | User password changed successfully | Event |
2220 | Change of user password failed | Event |
5110 | Firmware Reset | Alarm |
5140 | Software reset | Alarm |
5270 | System startup | Alarm |
6110 | Test Mode started successfully | Alarm |
6120 | Test Mode ended successfully | Alarm |
6130 | Control operation performed successfully | Alarm |
6220 | Time Synchronized successfully | Event |
6320 | Time Synchronization failed | Event |
8020 | Date and time set successfully | Event |
9020 | Flooding attack detected | Alarm |
13520 | Certificates transferred to the device successfully | Event |
14520 | Failed to transfer certificates to the device | Event |
The PCM600 Event Viewer tool can be used to view the audit trail events and process-related events. Audit trail events are visible through the dedicated Security events view. A user with the Security Management right can read the audit trail. The audit trail cannot be reset, but PCM600 Event Viewer can filter data. Audit trail events can also be configured to be visible in the WHMI Event list together with process-related events.
In WHMI, audit trail events are displayed based on user rights. A user with the Security Management right can view audit trail logs.
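
The event IDs in the table can be reviewed automatically once the audit trail has been exported. The following Python code is an added example, not part of the device or PCM600: it flags a successful log-in that follows repeated failed log-ins and any sensitive change made in that session. The semicolon-separated export format, the user names and the thresholds are assumptions, and the sample lines are constructed.

```python
from datetime import datetime, timedelta

# Event IDs as listed in the table above.
FAILED_LOGIN, LOGIN_OK, LOGOUT = 1130, 1110, 1210
# Changes worth reviewing when made in a session that began after repeated failures.
SENSITIVE = {1320: "configuration written", 1380: "parameter changed",
             1520: "software updated", 1710: "factory reset",
             2110: "user account created", 2120: "user account deleted",
             2210: "password changed"}

def parse(line):
    """Parse one line of the assumed export format 'ISO time;event id;user'."""
    ts, eid, user = line.strip().split(";")
    return datetime.fromisoformat(ts), int(eid), user

def triage(lines, threshold=3, window=timedelta(minutes=10)):
    """Flag log-ins that follow a burst of failures, and sensitive events in that session."""
    failures, suspect, findings = {}, set(), []
    for ts, eid, user in sorted(parse(l) for l in lines if l.strip()):
        if eid == FAILED_LOGIN:
            failures.setdefault(user, []).append(ts)
        elif eid == LOGIN_OK:
            # Count only failures inside the window before this log-in.
            recent = [t for t in failures.pop(user, []) if ts - t <= window]
            if len(recent) >= threshold:
                suspect.add(user)
                findings.append((ts, user, f"log-in after {len(recent)} failures"))
        elif eid == LOGOUT:
            suspect.discard(user)
        elif eid in SENSITIVE and user in suspect:
            findings.append((ts, user, SENSITIVE[eid]))
    return findings

# Constructed sample export (hypothetical format and user names).
SAMPLE = """\
2024-05-01T08:00:00;1110;OPERATOR
2024-05-01T08:05:00;1210;OPERATOR
2024-05-01T22:14:01;1130;ADMINISTRATOR
2024-05-01T22:14:09;1130;ADMINISTRATOR
2024-05-01T22:14:20;1130;ADMINISTRATOR
2024-05-01T22:15:02;1110;ADMINISTRATOR
2024-05-01T22:16:30;2110;ADMINISTRATOR
2024-05-01T22:17:10;1380;ADMINISTRATOR
2024-05-01T22:18:00;1210;ADMINISTRATOR
2024-05-02T09:01:00;1380;ENGINEER
""".splitlines()

if __name__ == "__main__":
    for ts, user, what in triage(SAMPLE):
        print(ts.isoformat(), user, what)
```

Because the device keeps 2048 audit trail events on a FIFO basis, exports need to be collected often enough that entries are reviewed before the oldest ones are overwritten.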