Security Information/Events Logs

• Log Collection is the heart and soul of a SIEM – the more log sources that
send logs to the SIEM, the more that can be accomplished with the SIEM.
 
• Logs on their own rarely contain the information needed to understand their
contents within the context of your business.
 
• Security Analysts have limited bandwidth to be familiar with every last system
that your IT operation depends on.
 
• With only the logs, all an analyst sees is “Connection from Host A to Host B”
 
• Yet, to the administrator of that system, this becomes “Daily Activity Transfer
from Point of Sales to Accounts Receivable”.
 
• The Analyst needs this information to make a reasoned assessment of any
security alert involving this connection.
 
• The true value of logs lies in correlating them to produce actionable information.
 

Log Records Cover:

    • Normal activity
    • Error conditions
    • Configuration changes
    • Policy changes
    • User access to assets
    • Incident alerts
    • Unauthorized use of resources
    • Non-privileged access to files
    • User behavior patterns
    • Clearing of sensitive data
    • Access to audit trails
Logs provide feedback on the status of IT resources and all activity going through them.

How do logs reach the SIEM?

Security Information and Event Management (SIEM) - A Detailed Explanation


Logs reach the SIEM in two different ways: agent-based and agentless. In the agent-based approach, a log-forwarding agent is installed on the client machine from which the logs are collected, and that agent is then configured to forward the logs to the SIEM.

In the agentless approach, the client system sends its logs on its own, using a service such as Syslog or the Windows Event Collector service.

There are also specific applications and devices that are integrated through a series of vendor-specific procedures.
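As an added example (not code from the original page), the following Python script shows what a SIEM's collection layer does with a line that an agentless Syslog source has sent: it parses the RFC 3164-style record, decodes the PRI value into facility and severity, and enriches a bare "Connection from Host A to Host B" message with business context from an asset inventory, turning it into the "Transfer from Point of Sales to Accounts Receivable" view the administrator would recognise. The asset inventory, host addresses and sample log lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed asset inventory: maps a host to the business role its administrator knows.
ASSET_CONTEXT = {
    "10.0.1.15": "Point of Sales",
    "10.0.2.40": "Accounts Receivable",
}

# RFC 3164-style syslog record: "<PRI>Mon DD HH:MM:SS host app[pid]: message"
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>[^:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
CONN_RE = re.compile(r"Connection from (?P<src>\S+) to (?P<dst>\S+)")

@dataclass
class Event:
    facility: int
    severity: int
    host: str
    app: str
    message: str
    context: str  # enriched description, or the raw message when no context is known

def parse_syslog(line: str) -> Optional[Event]:
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # malformed record: reject rather than guess at its fields
    facility, severity = divmod(int(m["pri"]), 8)  # PRI = facility * 8 + severity
    msg = m["msg"]
    context = msg
    c = CONN_RE.search(msg)
    if c:
        src = ASSET_CONTEXT.get(c["src"])
        dst = ASSET_CONTEXT.get(c["dst"])
        if src and dst:  # only enrich when both endpoints are in the inventory
            context = f"Transfer from {src} to {dst}"
    return Event(facility, severity, m["host"], m["app"], msg, context)

# Constructed sample records, as an agentless syslog source would forward them.
SAMPLE = [
    "<38>Mar 10 09:15:01 fw01 kernel: Connection from 10.0.1.15 to 10.0.2.40",
    "<38>Mar 10 09:15:02 fw01 kernel: Connection from 10.0.1.15 to 203.0.113.9",
    "not a syslog record",
]

def enrich_all(lines: List[str]) -> List[Event]:
    """Parse every record, keeping only the well-formed ones."""
    return [e for e in map(parse_syslog, lines) if e is not None]
```

The second sample line keeps its raw message because its destination is unknown to the inventory, which is exactly the gap the analyst must otherwise close by hand.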