Since people keep asking me again and again, here is another post on the subject.
40,000 ft view:
SIEM = SECURITY information and event management; the emphasis is on SECURITY. Security information is not just logs.
while
LM = LOG management; the emphasis is on LOGS. Logs aren’t just for security.
10,000 ft view:
(with slight risk of oversimplification)
| Functionality | Security Information and Event Management (SIEM) | Log Management (LM) |
|---|---|---|
| Log collection | Collect security relevant logs + context data | Collect all logs |
| Log pre-processing | Parsing, normalization, categorization, enrichment | Indexing, parsing or none |
| Log retention | Retain parsed and normalized data | Retain raw log data |
| Reporting | Security focused reporting | Broad use reporting |
| Analysis | Correlation, threat scoring, event prioritization | Full text analysis, tagging |
| Alerting and notification | Advanced security focused reporting | Simple alerting on all logs |
| Other features | Incident management, analyst workflow, context analysis, etc. | High scalability of collection and storage |
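To make the pre-processing, retention and analysis rows of the table concrete, here is an added Python sketch that is not part of the original post: the LM path keeps raw lines and answers a full-text query over all of them, while the SIEM path parses, normalizes, categorizes and enriches only the security-relevant lines, then runs a correlation rule with simple threat scoring. The log lines, the asset-context table and the scoring weights are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample logs (not from the post): sshd and cron lines from two hosts.
RAW_LOGS = [
    "Mar  1 10:00:01 web01 sshd[211]: Failed password for root from 203.0.113.9 port 5110 ssh2",
    "Mar  1 10:00:03 web01 sshd[211]: Failed password for root from 203.0.113.9 port 5111 ssh2",
    "Mar  1 10:00:05 web01 sshd[211]: Failed password for root from 203.0.113.9 port 5112 ssh2",
    "Mar  1 10:00:09 web01 sshd[211]: Accepted password for root from 203.0.113.9 port 5113 ssh2",
    "Mar  1 10:00:12 db01 cron[88]: (root) CMD (/usr/bin/backup.sh)",
]

# Hypothetical context data a SIEM joins in during enrichment (asset criticality).
ASSET_CONTEXT = {"web01": "dmz-critical", "db01": "internal"}

SSHD = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
                  r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")

def lm_search(raw_logs, needle):
    """Log management: retain every raw line, answer full-text queries over all of them."""
    return [line for line in raw_logs if needle in line]

def siem_normalize(raw_logs):
    """SIEM: parse, normalize to a common schema, categorize, enrich with context."""
    events = []
    for line in raw_logs:
        m = SSHD.match(line)
        if not m:
            continue  # non-security lines (the cron entry) are dropped on the SIEM path
        e = m.groupdict()
        e["category"] = "auth.success" if e["outcome"] == "Accepted" else "auth.failure"
        e["asset_tier"] = ASSET_CONTEXT.get(e["host"], "unknown")  # enrichment
        events.append(e)
    return events

def siem_correlate(events, threshold=3):
    """Correlation: N failures then a success for one (src, user, host) -> scored alert."""
    failures = defaultdict(int)
    alerts = []
    for e in events:
        key = (e["src"], e["user"], e["host"])
        if e["category"] == "auth.failure":
            failures[key] += 1
        elif failures[key] >= threshold:
            # Constructed scoring: base 50, +40 on a critical asset, +10 for root.
            score = 50 + (40 if e["asset_tier"].endswith("critical") else 0) \
                       + (10 if e["user"] == "root" else 0)
            alerts.append({"rule": "brute-force-then-success", "key": key,
                           "failures": failures[key], "score": score})
    return alerts
```

The same five lines thus yield five full-text hits on the LM side but four normalized events and one prioritized alert on the SIEM side, which is the practical difference the table describes.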
1000 ft view:
Read this paper – then ask me questions if it is not clear.
Finally, people, please STOP obsessing on “SIM vs SEM.” The 1990s are officially over [darn, even 2000s are over!] SIEM is what exists today – that and log management.