Friday, April 30, 2010

One More Time on SIEM vs Log Management

Since people keep asking me again and again, here is another post on the subject.

40,000 ft view:

SIEM = SECURITY information and event management; the emphasis is on SECURITY. Security information is not just logs.


LM = LOG management; the emphasis is on LOGS. Logs aren’t just for security.

10,000 ft view:

(with slight risk of oversimplification)


Security Information and Event Management (SIEM)

Log Management (LM)

Log collection

Collect security relevant logs + context data

Collect all logs

Log pre-processing Parsing, normalization, categorization, enrichment Indexing, parsing or none

Log retention

Retail parsed and normalized data

Retain raw log data


Security focused reporting

Broad use reporting


Correlation, threat scoring, event prioritization

Full text analysis, tagging

Alerting and notification

Advanced security focused reporting

Simple alerting on all logs

Other features

Incident management, analyst workflow, context analysis, etc

High scalability of collection and storage

1000 ft view:

Read this paper – then ask me questions if it is not clear.


Finally, people, please STOP obsessing on “SIM vs SEM.” The 1990s are officially over [darn, even 2000s are over!] SIEM is what exists today – that and log management.

Possibly related posts:

Reblog this post [with Zemanta]

Dr Anton Chuvakin