Working with SIEMs
A significant challenge for a great many organizations is the way network devices handle logging. With limited storage, log files are often rolled over: new log files are written over older ones. The result is that, in some cases, an organization may only have a few days', or even a few hours', worth of important logs. If a potential incident happened several weeks ago, the incident response personnel will be without critical pieces of evidence.
One tool that has been embraced by a wide range of enterprises is a SIEM system. This appliance can aggregate log and event data from network sources and combine them into a single location. This allows the CSIRT and other security personnel to observe activity across the entire network, without having to examine individual systems.
The following diagram illustrates how a SIEM system integrates into the overall network:
Figure 12.1 – SIEM and logging architecture...
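To make the retention problem concrete, the following added example (not from the book) parses BSD-style syslog lines from two constructed devices, shows what a device with a small rolling log still holds, and contrasts it with a SIEM-style central store that merges every source into one time-ordered stream. Host names, messages and IP addresses are constructed; the year is assumed because BSD syslog timestamps omit it.

```python
"""Added example: local log rollover versus central aggregation (constructed data)."""
from collections import deque
from dataclasses import dataclass
from datetime import datetime
import re

# Constructed RFC 3164-style lines as two devices would emit them (documentation IPs).
RAW_EVENTS = {
    "fw01": [
        "Jan  3 02:14:07 fw01 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 DPT=22",
        "Jan 19 09:45:51 fw01 sshd[1122]: Accepted publickey for admin from 192.0.2.55",
        "Jan 20 11:02:13 fw01 sshd[1290]: Failed password for root from 203.0.113.9",
    ],
    "sw02": [
        "Jan 12 16:30:00 sw02 snmpd: Connection from UDP: [192.0.2.201]:55000",
        "Jan 20 11:02:15 sw02 link: port 7 changed state to down",
    ],
}
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")

@dataclass(frozen=True)
class Event:
    when: datetime
    host: str
    message: str

def parse_syslog(line, year=2024):
    """Normalize one BSD syslog line into an Event (None if it does not match)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return Event(when, m["host"], m["msg"])

def local_view(lines, capacity):
    """What a device whose log rolls over after `capacity` entries still holds."""
    ring = deque(maxlen=capacity)  # the oldest entry is overwritten on each append
    for line in lines:
        ring.append(parse_syslog(line))
    return list(ring)

def central_view(raw):
    """SIEM-style aggregation: every source merged into one time-ordered stream."""
    events = (parse_syslog(line) for lines in raw.values() for line in lines)
    return sorted((e for e in events if e), key=lambda e: e.when)

def evidence_for(events, needle):
    """Events whose message mentions an indicator the responder is searching for."""
    return [e for e in events if needle in e.message]

if __name__ == "__main__":
    print(len(evidence_for(local_view(RAW_EVENTS["fw01"], 2), "203.0.113.9")))  # 1
    print(len(evidence_for(central_view(RAW_EVENTS), "203.0.113.9")))           # 2
```

The Jan 3 firewall drop has already been overwritten on the device by the time the Jan 20 login failure is investigated, but the central store still holds it, and the merged timeline also places the fw01 and sw02 events of Jan 20 two seconds apart, which no single device's log can show.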