Are SIEM and log management the same thing?
By Greg Shipley, Network World, 06/30/2008
Like many things in the IT industry, there's a lot of market positioning and buzz tossed around regarding how the original
term SIM (Security Information Management), the subsequent marketing term SEM (Security Event Management), and the newer combined
term SIEM (Security Information and Event Management) relate to the long-standing process of log management.
The basics of log management aren't new. Operating systems, devices and applications all generate logs of some sort that contain
system-specific events and notifications. The information in logs may vary in overall usefulness, but before one can derive
much value out of them, they first need to be enabled, then transported and eventually stored. It is here that the first challenge
of log management is presented: how does one gather this data from an often distributed range of systems and get it into a
centralized (or at least semi-centralized) location? There are varying techniques to accomplish centralization, ranging from
standardizing on the syslog mechanism and then deploying centralized syslog servers, to using commercial products to address
the log acquisition, transport and storage issues. Other issues in log management include working around network
bottlenecks, establishing reliable event transport (syslog over UDP, for instance, isn't exactly the most robust of models), setting
requirements around encryption, and managing the raw data storage issues.
So the first steps in this process are figuring out what type of log and event information you want to gather, how to transport
it, and where to store it. But that leads to another major consideration: once you have it, what do you want to do with it?
It is at this point that basic log management ends and the higher-level functions associated with SIEM begin.
SIEM products typically provide many of the features required for log management but add event-reduction, alerting and real-time
analysis capabilities. They provide the layer of technology that allows one to say with confidence that not only are logs
being gathered but they are also being reviewed. SIEM also allows for the import of data that isn't necessarily event-driven
(such as vulnerability scanning reports), hence the "Information" portion of SIEM.
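To make the boundary between the two concrete, here is an added example (not code from the article or from any vendor product) that walks one batch of collected syslog lines through both layers: the log-management step of normalizing RFC 3164 records as a central collector would store them, and then the SIEM-layer functions the paragraphs above describe: event reduction (collapsing repeated identical events), a real-time style alert (a failed-login threshold inside a time window), and enrichment of that alert with non-event data from a vulnerability scan report. The host names, IP addresses, log lines, threshold, and the scan report are all constructed for illustration; the transport and encryption concerns from the earlier paragraph are assumed to have been handled before these lines reach the collector.

```python
"""Added example: log-management normalization followed by SIEM-style functions.
All sample data below is constructed; nothing here is real log data."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Optional

# RFC 3164 line shape: <PRI>MMM dd HH:MM:SS host tag[pid]: message
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# Facility and severity names in RFC 3164 numeric order (PRI = facility*8 + severity).
_FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
               "ntp audit alert clock local0 local1 local2 local3 local4 local5 "
               "local6 local7").split()
_SEVERITIES = "emerg alert crit err warning notice info debug".split()
_FAILED_LOGIN = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")

SAMPLE_LINES = [  # constructed sample input, not real logs
    "<38>Jun 30 10:00:01 web01 sshd[2001]: Failed password for root from 203.0.113.7 port 51522 ssh2",
    "<38>Jun 30 10:00:04 web01 sshd[2001]: Failed password for root from 203.0.113.7 port 51523 ssh2",
    "<38>Jun 30 10:00:07 web01 sshd[2001]: Failed password for root from 203.0.113.7 port 51524 ssh2",
    "<38>Jun 30 10:00:11 web01 sshd[2001]: Failed password for root from 203.0.113.7 port 51525 ssh2",
    "<38>Jun 30 10:00:15 web01 sshd[2001]: Failed password for root from 203.0.113.7 port 51526 ssh2",
    "<38>Jun 30 10:05:30 web01 sshd[2002]: Failed password for invalid user admin from 198.51.100.9 port 40001 ssh2",
    "<30>Jun 30 10:02:00 db01 ntpd[900]: no servers reachable",
    "<30>Jun 30 10:03:00 db01 ntpd[900]: no servers reachable",
    "<30>Jun 30 10:04:00 db01 ntpd[900]: no servers reachable",
    "this is not a syslog line",
]
# Constructed, non-event "Information": findings keyed by host from a scan report.
SCAN_REPORT = {"web01": ["SSH password authentication enabled (constructed finding)"]}


def parse_syslog(line: str, year: int = 2008) -> Optional[dict]:
    """Log-management step: normalize one RFC 3164 line; None if it doesn't parse."""
    m = _SYSLOG_RE.match(line)
    if not m or int(m["pri"]) > 191:
        return None
    facility, severity = divmod(int(m["pri"]), 8)
    # RFC 3164 timestamps carry no year; the collector supplies one (assumption).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "tag": m["tag"], "pid": m["pid"],
            "facility": _FACILITIES[facility], "severity": _SEVERITIES[severity],
            "msg": m["msg"]}


def reduce_events(records: list) -> list:
    """Event reduction: collapse identical (host, tag, msg) records into one with a count."""
    counts, first = Counter(), {}
    for r in records:
        key = (r["host"], r["tag"], r["msg"])
        counts[key] += 1
        first.setdefault(key, r)
    return [dict(first[k], count=n) for k, n in counts.items()]


def detect_bruteforce(records: list, threshold: int = 5, window_seconds: int = 60) -> list:
    """Alerting: one source IP with >= threshold auth failures against a host within the window.
    Runs on raw records, not reduced ones, because reduction discards per-event timing."""
    by_src = defaultdict(list)
    for r in records:
        m = _FAILED_LOGIN.search(r["msg"])
        if r["facility"] in ("auth", "authpriv") and m:
            by_src[(r["host"], m["ip"])].append(r["ts"])
    alerts = []
    for (host, ip), times in by_src.items():
        times.sort()
        for i in range(len(times) - threshold + 1):  # sliding window over sorted times
            j = i + threshold - 1
            if (times[j] - times[i]).total_seconds() <= window_seconds:
                alerts.append({"host": host, "src_ip": ip, "count": len(times),
                               "first": times[i], "last": times[j]})
                break
    return alerts


def enrich(alerts: list, scan_report: dict) -> list:
    """Attach non-event information (scan findings for the targeted host) to each alert."""
    return [dict(a, findings=scan_report.get(a["host"], [])) for a in alerts]


def run_pipeline(lines: list = SAMPLE_LINES, scan_report: dict = SCAN_REPORT) -> dict:
    records = [r for r in (parse_syslog(line) for line in lines) if r]
    reduced = reduce_events(records)
    alerts = enrich(detect_bruteforce(records), scan_report)
    return {"parsed": len(records), "reduced": len(reduced), "alerts": alerts}


if __name__ == "__main__":
    result = run_pipeline()
    print(f"parsed {result['parsed']} events, {result['reduced']} after reduction")
    for a in result["alerts"]:
        print(f"ALERT {a['host']}: {a['count']} failed logins from {a['src_ip']} between "
              f"{a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}; findings={a['findings']}")
```

Everything up to and including `parse_syslog` is what a plain log-management tool delivers: parsed, stored, searchable records. The three functions after it are the SIEM layer; note that detection runs on the raw records while reduction serves the reviewer, since collapsing repeats before correlating would lose the timing the threshold depends on.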
In watching the market mature over the past 10 years we believe there is room for both traditional log management tools and
the real-time analysis capabilities provided by SIEM tools, but we suspect that organizations would prefer to go to a single
vendor for both. Clearly, organizations have to solve the first problem (log management) in order to address the second (analysis
and monitoring), but the wise purchaser will know that once the first problem is addressed, the second will become immediately
apparent. Plan accordingly.
< Return to main story: SIEM tools come up short >
Comments (1)
Log Management = storage
By Anonymous on July 8, 2008, 3:21 pm
In many cases Log Management is primarily a storage play, which is why most vendors that focus on LM sell hard appliances with the storage included. If a company...