SIEM data collecting

Gjorg19 (Member, Posts: 2)
Hi all,

I'm fairly new in the world of cyber security and new to this forum, and I could use some professional help regarding SIEM. After doing some research I've read that SIEM uses agents for log aggregation. If I'm not mistaken, this is the case for systems with an OS, like computers and servers. My question is, how does SIEM collect data from network devices such as switches, routers and firewalls? How does SIEM communicate with these devices?

Comments

  • SteveLavoie (Member, Posts: 1,133)
    Often, SNMP and syslog are used to collect data from network devices.
  • JDMurray (Admin, Posts: 13,099)
    SIEM does not actively collect event information from devices (i.e., polling). Instead, all networked devices are configured to send their event information (e.g., syslog, NetFlow, SNMP traps, etc.) to centralized collection systems. A SIEM then reads this collected data, de-duplicates, indexes, and correlates events to create information about device and network state at specific points in time. A SIEM analyst can then run searches manually on the SIEM to find events, or have SIEM rules automatically detect specific event conditions and trigger SIEM alerts at their presence.
    Some monitoring systems, such as SNMP management stations, can actively poll devices to collect snapshots of information at the current time (i.e., reconnaissance). This information can also be stored and imported by a SIEM for processing.
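As an added illustration of the pipeline described in the answer above (not code from this thread or from any SIEM product): a minimal Python collector that normalizes syslog sent by a firewall and a switch, drops exact duplicates, indexes events by reporting device, and runs one correlation rule that raises an alert. The message lines, device names, addresses, and the port-probe rule are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample messages from a firewall and a switch; one exact duplicate is on purpose.
SAMPLE_SYSLOG = [
    "<134>Jun 12 10:00:01 fw-edge-1 kernel: DROP SRC=198.51.100.7 DST=203.0.113.5 DPT=22",
    "<134>Jun 12 10:00:01 fw-edge-1 kernel: DROP SRC=198.51.100.7 DST=203.0.113.5 DPT=22",
    "<134>Jun 12 10:00:03 fw-edge-1 kernel: DROP SRC=198.51.100.7 DST=203.0.113.5 DPT=23",
    "<134>Jun 12 10:00:04 fw-edge-1 kernel: DROP SRC=198.51.100.7 DST=203.0.113.5 DPT=80",
    "<189>1 2024-06-12T10:00:07Z sw-core-1 - - - - %LINK-3-UPDOWN: Interface Gi1/0/24 changed state to down",
]
# BSD syslog (RFC 3164) and RFC 5424 headers; both begin with <PRI> = facility*8 + severity.
BSD = re.compile(r"^<(\d+)>(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")
IETF = re.compile(r"^<(\d+)>1 (\S+) (\S+) \S+ \S+ \S+ \S+ (.*)$")

def parse_syslog(line, year=2024):
    """Normalize one syslog line into an event dict; return None if it matches neither format."""
    if m := BSD.match(line):
        pri, ts, host, msg = m.groups()
        stamp = datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=year)  # BSD stamps omit the year
    elif m := IETF.match(line):
        pri, ts, host, msg = m.groups()
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    else:
        return None
    return {"facility": int(pri) >> 3, "severity": int(pri) & 7, "ts": stamp, "host": host, "msg": msg}

def ingest(lines):
    """Parse, drop exact duplicates, and index the events by the device that reported them."""
    seen, index = set(), defaultdict(list)
    for line in lines:
        if (ev := parse_syslog(line)) and line not in seen:
            seen.add(line)
            index[ev["host"]].append(ev)
    return index

def correlate_probes(index, threshold=3, window=timedelta(seconds=10)):
    """Rule: alert when a device drops one source on >= threshold distinct ports inside the window."""
    field, alerts = re.compile(r"SRC=(\S+) .*DPT=(\d+)"), []
    for host, events in index.items():
        by_src = defaultdict(list)
        for ev in events:
            if m := field.search(ev["msg"]):
                by_src[m.group(1)].append((ev["ts"], int(m.group(2))))
        for src, hits in by_src.items():
            start = min(t for t, _ in hits)
            ports = {p for t, p in hits if t - start <= window}
            if len(ports) >= threshold:
                alerts.append({"device": host, "src": src, "ports": sorted(ports)})
    return alerts
```

Running `correlate_probes(ingest(SAMPLE_SYSLOG))` yields one alert for fw-edge-1: the duplicate line is counted once, the switch's link-down event is indexed but does not match the rule, and the three distinct dropped ports from one source inside ten seconds cross the threshold.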
  • Gjorg19 (Member, Posts: 2)
    Thank you very much for clearing that up guys. I'll be doing more research regarding the implementation of SIEM.