SIEM data collecting

Gjorg19 · March 2021

Hi all,

I'm fairly new in the world of cyber security and new to this forum and i could use some professional help regarding SIEM. After doing some research i've read that SIEM uses agents for log aggregation. If i'm not mistaken, is this the case for systems with an OS like computers and servers. My question is, how does SIEM collect data from network devices such as switches, routers and firewalls? How does SIEM communicate with these devices?

SteveLavoie · March 2021

Often, SNMP and syslog are used to collect data from network devices.

JDMurray · March 2021

SIEM does not actively collect event information from devices (i.e., polling). Instead, all networked devices are configured to send their event information (e.g., syslog, NetFlow, SNMP traps, etc.) to centralized collection systems. A SIEM then reads this collected data, de-duplicates, indexes, and correlates events to create information about device and network state at specific points in time. A SIEM analyst can then run searches manually on the SIEM to find events, or have SIEM rules automatically detect specific event conditions and trigger SIEM alerts at their presence.

Some monitoring systems, such as SNMP management stations, can actively poll devices to collect snapshots of information at the current time (i.e., reconnaissance). This information can also be stored and imported by a SIEM for processing.

Gjorg19 · March 2021

Thank you very much for clearing that up guys. I'll be doing more research regarding the implementation of SIEM.

SIEM data collecting

Comments