Security Information and Event Management (SIEM)
Software designed to manage security data inputs and provide reporting and alerting.
The core function of SIEM tools is to collect and correlate data from network sensors and from appliance/host/application logs, sourced from:
- Windows hosts
- Linux hosts
- Network switches, routers, firewalls
- IDS sensors
- packet sniffers
- vulnerability scanners
- malware scanners
- DLP systems
Types of Data Collection
Agent-based: Install an agent service on each host that needs to be monitored. The host system itself filters, aggregates, and normalizes the relevant data and sends it to the SIEM server for analysis and storage. RAM usage spans 50-500 MB, depending on how much is collected and on the general activity of the host system.
Listener/Collectors: Hosts are configured to push log changes to the SIEM server, which listens for them. As with the agent-based approach, a background process on the host monitors selected log files and syncs them to the SIEM server, using some variant of Syslog.
Sensors: The SIEM might collect packet captures and traffic flow data from sniffers. A sniffer can record network data using either a switch's mirror port functionality or some tap on the network media.
Alerting
After data has been acquired, the SIEM can implement alerting, reporting, or archiving of the activities of the monitored systems. This requires correlation rules, which is a fancy term for Boolean expressions evaluated over the collected events; the term is used only in the context of SIEM.
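As an added example (not part of these notes), a small Python pipeline that does the collector-side normalization described under data collection and then evaluates one correlation rule over the result; the sshd lines, host names, addresses and the rule's threshold are constructed sample data and assumptions, not from any product.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd lines, as a collector would receive them over syslog.
RAW_SYSLOG = [
    "2024-03-01T10:00:01 host1 sshd[100]: Failed password for root from 203.0.113.5 port 5555 ssh2",
    "2024-03-01T10:00:05 host1 sshd[101]: Failed password for root from 203.0.113.5 port 5556 ssh2",
    "2024-03-01T10:00:09 host1 sshd[102]: Failed password for root from 203.0.113.5 port 5557 ssh2",
    "2024-03-01T10:00:12 host1 sshd[103]: Accepted password for root from 203.0.113.5 port 5558 ssh2",
    "2024-03-01T10:03:00 host2 sshd[200]: Failed password for bob from 198.51.100.7 port 4444 ssh2",
    "2024-03-01T10:30:00 host2 sshd[201]: Accepted password for bob from 198.51.100.7 port 4445 ssh2",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
                     r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")

def normalize(line):
    """Collector-side normalization: map one raw sshd line onto a common event schema."""
    m = LINE_RE.match(line)
    if not m:
        return None  # lines this simple filter cannot parse are dropped
    return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "user": m["user"],
            "src": m["src"], "outcome": "failure" if m["outcome"] == "Failed" else "success"}

def correlate(events, threshold=3, window=timedelta(seconds=60)):
    """Correlation rule (a Boolean condition over the event stream): at least
    `threshold` failures for one (src, user) pair inside `window`, followed by a
    success for the same pair -> alert. Isolated failures or successes never fire."""
    failures = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["user"])
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if ev["outcome"] == "failure":
            failures[key] = recent + [ev["ts"]]
        else:
            if len(recent) >= threshold:
                alerts.append({"src": ev["src"], "user": ev["user"], "host": ev["host"],
                               "failures": len(recent), "at": ev["ts"].isoformat()})
            failures[key] = []  # a success resets the counter for that pair

    return alerts

def run_rule(lines):
    """Pipeline: normalize raw lines, drop unparsable ones, apply the rule."""
    events = [e for e in map(normalize, lines) if e]
    return correlate(events)
```

On the sample above only the root attempts from 203.0.113.5 fire the rule; bob's single failure half an hour before his success does not.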