SIEM or Log Management?

Welcome to 2002! Let’s discuss a timely topic … and, no, it’s not Y2K – that one is fortunately over.

The topic is: SIEM vs log management.

Yes, really! In 2017. This. Is. Still. A thing.

Naturally, those of you who were avid blog readers back in 2010 will immediately remember that I touched this topic many, many times. So why dig out this dead horse?

Frankly, I got too many questions like this and finally got mad.

Short version: if you really need log management, and you bought a SIEM and you only use it as a log aggregator, you are probably not having a good time. And you overpaid. This may lead you to think along the lines of “is ELK the best SIEM for me?” without any regard to the fact that ELK is not a SIEM. You, sir, never needed a SIEM! You needed log aggregation and log search, and ELK works well for that [probably not for petabyte scale though – note that the linked post was written in 2007…].

Like so:

Furthermore, yes, even now in 2017, there is confusion about “what is a SIEM?” vs “what is a log manager?” It is entirely possible that your IT and security requirements call for log aggregation and rapid log search – and for nothing else (so you only need log management). It is just as possible that they call for robust real-time monitoring based on correlation and analytics, lots of security dashboards, etc. (so you need both SIEM and log management, as we say here, and also perhaps a UEBA).
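To make that distinction concrete, here is an added example (mine, not from the post or any product) that contrasts the two requirements over a few constructed SSH log lines: a plain aggregate-and-search query, which is what log management gives you, next to a stateful correlation rule that fires on repeated failures followed by a success from the same source, which is the kind of real-time logic a SIEM exists for. The line format, the threshold and the time window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample SSH auth events (syslog-like); not taken from any real system.
LOGS = [
    "2017-03-01T10:00:01 host1 sshd: Failed password for alice from 10.0.0.5",
    "2017-03-01T10:00:03 host1 sshd: Failed password for alice from 10.0.0.5",
    "2017-03-01T10:00:04 host2 sshd: Accepted password for bob from 10.0.0.9",
    "2017-03-01T10:00:06 host1 sshd: Failed password for alice from 10.0.0.5",
    "2017-03-01T10:00:09 host1 sshd: Accepted password for alice from 10.0.0.5",
    "2017-03-01T10:30:00 host3 sshd: Failed password for carol from 10.0.0.7",
]

# Assumed line format; a real deployment would use the parser for its own sources.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

def parse(line):
    """Turn one raw line into a dict of fields; None for lines the rule ignores."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def search(lines, needle):
    """Log management: aggregate and search. Answers 'show me lines containing X'."""
    return [ln for ln in lines if needle in ln]

def brute_force_then_success(lines, threshold=3, window=timedelta(seconds=60)):
    """SIEM-style stateful correlation: at least `threshold` failures from one
    source IP inside `window`, then a success from that same IP. Returns alerts."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    alerts = []
    for ev in filter(None, map(parse, lines)):
        q = failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:   # expire failures outside the window
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
        elif len(q) >= threshold:
            alerts.append((ev["src"], ev["user"], ev["ts"].isoformat()))
            q.clear()                            # one alert per burst
    return alerts
```

The search returns every failure line, which is a fine answer to an investigative question; only the correlation rule turns the sequence into a single alert, and that state-keeping across events is the part you are paying a SIEM for.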

Finally, if you are really smart, you can use ELK as a foundational set of components to build your own SIEM, like these fine folks have done. But it will involve a lot of work.

To conclude, in a Capt Obvious fashion: it is all about the requirements. As it always is :-)