This article is part of an Essential Guide, our editor-selected collection of our best articles, videos and other content on this topic. Explore more in this guide:
1. - Demystifying SIEM: Making the business case: Read more in this section
- SIEM technology primer: SIEM platforms have improved significantly
- Unlocking the opportunity of SIEM technology
- Security information management systems aspire to real time security
- Five tips to improve a threat and vulnerability management program
- Is centralized logging worth all the effort?
Explore other sections in this guide:
Once you establish a central log repository, the next step is to introduce centralized analysis techniques. Many organizations fulfill this requirement through the use of a security incident management (SIM) device. A SIM allows you to add a degree of automation to your log analysis process. You can create rules that analyze logs, aggregated from various devices, for patterns of suspicious activity.
The main stumbling block many organizations face when deciding whether to implement centralized logging and/or SIMs is the investment of time and resources necessary to get such an implementation off the ground. Depending upon how long you decide to retain records (many organizations choose to keep them for at least a year), logs can consume massive quantities of disk space. Additionally, SIMs require a significant amount of configuration and tuning to optimize for a particular enterprise.