Hello everybody, I am studying the SIEM solution. I see that the ELM is present in every architecture, but it is not clear to me whether it is absolutely necessary. For example, if I do not have an explicit requirement to store raw logs, can I deploy an ESM and Receiver solution without the ELM?
English is not my native language, so I apologize in advance for any grammar errors.
I believe the minimum configuration you need is an ESM and, to collect logs, a Collector. The ELM is used for long-term storage and is optional. Some of the benefits include long-term storage, the ability to do regex or more free-form searches (if you don't know the exact field to look for), and access to a copy of the original data.
Yes, you can just use the ESM and REC for the deployment if the ELM is not a requirement. Usually the ELM is used for long-term storage, mainly from a compliance perspective. If the customer has a compliance requirement like PCI-DSS or ISO 27K, then the ELM is a must; otherwise it depends on the requirements.