Former Member
Message 1 of 3

How do logs flow through the SIEM? The Journey of a syslog...

I REALLY wish there were a diagram of this process!! wink wink

So you have a log source that sends a log.....

1. Log enters from a specific IP that you have created a Data Source for.

2. Data Source interprets what type of log is being sent (Cisco ASA (ASP), for example).

3. Policy dictates which path the log takes through rules?

4. Log then hits Data Source Rules specific to its type (let's say Cisco ASA (ASP)) looking for a match (if no match, move on).

5. Now log is evaluated by ALL enabled Data Source Rules? Again no match...

6. Log is now sent through ASP Rules? And if no match, it becomes unknown?

So how does a log find a match in rules?  At which point does it get autolearned? When will it just become an unknown?

2 Replies
Former Member
Message 2 of 3

Re: How do logs flow through the SIEM? The Journey of a syslog...

Strongly agree. This would go a long way in helping people understand the best way to organize data sources, create effective policies, and would likely decrease the number of how-do-i support calls. Understanding the underlying operation and architecture of a product like this is important to using it properly to produce the desired outcome.

To the examples already provided by scott3boy, I'd add that it is important to understand how the data flow is altered depending on type of data source (standalone, parent, client, child) and collection method (syslog, MEF, WMI, CIF).

Former Member
Message 3 of 3

Re: How do logs flow through the SIEM? The Journey of a syslog...

Here is the path an event takes when it reaches the ERC:

1. Receiver Filter Rules are applied.

2. The event passes to the parser (ASP Rules) for the specific data source type that was defined in the configuration for the IP address from which the event was received.

3. The metadata (Data Source Rules) is added to the parsed event to further identify its content.

4. The event is aggregated and stored in the ERC database and awaits retrieval by the ESM.

Hope this helps.
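A runnable sketch of the four steps in the reply above (and of the path the original post asks about), added here as an example and not McAfee's own code. The receiver filter rules, the IP-to-data-source map, the ASP-style parser rules and the data-source-rule metadata are hypothetical stand-ins for the product's configuration objects, and the syslog lines are constructed. It shows where an event ends up "unknown" (its sender has a data source, but no parser rule for that data source type matches) as opposed to being dropped by a receiver filter; how an event from an IP with no configured data source is handled is an assumption of this sketch, since the thread does not say.

```python
"""Toy model of the receiver path: filter -> parse (ASP) -> enrich (DS rules) -> aggregate.

Added example, not McAfee ESM/ERC code. FILTER_RULES, IP_TO_DATASOURCE, ASP_RULES
and DS_RULES are hypothetical stand-ins for the product's configuration.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample events as (sender IP, raw syslog payload).
SAMPLE = [
    ("10.0.0.1", "%ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.5/443 "
                 "(203.0.113.5/443) to inside:10.1.1.20/51522 (10.1.1.20/51522)"),
    ("10.0.0.1", "%ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:10.1.1.9/22 "
                 "by access-group \"OUTSIDE_IN\""),
    ("10.0.0.1", "%ASA-6-302013: Built outbound TCP connection 12346 for outside:203.0.113.5/443 "
                 "(203.0.113.5/443) to inside:10.1.1.20/51523 (10.1.1.20/51523)"),
    ("10.0.0.1", "%ASA-7-111009: User 'admin' executed cmd: show run"),   # debug-level chatter
    ("10.0.0.1", "some vendor text the parser has no rule for"),          # becomes "unknown"
    ("10.0.0.2", "kernel: eth0 link up"),                                 # no data source for this IP
]

# Step 1: receiver filter rules (hypothetical). An event matching any regex is dropped.
FILTER_RULES = [re.compile(r"%ASA-7-")]

# Step 2a: the Data Source created for each sender IP; the value is its data source type.
IP_TO_DATASOURCE = {"10.0.0.1": "Cisco ASA (ASP)"}

# Step 2b: parser (ASP-style) rules per data source type: (rule id, regex with named groups).
ASP_RULES = {
    "Cisco ASA (ASP)": [
        ("302013", re.compile(
            r"%ASA-\d-302013: Built (?P<direction>inbound|outbound) (?P<proto>TCP|UDP) connection "
            r"(?P<conn_id>\d+) for \w+:(?P<src_ip>[\d.]+)/(?P<src_port>\d+) .* "
            r"to \w+:(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)")),
        ("106023", re.compile(
            r"%ASA-\d-106023: Deny (?P<proto>\w+) src \w+:(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
            r"dst \w+:(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)")),
    ],
}

# Step 3: data source rules, i.e. metadata attached per parser rule id (hypothetical values).
DS_RULES = {
    "302013": {"category": "connection", "action": "allow"},
    "106023": {"category": "acl", "action": "deny"},
}


@dataclass
class Event:
    source_ip: str
    raw: str
    datasource: Optional[str] = None
    rule_id: Optional[str] = None
    fields: dict = field(default_factory=dict)
    status: str = "new"   # dropped | no_datasource | unknown | parsed


def process(source_ip: str, raw: str) -> Event:
    """Run one raw event through filter -> parser -> metadata, recording where it stopped."""
    ev = Event(source_ip, raw)
    if any(r.search(raw) for r in FILTER_RULES):          # step 1: receiver filter
        ev.status = "dropped"
        return ev
    ds = IP_TO_DATASOURCE.get(source_ip)                   # step 2: which data source type?
    if ds is None:                                         # assumption: no data source, not parsed
        ev.status = "no_datasource"
        return ev
    ev.datasource = ds
    for rule_id, pattern in ASP_RULES.get(ds, []):          # first matching parser rule wins
        m = pattern.search(raw)
        if m:
            ev.rule_id, ev.fields = rule_id, m.groupdict()
            break
    else:                                                  # no parser rule matched: "unknown"
        ev.status = "unknown"
        return ev
    ev.fields.update(DS_RULES.get(ev.rule_id, {}))         # step 3: add data source rule metadata
    ev.status = "parsed"
    return ev


def aggregate(events):
    """Step 4: collapse parsed events that share data source, rule, endpoints and action."""
    counts = Counter()
    for ev in events:
        if ev.status == "parsed":
            key = (ev.datasource, ev.rule_id, ev.fields.get("src_ip"),
                   ev.fields.get("dst_ip"), ev.fields.get("action"))
            counts[key] += 1
    return counts


def run(samples=SAMPLE):
    events = [process(ip, line) for ip, line in samples]
    return events, aggregate(events)


if __name__ == "__main__":
    evs, agg = run()
    for ev in evs:
        print(f"{ev.source_ip:10} {ev.status:14} rule={ev.rule_id} {ev.fields}")
    for key, n in agg.items():
        print(n, key)
```

The two 302013 lines collapse into one aggregated record with a count of 2, the 106023 deny keeps its own record, and the three non-parsed events each stop at a different stage, which is the distinction the original post was asking about.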
