What do you mean by compiled in the SIEM?
Do you mean Stored or Aggregated?
What I meant by compiled was: how does the event log get stored, aggregated, etc. over the whole process, and what would the output format be?
It will be a long discussion but let's start with some high level explanations for receiver and ELM.
ESM is a long story so it will be better if you have more specific questions.
First, reading the following document is a must:
Let's start from the receiver functions:
1. Central point for data acquisition using different methods.
2. Parsing and normalization of raw logs.
3. Aggregation (grouping the logs based on a group of fields, or customizable).
4. Correlation of event data (no flows, risk based and deviations).
5. Submits event data to the ESM for analysis.
6. Keeps a copy of the raw logs so they can be stored on the ELM.
1. Storage Manager (creates connections to your storage devices).
2. Raw log storage.
3. Ensures the integrity of the raw log data and guarantees that it wasn't modified.
4. Manages retention policies for raw log data.
5. Enhanced ELM Search.
During the different phases the data is stored in different databases or flat files.
For example, on the ELM all raw logs are stored in flat files, whereas on the ESM they are stored in a database.
Let me know if you have more specific questions related to some of the functionalities.
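As an added illustration (not McAfee's code and not part of this thread), a small Python sketch of the receiver and ELM steps listed above: normalize constructed syslog lines into common fields, aggregate them on a configurable tuple of fields, and hash-chain the raw copies as they are appended to a flat store so that a modified or missing line fails integrity verification. The field names, regular expressions, sample lines and chain seed are assumptions for the example.

```python
import hashlib
import re
from collections import Counter

# Constructed sample syslog lines (not real traffic); documentation-range addresses.
RAW_LOGS = [
    "<34>Jan 12 10:00:01 fw01 kernel: DROP SRC=203.0.113.5 DST=10.0.0.7 PROTO=TCP DPT=22",
    "<34>Jan 12 10:00:02 fw01 kernel: DROP SRC=203.0.113.5 DST=10.0.0.7 PROTO=TCP DPT=22",
    "<34>Jan 12 10:00:03 fw01 kernel: DROP SRC=203.0.113.5 DST=10.0.0.7 PROTO=TCP DPT=23",
    "<85>Jan 12 10:00:04 srv01 sshd[1234]: Failed password for root from 198.51.100.9 port 4711 ssh2",
]

# Assumed parsers: a syslog header plus two device formats (firewall drop, sshd auth failure).
HEAD_RE = re.compile(r"^<\d+>\w{3} +\d+ \d\d:\d\d:\d\d (?P<host>\S+) ")
FW_RE = re.compile(r"(?P<action>DROP|ACCEPT) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=\S+ DPT=(?P<dport>\d+)")
SSH_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+) port \d+")


def normalize(raw):
    """Parse one raw line into a normalized event with common field names (receiver step 2)."""
    head = HEAD_RE.match(raw)
    event = {"host": head.group("host") if head else None, "raw": raw}
    if m := FW_RE.search(raw):
        event.update(event_type="fw_" + m.group("action").lower(),
                     src_ip=m.group("src"), dst_ip=m.group("dst"), dst_port=int(m.group("dport")))
    elif m := SSH_RE.search(raw):
        event.update(event_type="auth_failure", user=m.group("user"), src_ip=m.group("src"))
    else:
        event["event_type"] = "unknown"  # unparsed lines are kept, never dropped
    return event


def aggregate(events, fields=("event_type", "src_ip", "dst_ip", "dst_port")):
    """Group events on a configurable tuple of fields (receiver step 3) -> {key: count}."""
    return dict(Counter(tuple(e.get(f) for f in fields) for e in events))


def build_chain(lines, seed=b"elm-chain-seed"):
    """Hash-chain raw lines as they are appended to a flat store (ELM step 3).
    Each digest commits to the previous one, so an edit or deletion breaks verification."""
    prev, chain = hashlib.sha256(seed).digest(), []
    for line in lines:
        prev = hashlib.sha256(prev + line.encode()).digest()
        chain.append(prev.hex())
    return chain


def verify_chain(lines, chain, seed=b"elm-chain-seed"):
    """Recompute the chain over the stored lines and compare it with the recorded digests."""
    return build_chain(lines, seed) == chain
```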
Many thanks, Alexander, for your prompt answer and for the great articles.
I have another question about the needed protocols and ports to be granted for the SIEM solution, please.
I have not found any answer in the installation and basic configuration article.
Many thanks, Alexander. Appreciated.