2 Replies Latest reply on Mar 10, 2016 10:24 AM by michael_logan

    How do logs flow through the SIEM? The Journey of a syslog...


      I REALLY wish there was a diagram of this process!! wink wink



      So you have a log source that sends a log.....


      1. Log enters from a specific IP that you have created a Data Source for.

      2. Data Source interprets what type of log is being sent (Cisco ASA (ASP), for example).

      3. Policy dictates which path the log takes through rules?

      4. Log then hits Data Source Rules specific to its type (let's say Cisco ASA (ASP)) looking for a match (if no match, move on).

      5. Now log is evaluated by ALL enabled Data Source Rules?  Again no match...

      6. Log is now sent through ASP Rules?  And if no match, it becomes unknown?



      So how does a log find a match in rules?  At which point does it get autolearned? When will it just become an unknown?

        • 1. Re: How do logs flow through the SIEM? The Journey of a syslog...

          Strongly agree. This would go a long way in helping people understand the best way to organize data sources, create effective policies, and would likely decrease the number of how-do-I support calls. Understanding the underlying operation and architecture of a product like this is important to using it properly to produce the desired outcome.


          To the examples already provided by scott3boy, I'd add that it is important to understand how the data flow is altered depending on type of data source (standalone, parent, client, child) and collection method (syslog, MEF, WMI, CIF).

          • 2. Re: How do logs flow through the SIEM? The Journey of a syslog...

            Here is the path an event takes when it reaches the ERC:


            1. Receiver Filter Rules are applied.

            2. The event passes to the parser (ASP Rules) for the specific data source type that was defined in the configuration for the IP address from which the event was received.

            3. The metadata (Data Source Rules) is added to the parsed event to further identify its content.

            4. The event is aggregated and stored in the ERC database and awaits retrieval by the ESM.


            Hope this helps.
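To make the four-step path in the reply above concrete, here is a small added model of it (receiver filter rules, per-data-source parser, data source rule metadata, aggregation), including the "unknown" outcomes the original question asks about. This is illustration code written for this thread, not ESM/ERC code; the data sources, rules and log lines are all constructed.

```python
import re
from collections import Counter
# Data sources keyed by sender IP (constructed sample configuration).
DATA_SOURCES = {"10.0.0.1": "cisco_asa", "10.0.0.2": "linux_auth"}
# Step 1: receiver filter rules run before parsing; a match drops the event.
FILTER_RULES = [re.compile(r"heartbeat", re.I)]
# Step 2: parsers (the thread's "ASP Rules") per data source type; first match wins.
PARSERS = {
    "cisco_asa": [re.compile(r"%ASA-(?P<sev>\d)-(?P<msg_id>\d{6}): (?P<text>.*)")],
    "linux_auth": [re.compile(r"sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>\S+)")],
}
# Step 3: data source rules attach metadata to an already parsed event.
DS_RULES = {
    ("cisco_asa", "106023"): {"category": "firewall_deny", "severity": "warning"},
    ("cisco_asa", "302013"): {"category": "connection_built", "severity": "info"},
    ("linux_auth", None): {"category": "auth_failure", "severity": "warning"},
}

def parse_event(sender_ip, line):
    """Run one raw syslog line through filter -> parser -> metadata."""
    if any(r.search(line) for r in FILTER_RULES):
        return None                                  # dropped by a receiver filter rule
    ds_type = DATA_SOURCES.get(sender_ip)
    if ds_type is None:                              # no data source configured for this IP
        return {"type": "unknown", "reason": "no data source for sender"}
    for rx in PARSERS[ds_type]:
        m = rx.search(line)
        if m:
            event = {"type": ds_type, **m.groupdict()}
            rule = DS_RULES.get((ds_type, event.get("msg_id")), {"category": "unclassified"})
            event.update(rule)
            return event
    return {"type": "unknown", "reason": f"no {ds_type} parser matched"}

def aggregate(events):
    """Step 4: collapse identical parsed events into counts before storage."""
    return Counter((e["type"], e.get("msg_id"), e.get("category")) for e in events)

SAMPLE = [  # constructed lines, not real captures
    ("10.0.0.1", "%ASA-4-106023: Deny tcp src outside:203.0.113.5/4444 dst inside:10.1.1.10/22"),
    ("10.0.0.1", "%ASA-4-106023: Deny tcp src outside:203.0.113.5/4445 dst inside:10.1.1.10/22"),
    ("10.0.0.1", "%ASA-6-302013: Built inbound TCP connection 12 for outside:203.0.113.6/80"),
    ("10.0.0.1", "heartbeat from collector"),                      # filtered out in step 1
    ("10.0.0.2", "sshd[812]: Failed password for root from 203.0.113.7 port 5000 ssh2"),
    ("10.0.0.2", "kernel: usb 1-1: new USB device found"),         # no linux_auth parser matches
    ("192.0.2.9", "%ASA-4-106023: Deny tcp src outside:198.51.100.4/1 dst inside:10.1.1.10/22"),  # unknown sender
]
def process(sample=SAMPLE):
    # Run every line through the path; return the kept events and their aggregate counts.
    events = [e for e in (parse_event(ip, line) for ip, line in sample) if e is not None]
    return events, aggregate(events)
```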