Introduction
Security information and event management (SIEM) is commonly described as the process of collecting data from multiple sources, including databases, network security devices, operating systems and applications, for the purpose of security management (Amoroso, 2012). A SIEM performs a myriad of operations, but collection is the most critical of them, since every correlation rule, dashboard and alert depends on the data that was gathered in the first place. Modern SIEM technology grew out of security information management and log management, and it allows a wide variety of logs to be collected from many different sources.
Log Collection Process
At the root of a SIEM server is a log management platform that collects data for evaluation and storage. The SIEM gathers logs and events from the organisation's many computing systems. Every device generates an event whenever something of note happens, and these events are collected into a single central repository, either a database or a flat log file. Several functional components take part in the data collection process: the source, the data, the collector and the protocol (Inns, 2014).
The source is the computing device that produces the data. The data is the event, or more generally the artefact that describes what happened; in a SIEM most data takes the form of events and logs. The collector takes different forms, but every collector connects to the source, directly or indirectly, to gather the data. The protocol is the means by which the collector communicates with the source, for example a network protocol or an API.
Log collection in a SIEM is either agent-based or agent-less (Shivhare and Savaridassan, 2015), and the agent-based method is the more common of the two. In this method a collection agent is installed on the source device, usually deployed through the vendor's management tooling or a third-party software-deployment system. Because the agent runs locally, typically with elevated privileges, it has full access to the system it monitors and can use whatever technology suits the data (an API, the Windows registry or WMI) to collect it.
The main drawback of an agent is the attack surface it adds: a privileged process on every monitored host becomes a target if it contains an exploitable local vulnerability, or if it exposes a listening port to the network. Agent-less collection, on the other hand, takes three forms: a direct connection to the source over a network protocol or an API call; reading log files straight from storage, usually in syslog format; and receiving an event stream over a streaming protocol such as NetFlow, SNMP or IPFIX.
In the first form, remote code on the collector communicates over the network directly with the device and pulls the data from it. In the second, the source writes its own log files, typically in syslog or event-log format, to a dedicated log repository, and the collector reads them from that repository over a remote access protocol such as WMI or RPC. In the third, a receiver on the collector accepts a continuous stream of events or flow records that the source pushes to it.
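The following is an added example, not code from the page or from any SIEM vendor, that implements the source/data/collector/protocol model above for the two agent-less methods most often seen in practice: receiving syslog over the network and reading a syslog-format file straight from storage. Both paths feed one parser that normalises RFC 5424 and RFC 3164 lines into events. The sample lines, the `peer` field, and the function names are this example's own assumptions. The parser records the address the transport reports separately from the hostname the message claims, because plain syslog is unauthenticated and the claimed name is trivially spoofed.

```python
"""Agent-less syslog collection: a network (UDP) receiver and a direct file
reader feeding one parser that normalises RFC 5424 and RFC 3164 lines.
Constructed example, not code from the page; sample lines are made up."""
import os
import re
import socket
from typing import Optional

# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
# (structured-data elements containing an escaped ']' are not handled here)
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$"
)
# RFC 3164 (BSD syslog): <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<app>[^:\[ ]+)(?:\[(?P<procid>\d+)\])?: ?(?P<msg>.*)$"
)
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_syslog(line: str, peer: str) -> Optional[dict]:
    """Turn one raw syslog line into a normalised event. `peer` is what the
    transport knows about the origin (sender IP, or the file path) and is
    stored separately from the hostname the message claims, because plain
    syslog is unauthenticated and the claimed name is trivially spoofed.
    Returns None for lines that match neither format or carry an invalid PRI,
    so malformed or hostile input is dropped rather than half-parsed."""
    for fmt, rx in (("rfc5424", RFC5424), ("rfc3164", RFC3164)):
        m = rx.match(line)
        if not m:
            continue
        pri = int(m.group("pri"))
        if pri > 191:  # facility is 0-23 and severity 0-7, so PRI <= 23*8+7
            return None
        g = m.groupdict()
        return {
            "format": fmt,
            "facility": pri >> 3,
            "severity": SEVERITIES[pri & 7],
            "timestamp": g["ts"],
            "claimed_host": g["host"],  # asserted by the sender
            "peer": peer,               # observed by the collector
            "app": g["app"],
            "procid": None if g.get("procid") in (None, "-") else g["procid"],
            "message": (g.get("msg") or "").strip(),
        }
    return None


def collect_from_file(path: str, state: dict) -> list:
    """Read log lines appended since state['offset'] (the second agent-less
    method: reading the log file straight from storage). Only complete lines
    are consumed, so a line still being written waits for the next pass, and
    the saved offset lets a restarted collector resume without duplicates.
    If the file shrank it was rotated or truncated, so start from the top."""
    offset = state.get("offset", 0)
    if os.path.getsize(path) < offset:
        offset = 0
    events = []
    with open(path, "rb") as f:
        f.seek(offset)
        while True:
            raw = f.readline()
            if not raw.endswith(b"\n"):
                break
            offset += len(raw)
            ev = parse_syslog(raw.decode("utf-8", "replace").rstrip("\r\n"), peer=path)
            if ev:
                events.append(ev)
    state["offset"] = offset
    return events


def receive_udp(bind_addr: str, port: int, max_datagrams: int) -> list:
    """Collect over a network protocol (the first agent-less method): listen
    for syslog datagrams and parse each one. The kernel-reported sender IP
    becomes `peer`. UDP syslog offers neither delivery guarantees nor sender
    authentication; prefer syslog over TLS (RFC 5425) for real deployments."""
    events = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_addr, port))
        for _ in range(max_datagrams):
            data, (ip, _port) = s.recvfrom(65535)
            ev = parse_syslog(data.decode("utf-8", "replace").rstrip("\r\n"), peer=ip)
            if ev:
                events.append(ev)
    return events


if __name__ == "__main__":
    # Constructed sample lines, one per format.
    for sample in (
        "<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - 'su root' failed for lonvick on /dev/pts/8",
        "<13>Oct 11 22:14:15 mymachine sshd[1234]: Failed password for root from 192.0.2.1 port 22 ssh2",
    ):
        print(parse_syslog(sample, peer="192.0.2.9"))
```

Keeping `peer` next to `claimed_host` is the detail that matters for detection work: a correlation rule that keys on the hostname alone can be steered by anyone who can send a UDP packet to the collector, whereas the transport address (or, with TLS syslog, the client certificate) is what the collector actually observed. The file reader's offset bookkeeping is the same idea that production agents and agent-less file readers use to survive restarts and log rotation without duplicating or losing lines.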
The agent-based method is preferred because it can use several technologies to collect data, including highly efficient direct API access, and because an agent can take corrective action locally even when the host cannot be reached from the SIEM over the network. Agent-less methods can collect only what the source exposes over the remote protocol, although they add no software, and therefore no extra attack surface, to the monitored host.
In conclusion, data collection in a SIEM is conceptually simple, but the sheer number of source types, log formats and transports makes it complicated in practice. By combining agent-based and agent-less collection techniques, a SIEM can overcome this barrier and gather the information that security monitoring requires.
References
Amoroso, E. G. (2012). Collection. In Cyber attacks: Protecting national infrastructure (Chapter 8). Elsevier.
Inns, J. (2014). The evolution and application of SIEM systems. Network Security, 2014(5), 16-17.
Shivhare, P., & Savaridassan, P. (2015). Addressing security issues of small and medium enterprises through enhanced SIEM technology. International Journal of Science and Research, 4(4), 1241-1243.