Collection Methods in a SIEM


SIEM refers to the process of grouping data from multiple sources, including databases, network security devices, operating systems and applications, for security management (Amoroso, 2012). SIEM technology performs a myriad of operations; nevertheless, the collection functionality is the most critical. Modern SIEM technology has been linked to the security information management and log management processes that allow for the collection of a wide variety of logs from multiple sources.


Log Collection Process

At the root of the SIEM server is the log management platform that collects data for evaluation and storage. SIEMs gather logs and events from numerous organizational computing systems. Every device generates an event each time something happens. These events are then collected into a single repository, a database or flat log file. There are several functional components involved in the data collection process: source, data, collector and protocol (Inns, 2014).

The source comprises the computing devices. The data is an event, or rather an artefact detailing what happened; in this case, most data will be in the form of events and logs. The collector takes different forms, but all of them connect to the source either directly or indirectly to gather data. The protocol refers to how the collector communicates with the source, and this can be through an API.

Log collection methods in SIEM technology can be either agent-based or agent-less (Shivhare and Savaridassan, 2015). The agent-based method is the more popular of the two. In this method, an agent data collector, usually deployed with either vendor management or third-party deployment software, is installed on the source device. The agent data collector has complete access to the system being monitored and can choose any technology (API, registry or WMI) required to collect the necessary data.

However, the main problem with using an agent data collector is that it introduces potential security issues if it suffers from local vulnerabilities that can be exploited, or if the installed agent exposes itself to the network. On the other hand, there are three agent-less methods: collecting logs through direct connections to the source using a network protocol or API call; accessing log files straight from storage, usually in the Syslog format; and receiving data through an event streaming protocol such as Netflow, SNMP or IPFIX.

Collection of event data through direct connections to the source, using a network protocol or API call, entails remote code communicating over the network directly with a device. Conversely, accessing log files directly from storage, usually in the Syslog or event log format, utilizes an agent writing code that writes to a dedicated log repository, which is often a WMC or RPC. Finally, log collection through an event streaming protocol such as Netflow, SNMP or IPFIX involves receivers accepting a log file stream.
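As an added example (not part of the original essay), the following Python code illustrates the agent-less method of reading log files straight from storage in Syslog format, mapping each line onto the source, data, collector and protocol components described earlier. It assumes RFC 3164 (BSD syslog) lines; the field names, `parse_line`, `collect` and the sample lines are constructed for illustration.

```python
import re
from datetime import datetime

# RFC 3164 line: <PRI>Mmm dd hh:mm:ss host tag[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$")
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse_line(line, year, collector="file-reader", protocol="file"):
    """Return a normalized event dict, or None if the line is not valid RFC 3164."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:  # highest valid PRI: facility 23 * 8 + severity 7
        return None
    try:
        # RFC 3164 timestamps carry no year, so the collector must supply one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    except ValueError:  # e.g. an unknown month name or day 99
        return None
    return {
        "source": m["host"],        # device that generated the event
        "collector": collector,     # assumed label for this reader
        "protocol": protocol,       # how the collector reached the source
        "facility": pri >> 3,
        "severity": SEVERITIES[pri & 7],
        "timestamp": ts.isoformat(),
        "app": m["tag"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "data": m["msg"],           # the event payload itself
    }

def collect(lines, year):
    """One pass over a flat log file: returns (events, rejected_lines)."""
    events, rejected = [], []
    for line in lines:
        ev = parse_line(line, year)
        (events if ev else rejected).append(ev or line)
    return events, rejected

# Constructed sample lines (not taken from any real system).
SAMPLE = [
    "<38>Aug 12 09:15:02 web01 sshd[2211]: Failed password for invalid user admin from 192.0.2.10 port 50122 ssh2",
    "<86>Aug  3 23:59:59 db02 sudo: pam_unix(sudo:session): session opened for user root",
    "garbage line without a priority header",
]
```

Keeping the rejected lines rather than silently dropping them lets the SIEM operator notice when a source changes its log format and events stop being parsed.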

The agent-based method is more popular than the agent-less approach because it can use several technologies to collect data, including highly efficient direct API access. Furthermore, agent-based techniques can trigger corrective actions locally, even in instances where the agent is inaccessible. On the other hand, the agent-less methods can only collect log files that are made available by the remote protocol.


In conclusion, data collection in SIEM technology is a relatively simple process; however, the existence of numerous variations makes the process complicated. Through the use of agent-based and agent-less data collection techniques, SIEM has been able to overcome this barrier and gather the information required for security purposes.


Amoroso, E. G. (2012). Collection. In Cyber attacks: Protecting national infrastructure (Chapter 8). Elsevier.

Inns, J. (2014). The evolution and application of SIEM systems. Network Security, 2014(5), 16-17.

Shivhare, P., & Savaridassan, P. (2015). Addressing security issues of small and medium enterprises through enhanced SIEM technology. International Journal of Science and Research, 4(4), 1241-1243.


StudyCorgi. (2021, August 12). Collection Methods in a SIEM. Retrieved from


This paper was written and submitted to our database by a student to assist you with your own studies. You are free to use it to write your own assignment; however, you must reference it properly.