Security Information and Event Management system (SIEM)
Host-Centric Log Sources
They are logs collected directly from an individual device, such as a laptop, desktop, server, or virtual machine. They show what is happening on that specific host, including logins, process activity, file changes, software events, and system errors.
Example: The Security log on a company laptop showing a successful logon (Event ID 4624) for a user account at 2:13 AM, followed by a process-creation event (Event ID 4688, or Sysmon Event ID 1 where Sysmon is installed) showing that powershell.exe was launched.
Use case: A security analyst uses host-centric logs to investigate whether a single computer was compromised. For example, they may check the logs to see if malware ran, if an unusual user logged in, or if suspicious commands were executed.
Network-Centric Log Sources
They are logs collected from network devices and network traffic rather than from one specific computer. They show communication between systems, such as connections, allowed or blocked traffic, source and destination IP addresses, ports, and protocols.
Example: A firewall log entry showing that an internal host opened an outbound connection on TCP port 443 to an external IP address the organization has not seen before.
Use case: A security analyst uses network-centric logs to detect suspicious communication across the network. For example, they can spot data exfiltration, command-and-control traffic, port scanning, or unauthorized remote access attempts.
SIEM
It stands for Security Information and Event Management. It is a security platform that collects logs from many sources, such as workstations, servers, firewalls, cloud services, and applications, normalizes them into a common schema, and correlates and analyzes them so analysts can detect threats and respond faster.
Example: A SIEM receives sign-in logs from Microsoft 365, firewall logs, and Windows event logs, then alerts the security team because it notices 20 failed logins followed by a successful login from a country or IP address the user has never signed in from before.
Use case: A security analyst uses a SIEM to monitor an organization’s environment in one place. For example, it can help detect brute-force attacks, suspicious logins, malware activity, or unusual behavior across multiple systems.
Event Viewer
This is the built-in Windows tool for viewing the event logs that the Windows Event Log service records on a computer: the Application, Security, and System logs, plus the Applications and Services Logs kept by individual components. Those logs contain events such as logon attempts, software errors, system warnings, service activity, and security-related actions (the audit policy determines which security events are actually recorded).
Example: In the Security log in Event Viewer, you might see several failed logon events (Event ID 4625) for one account followed by a successful logon (Event ID 4624) for the same account.
Use case: An IT or security analyst uses Event Viewer to troubleshoot problems or investigate suspicious activity on a Windows machine. For example, they can check whether a service crashed, whether someone logged in at an unusual time, or whether a program caused an error.
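The SIEM and Event Viewer entries above both describe the same pattern: many failed logons followed by a success, possibly from an unfamiliar place. The following is an added example (not code from the original notes) of how a SIEM rule evaluates that pattern across two sources at once. All events are constructed: the Windows records mimic Security log entries (Event ID 4625 = failed logon, 4624 = successful logon, with the real TargetUserName and IpAddress field names); the field names for the Microsoft 365 sign-in records and the per-user country baseline are assumptions chosen for illustration, not the real schema.

```python
"""Correlating logon events from two sources the way a SIEM rule would.

Added example, not code from the original notes. All events are constructed;
the M365 field names and EXPECTED_COUNTRIES baseline are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 20                          # failed logons that make a following success suspicious
WINDOW = timedelta(minutes=10)          # look-back window for those failures
EXPECTED_COUNTRIES = {"jdoe": {"US"}}   # assumed per-user baseline (hypothetical)


def make_windows_events():
    """Constructed: 20 failed logons (4625) for jdoe, 15 s apart, then one success (4624)."""
    base = datetime(2024, 5, 1, 2, 0, 0)
    events = []
    for i in range(20):
        events.append({"TimeCreated": (base + timedelta(seconds=15 * i)).isoformat(),
                       "EventID": 4625, "TargetUserName": "jdoe",
                       "IpAddress": "203.0.113.7"})
    events.append({"TimeCreated": (base + timedelta(minutes=6)).isoformat(),
                   "EventID": 4624, "TargetUserName": "jdoe",
                   "IpAddress": "203.0.113.7"})
    return events


# Constructed M365 sign-ins (assumed field names): jdoe succeeds from an unfamiliar
# country shortly after the Windows brute force; asmith's sign-in is normal.
M365_EVENTS = [
    {"createdDateTime": "2024-05-01T02:07:30", "userPrincipalName": "jdoe@example.com",
     "ipAddress": "203.0.113.7", "status": "success", "country": "RO"},
    {"createdDateTime": "2024-05-01T09:00:00", "userPrincipalName": "asmith@example.com",
     "ipAddress": "198.51.100.4", "status": "success", "country": "US"},
]


def normalize_windows(ev):
    """Map a Windows Security event to the common schema the rule works on."""
    return {"ts": datetime.fromisoformat(ev["TimeCreated"]),
            "user": ev["TargetUserName"].lower(),
            "src_ip": ev["IpAddress"],
            "outcome": "success" if ev["EventID"] == 4624 else "failure",
            "country": None, "source": "windows"}


def normalize_m365(ev):
    """Map an M365 sign-in record (assumed field names) to the common schema."""
    return {"ts": datetime.fromisoformat(ev["createdDateTime"]),
            "user": ev["userPrincipalName"].split("@")[0].lower(),
            "src_ip": ev["ipAddress"],
            "outcome": ev["status"],
            "country": ev.get("country"), "source": "m365"}


def correlate(events, threshold=THRESHOLD, window=WINDOW, expected=EXPECTED_COUNTRIES):
    """Return one alert per success that follows >= threshold failures for the
    same user inside the window, plus one per success from a country outside
    that user's baseline. Events from every source are evaluated together."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["outcome"] != "success":
                continue
            recent_failures = [f for f in evs[:i]
                               if f["outcome"] == "failure" and e["ts"] - f["ts"] <= window]
            if len(recent_failures) >= threshold:
                alerts.append({"rule": "brute_force_then_success", "user": user,
                               "src_ip": e["src_ip"], "failures": len(recent_failures),
                               "sources": sorted({f["source"] for f in recent_failures}
                                                 | {e["source"]})})
            if e["country"] and user in expected and e["country"] not in expected[user]:
                alerts.append({"rule": "unfamiliar_location", "user": user,
                               "src_ip": e["src_ip"], "country": e["country"],
                               "source": e["source"]})
    return alerts


def run():
    """Ingest both constructed feeds, normalize them, and run the rule."""
    events = ([normalize_windows(e) for e in make_windows_events()]
              + [normalize_m365(e) for e in M365_EVENTS])
    return correlate(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Run as a script, it prints three alerts for jdoe: the Windows success after 20 failures, the M365 success that the same 20 Windows failures precede (the cross-source case a single host's Event Viewer cannot show), and the unfamiliar-country alert for that M365 sign-in. Two caveats a real deployment has to handle: the second alert reuses the same failures as the first, so a production rule deduplicates on the failure set; and 4625 events only exist if failed-logon auditing is enabled on the source host.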
Linux log locations
They are the common folders and files where Linux stores system, application, authentication, and service logs. Most of them are found under the /var/log/ directory, although the exact file names depend on the distribution.
Example: /var/log/auth.log on Ubuntu or Debian systems stores authentication-related events, such as login attempts and sudo usage.
Use case: A system administrator or security analyst checks Linux log locations when troubleshooting issues or investigating suspicious activity. For example, they may review /var/log/auth.log to see failed SSH login attempts or /var/log/syslog to understand why a service failed.
Some common Linux log files are:
- /var/log/syslog — general system activity (Debian/Ubuntu)
- /var/log/auth.log — logins, sudo, and other authentication events (Debian/Ubuntu)
- /var/log/kern.log — kernel messages
- /var/log/dmesg — kernel ring-buffer messages captured at boot, on distributions that save them (the dmesg command shows the live buffer)
- /var/log/messages — general system activity on RHEL, CentOS, and related distributions
- /var/log/secure — authentication logs on RHEL, CentOS, and related distributions
- /var/log/apache2/ (Debian/Ubuntu) or /var/log/httpd/ (RHEL/CentOS) — Apache access and error logs
On systems using systemd, logs can also be viewed with journalctl, for example journalctl -u ssh (Debian/Ubuntu) or journalctl -u sshd (RHEL/CentOS) for the SSH service log, and journalctl -k for kernel messages.
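The use case above, reviewing /var/log/auth.log for failed SSH logins and sudo usage, as an added example that is not part of the original notes. The log lines are constructed in the traditional syslog layout that Debian/Ubuntu write to auth.log (timestamp without a year, host, program with optional PID, message); the hostname, users, and IP addresses are made up. The parser turns each line into fields and the summary counts failed SSH attempts per source IP, lists usernames that do not exist on the host, and extracts the commands run through sudo.

```python
"""Parsing /var/log/auth.log lines and summarizing SSH and sudo activity.

Added example, not from the original notes. SAMPLE_AUTH_LOG is constructed.
"""
import re
from collections import Counter

# Constructed auth.log excerpt. The last line is deliberately malformed to show
# that unparseable input is counted rather than silently dropped.
SAMPLE_AUTH_LOG = """\
May  1 02:13:01 web01 sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
May  1 02:13:03 web01 sshd[1234]: Failed password for root from 203.0.113.7 port 51236 ssh2
May  1 02:13:05 web01 sshd[1240]: Accepted password for deploy from 198.51.100.4 port 40000 ssh2
May  1 02:14:00 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
May  1 02:14:00 web01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by deploy(uid=1000)
May  1 02:15:10 web01 sshd[1250]: Failed password for ubuntu from 203.0.113.7 port 51300 ssh2
this line is not syslog and should be skipped
"""

# Traditional syslog line: "Mmm dd hh:mm:ss host program[pid]: message".
# The timestamp carries no year, so a real collector must supply one.
SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
FAILED = re.compile(r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
                    r"from (?P<ip>\S+) port (?P<port>\d+)")
ACCEPTED = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)")
SUDO_CMD = re.compile(r"^(?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$")


def parse_syslog_line(line):
    """Split one auth.log line into fields, or return None if it is not syslog."""
    m = SYSLOG_LINE.match(line)
    if not m:
        return None
    return {"timestamp": m["ts"], "host": m["host"], "proc": m["proc"],
            "pid": int(m["pid"]) if m["pid"] else None, "msg": m["msg"].strip()}


def summarize(text):
    """Failed SSH logins per source IP, attempted non-existent usernames,
    accepted logins, sudo commands, and the number of lines that did not parse."""
    failed_by_ip = Counter()
    invalid_users = []
    accepted = []
    sudo_commands = []
    unparsed = 0
    for line in text.splitlines():
        rec = parse_syslog_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["proc"] == "sshd":
            m = FAILED.search(rec["msg"])
            if m:
                failed_by_ip[m["ip"]] += 1
                if m["invalid"]:
                    invalid_users.append(m["user"])
                continue
            m = ACCEPTED.search(rec["msg"])
            if m:
                accepted.append((m["user"], m["ip"], m["method"]))
        elif rec["proc"] == "sudo":
            m = SUDO_CMD.match(rec["msg"])
            if m:
                sudo_commands.append((m["user"], m["cmd"]))
    return {"failed_by_ip": dict(failed_by_ip), "invalid_users": invalid_users,
            "accepted": accepted, "sudo_commands": sudo_commands, "unparsed": unparsed}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_AUTH_LOG).items():
        print(f"{key}: {value}")
```

On a real host, read the file with `open("/var/log/auth.log")` in place of the constructed string; on RHEL-family systems the same lines live in /var/log/secure. A failed login for an "invalid user" is worth separating out because it means the attacker is guessing usernames, not just passwords.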
Web server logs
They are records created by a web server that show requests made to a website or web application. They usually include the client's IP address, the date and time, the requested path, the HTTP method, the response status code, the response size and, in the common "combined" format, the Referer and the User-Agent string that identifies the browser or client.
Example: An Apache access log entry showing that a client at a certain IP address requested /login with GET and the server returned a 200 OK response.
Use case: A security analyst or web administrator uses web server logs to monitor website activity and investigate issues. For example, they can use the logs to spot repeated failed requests, suspicious scanning, unusual traffic spikes, or errors affecting users.
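The use case above, spotting suspicious scanning in web server logs, as an added example that is not part of the original notes. The lines are constructed in Apache's combined log format; the IP addresses, paths, and user agents are made up, and the thresholds that mark a client as a scanner (at least four 404 responses making up at least half of its requests) are assumptions. The parser handles the "-" that Apache writes for an empty response size, and malformed lines are counted rather than silently dropped.

```python
"""Parsing Apache combined-format access log lines and flagging path scanning.

Added example, not from the original notes. SAMPLE_ACCESS_LOG is constructed
and the scanner thresholds are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed excerpt. 203.0.113.9 probes well-known paths that do not exist;
# the last line is deliberately malformed.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [01/May/2024:02:13:01 +0000] "GET /login HTTP/1.1" 200 1543 "-" "Mozilla/5.0"
203.0.113.9 - - [01/May/2024:02:20:01 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.9 - - [01/May/2024:02:20:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.9 - - [01/May/2024:02:20:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.9 - - [01/May/2024:02:20:03 +0000] "GET /admin HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.9 - - [01/May/2024:02:20:03 +0000] "GET /login HTTP/1.1" 200 1543 "-" "python-requests/2.31"
198.51.100.4 - alice [01/May/2024:02:30:00 +0000] "POST /login HTTP/1.1" 302 - "https://example.com/login" "Mozilla/5.0"
not a log line
"""

# Combined format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?$')


def parse_access_line(line):
    """Parse one combined-format line into typed fields, or None if malformed."""
    m = ACCESS_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])   # "-" means no body
    return rec


def analyze(text, min_404=4, min_404_ratio=0.5):
    """Per-status counts plus the clients whose traffic looks like path scanning:
    at least min_404 not-found responses making up at least min_404_ratio of
    their requests. Thresholds are assumptions; tune them per site."""
    per_ip = defaultdict(lambda: {"requests": 0, "not_found": 0, "paths": set(), "agents": set()})
    status_counts = Counter()
    unparsed = 0
    for line in text.splitlines():
        rec = parse_access_line(line)
        if rec is None:
            unparsed += 1
            continue
        status_counts[rec["status"]] += 1
        s = per_ip[rec["ip"]]
        s["requests"] += 1
        s["paths"].add(rec["path"])
        if rec["ua"]:
            s["agents"].add(rec["ua"])
        if rec["status"] == 404:
            s["not_found"] += 1
    scanners = {}
    for ip, s in per_ip.items():
        if s["not_found"] >= min_404 and s["not_found"] / s["requests"] >= min_404_ratio:
            scanners[ip] = {"requests": s["requests"], "not_found": s["not_found"],
                            "paths": sorted(s["paths"]), "agents": sorted(s["agents"])}
    return {"scanners": scanners, "status_counts": dict(status_counts), "unparsed": unparsed}


if __name__ == "__main__":
    result = analyze(SAMPLE_ACCESS_LOG)
    print("status counts:", result["status_counts"], "unparsed:", result["unparsed"])
    for ip, info in result["scanners"].items():
        print(f"possible scanner {ip}: {info}")
```

The probing client is reported with the paths it tried and its user agent, which is what an analyst needs to decide whether to block the address or add a detection for that tool. Successful requests from the same client matter too: the 200 on /login after the probes shows the scanner also found a real page.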
Log Ingestion
This is the process of collecting logs from different sources and bringing them into a central system, such as a SIEM, for storage, searching, and analysis.
Common methods of log ingestion include:
- Agent-based ingestion — a small software agent is installed on the host and sends logs to the SIEM
- Agentless ingestion — logs are collected remotely without installing software on the device, for example with Windows Event Forwarding (WEF) or by reading events over WMI
- Syslog — the standard log transport for network devices, Linux systems, and security appliances; traditionally UDP port 514, but TCP or TLS (port 6514) is preferred so messages are not silently lost or read in transit
- API-based ingestion — used to pull logs from cloud platforms and SaaS tools like Microsoft 365 or AWS
- File-based ingestion — the SIEM reads logs from saved log files
- Streaming or forwarding — logs are continuously forwarded in near real time
- Manual or batch upload — logs are uploaded in chunks or at scheduled times
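The syslog and forwarding methods above, as an added example that is not part of the original notes: it builds a message the way a forwarder would send it, decodes it the way a collector would, and moves it across a loopback UDP socket to mimic the hop to a SIEM on one machine. It uses the RFC 3164 ("BSD syslog") wire layout, <PRI>TIMESTAMP HOST TAG[PID]: MSG, where PRI = facility * 8 + severity. The hostname and message text are constructed.

```python
"""Syslog ingestion: encoding a message as a forwarder would and decoding it as a
collector would, with a loopback UDP round trip.

Added example, not from the original notes. The hostname and message are constructed.
"""
import re
import socket
from datetime import datetime

FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              16: "local0", 17: "local1", 18: "local2", 19: "local3",
              20: "local4", 21: "local5", 22: "local6", 23: "local7"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 3164: <PRI>Mmm dd hh:mm:ss HOST TAG[PID]: MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$")


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity, with both fields range-checked."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def decode_pri(pri):
    """Split a PRI value back into (facility, severity); the maximum PRI is 191."""
    if not (0 <= pri <= 191):
        raise ValueError(f"invalid PRI {pri}")
    return pri // 8, pri % 8


def format_rfc3164(facility, severity, host, tag, msg, pid=None, when=None):
    """Build the datagram a forwarder sends. RFC 3164 pads a single-digit day
    with a space, which strftime's %d does not do, hence the manual timestamp."""
    when = when or datetime.now()
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    tag_part = f"{tag}[{pid}]" if pid is not None else tag
    return f"<{encode_pri(facility, severity)}>{ts} {host} {tag_part}: {msg}"


def parse_rfc3164(datagram):
    """Parse one datagram into named fields, or return None for input the
    collector cannot interpret (count these in real ingestion; do not drop them)."""
    m = RFC3164.match(datagram)
    if not m:
        return None
    facility, severity = decode_pri(int(m["pri"]))
    return {"facility": FACILITIES.get(facility, str(facility)),
            "severity": SEVERITIES[severity], "timestamp": m["ts"], "host": m["host"],
            "tag": m["tag"], "pid": int(m["pid"]) if m["pid"] else None, "msg": m["msg"]}


def example_datagram():
    """Constructed auth/info message with a fixed timestamp so output is repeatable."""
    return format_rfc3164(4, 6, "fw01", "sshd",
                          "Failed password for root from 203.0.113.7 port 51234 ssh2",
                          pid=1234, when=datetime(2024, 5, 1, 2, 13, 1))


def loopback_round_trip(datagram):
    """Send the datagram over UDP to a collector socket on 127.0.0.1 and parse
    what arrives, mimicking a forwarder-to-SIEM hop on one machine."""
    collector = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    collector.bind(("127.0.0.1", 0))          # port 0 lets the OS pick a free port
    collector.settimeout(2)
    try:
        sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sender.sendto(datagram.encode(), collector.getsockname())
        sender.close()
        data, _ = collector.recvfrom(65535)
    finally:
        collector.close()
    return parse_rfc3164(data.decode())


if __name__ == "__main__":
    wire = example_datagram()
    print(wire)                          # <38>May  1 02:13:01 fw01 sshd[1234]: Failed password ...
    print(loopback_round_trip(wire))
```

Two things the round trip makes visible: the timestamp carries no year or time zone, so the collector has to stamp its own receive time, and UDP gives no delivery confirmation, which is why the ingestion list above recommends TCP or TLS for anything that must not go missing.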