Welcome to 2002! Let’s discuss a timely topic … and, no, it’s not Y2K – that one is fortunately over.
The topic is: SIEM vs log management.
Yes, really! In 2017. This. Is. Still. A thing.
Frankly, I got too many questions like this and finally got mad.
Short version: if you really need log management, and you bought a SIEM and you only use it as a log aggregator, you are probably not having a good time. And you overpaid. This may lead you to think along the lines of “is ELK the best SIEM for me?” without any regard to the fact that ELK is not a SIEM. You, sir, never needed a SIEM! You needed log aggregation and log search, and ELK works well for that [probably not for petabyte scale though – note that the linked post was written in 2007…].
— Dr. Anton Chuvakin (@anton_chuvakin) July 11, 2017
Furthermore, yes, even now in 2017, there is confusion about “what is a SIEM?” vs “what is a log manager?” It is entirely possible that your IT and security requirements call for log aggregation and rapid log search – and for nothing else (so you only need log management). It is just as possible that they call for robust real-time monitoring based on correlation and analytics, lots of security dashboards, etc. (so you need both SIEM and log management, as we say here, and also perhaps a UEBA).
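To make that distinction concrete, here is an added example (not from the post, and not any product's code): a stateless text search over constructed sample auth lines, which is what log management gives you, beside a stateful, time-windowed correlation rule of the kind a SIEM runs. The log lines, the failure threshold and the one-minute window are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd-style auth log lines; not taken from any real system.
SAMPLE_LOGS = """\
2017-07-11T10:00:01 sshd[101]: Failed password for root from 203.0.113.7 port 5001
2017-07-11T10:00:03 sshd[102]: Failed password for root from 203.0.113.7 port 5002
2017-07-11T10:00:05 sshd[103]: Failed password for root from 203.0.113.7 port 5003
2017-07-11T10:00:09 sshd[104]: Accepted password for root from 203.0.113.7 port 5004
2017-07-11T10:05:00 sshd[105]: Failed password for alice from 198.51.100.9 port 6001
2017-07-11T10:30:00 sshd[106]: Accepted password for alice from 198.51.100.9 port 6002
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)

def parse(line):
    """Turn one log line into a dict with a real timestamp, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def log_search(lines, text):
    """Log-management capability: stateless substring search, returns matching raw lines."""
    return [line for line in lines if text in line]

def correlate_bruteforce_success(lines, threshold=3, window=timedelta(minutes=1)):
    """SIEM-style correlation: at least `threshold` failures from one source followed by a
    success from the same source inside `window`, evaluated in event-time order.
    Returns one alert dict per detected sequence (assumed rule shape, for illustration)."""
    recent_failures = defaultdict(deque)  # src -> timestamps of failures still in the window
    alerts = []
    for ev in filter(None, map(parse, lines)):
        q = recent_failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:   # expire failures older than the window
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
        elif len(q) >= threshold:               # success right after a burst of failures
            alerts.append({"src": ev["src"], "user": ev["user"],
                           "failures": len(q), "at": ev["ts"].isoformat()})
            q.clear()                           # do not re-alert on the same burst
    return alerts
```

Search answers "show me every failed login"; only the correlation rule answers "which source failed repeatedly and then got in", which needs state across events and a notion of time that plain search does not keep.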
Finally, if you are really smart, you can use ELK as a foundational set of components to build your own SIEM, like these fine folks have done. But it will involve a lot of work.
To conclude, in a Capt. Obvious fashion: it is all about the requirements. As it always is.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.