Welcome to 2002! Let’s discuss a timely topic … and, no, its not Y2K – that one is fortunately over.
The topic is: SIEM vs log management.
Yes, really! In 2017. This. Is. Still. A thing.
Frankly, I got too many questions like this and finally got mad.
Short version: if you really need log management, and you bought a SIEM and you only use it as a log aggregator, you are probably not having a good time. And you overpaid. This may lead you to think along the lines of “is ELK the best SIEM for me?” without any regard to the fact that ELK is not a SIEM. You, sir, never needed a SIEM! You needed log aggregation and log search, and ELK works well for that [probably not for petabyte scale though – note that the linked post was written in 2007…].
— Dr. Anton Chuvakin (@anton_chuvakin) July 11, 2017
Furthermore, yes, even now in 2017, there is confusion about “what is a SIEM?” vs “what is a log manager?” It is entirely possible that your IT and security requirements call for log aggregation and rapid log search – and for nothing else (so you only need log management). It is just as possible that they call for a robust real-time monitoring based on correlation and analytics, lots of security dashboards, etc (so you need both SIEM and log management, as we say here, and also perhaps a UEBA).
Finally, if you are really smart, you can use ELK as a foundational set of components to build your own SIEM, like these fine folks have done. But it will involve a lot of work.
To conclude, in a Capt Obvious fashion: it is all about the requirements. As it always is 🙂