Systems create event logs that are sometimes the only indicator that something is amiss. The original design intention of logs is that they exist for one of two purposes: to review on a periodic basis as a way of looking for unwanted events, and for forensic purposes in case an incident or breach happens – so that investigators can piece the clues together and see whether the butler did it with a candlestick (if you don’t know the game, Clue!, then just ignore our pithy humor).
We remember “back in the day” when sysadmins would check logs first thing in the morning to see what was amiss. But as sysadmins got busier, guess what was the first daily task to fall by the wayside: you got it – reviewing logs. Soon after, the mere existence of logs was practically forgotten. Logs had become only a forensic resource – but in for them to be useful, you must know that an unwanted event has occurred!
Enter the Security Information and Event Management system, or SIEM for short. A SIEM does what no sysadmin could ever do: it monitors log entries from all systems and network devices in real time, correlates events from various systems and devices, and automatically creates actionable alerts on the spot when unwanted events occur.
Not everyone has a SIEM. Many of those who don’t, don’t review logs either. We strongly discourage this form of negligence, for it is essential that an organization be aware of what is happening in its environment.
– excerpt from an upcoming book
Peter H. Gregory 