SIEM architecture: Data collection → Normalization (common schema) → Aggregation → Correlation engine → Alerting → Storage → Analytics dashboard. Scalability: distributed vs. centralized.
SIEM performance scales with data volume — plan storage and compute accordingly. EPS (Events Per Second) is the primary sizing metric. Normalization (parsing different log formats) is critical — poor parsing = missed detections.
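A minimal sketch of the normalization → aggregation → correlation stages, showing how one unparsed log format causes a missed detection. This is an added example, not part of the original notes; the log lines, schema field names (`action`, `host`, `user`, `src_ip`) and the threshold are constructed assumptions.

```python
import json
import re
from collections import Counter

# Constructed sample events (not real logs). The last format has no parser.
RAW = [
    "Mar  3 10:00:01 web1 sshd[811]: Failed password for root from 203.0.113.7 port 4111 ssh2",
    "Mar  3 10:00:03 web1 sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 4112 ssh2",
    '{"ts":"2024-03-03T10:00:05Z","host":"vpn1","event":"login_failure","user":"root","src_ip":"203.0.113.7"}',
    "Mar  3 10:00:06 web2 sshd[90]: Failed password for bob from 198.51.100.4 port 5000 ssh2",
    "2024-03-03 10:00:07|fw1|AUTH_FAIL|user=root|src=203.0.113.7",
]

SSHD = re.compile(
    r"^\w{3}\s+\d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src_ip>\S+) port \d+"
)

def normalize(line):
    """Map one raw line onto the common schema; None if no parser matches."""
    m = SSHD.match(line)
    if m:
        return {"action": "auth_failure", **m.groupdict()}
    if line.startswith("{"):
        try:
            d = json.loads(line)
        except ValueError:
            return None
        if d.get("event") == "login_failure":
            return {"action": "auth_failure", "host": d.get("host"),
                    "user": d.get("user"), "src_ip": d.get("src_ip")}
    return None

def run_pipeline(raw, threshold):
    """Normalize, aggregate failures per source IP, alert at the threshold."""
    events, unparsed = [], []
    for line in raw:
        ev = normalize(line)
        if ev:
            events.append(ev)
        else:
            unparsed.append(line)  # track parse failures; they hide detections
    per_ip = Counter(e["src_ip"] for e in events if e["action"] == "auth_failure")
    alerts = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return alerts, per_ip, unparsed

if __name__ == "__main__":
    alerts, per_ip, unparsed = run_pipeline(RAW, threshold=4)
    # Four failures came from 203.0.113.7, but only three were parsed: no alert.
    print("alerts:", alerts, "counts:", dict(per_ip), "unparsed:", len(unparsed))
```

Tracking the unparsed count per source is the practical check here: a rising parse-failure rate means correlation rules are running on incomplete data.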