What is log management and SIEM correlation?

D4 · Operations · CompTIA Security+ SY0-701
Log management involves collecting, storing, protecting, and retaining log data from systems, applications, and network devices. Logs are the primary evidence source for forensic investigation and compliance.

SIEM correlation adds intelligence: it applies rules and analytics to log data to identify patterns indicating threats that no single log source would reveal alone.

Log sources: firewalls, IDS/IPS, servers, endpoints, applications, cloud services, authentication systems.

Key log types: security logs (auth events), system logs (OS events), application logs, network flow logs.

Logs must be protected from tampering (attackers delete logs to cover their tracks). Send logs to a centralized, write-once system.

Log retention periods are defined by compliance requirements (PCI DSS: 1 year minimum, 3 months online).

NTP (time synchronization) is critical for log correlation: mismatched timestamps make correlation impossible.
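As an added illustration of the two points above (a correlation rule that only fires across sources, and why unsynchronized clocks break it), here is a small Python correlation routine written for this entry; it is not code from the SY0-701 material or from any SIEM product. The log lines, hostnames, IP addresses and the "denies followed by a successful login" rule are all constructed for the example. The `clock_skew` parameter simulates an auth server whose clock has drifted because it is not using NTP.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not from any real system). The firewall logs
# in UTC ('Z' suffix); the auth server logs local time with an explicit
# offset, as two real sources with different formats might.
FIREWALL_LOG = [
    "2024-03-01T14:00:01Z fw01 action=deny src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2024-03-01T14:00:02Z fw01 action=deny src=203.0.113.7 dst=10.0.0.5 dport=23",
    "2024-03-01T14:00:03Z fw01 action=deny src=203.0.113.7 dst=10.0.0.5 dport=445",
    "2024-03-01T14:00:04Z fw01 action=deny src=203.0.113.7 dst=10.0.0.5 dport=3389",
    "2024-03-01T14:00:09Z fw01 action=allow src=198.51.100.4 dst=10.0.0.8 dport=443",
]
AUTH_LOG = [
    "2024-03-01T09:06:30-05:00 auth01 outcome=success user=svc_backup src=203.0.113.7",
    "2024-03-01T09:10:00-05:00 auth01 outcome=success user=bob src=198.51.100.4",
]


def parse_line(line, clock_skew=timedelta(0)):
    """Parse 'timestamp host key=value ...' into a dict with a UTC datetime.

    Normalizing every source to UTC is the first step of correlation.
    clock_skew (hypothetical parameter) models a source whose clock is wrong.
    """
    ts_str, host, *fields = line.split()
    ts = datetime.fromisoformat(ts_str.replace("Z", "+00:00"))
    event = {"ts": ts.astimezone(timezone.utc) + clock_skew, "host": host}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def correlate(events, min_denies=3, window=timedelta(minutes=10)):
    """Rule: >= min_denies firewall denies from one source IP, followed within
    `window` by a successful authentication from that same IP.

    The firewall alone just sees blocked traffic; the auth server alone just
    sees a normal login. Only the combination is suspicious.
    """
    by_src = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        by_src[event["src"]].append(event)

    alerts = []
    for src, evs in by_src.items():
        denies = [e for e in evs if e.get("action") == "deny"]
        for success in (e for e in evs if e.get("outcome") == "success"):
            recent = [d for d in denies
                      if success["ts"] - window <= d["ts"] <= success["ts"]]
            if len(recent) >= min_denies:
                alerts.append({
                    "src": src,
                    "user": success["user"],
                    "denies": len(recent),
                    "success_at": success["ts"].isoformat(),
                })
    return alerts


def run(auth_skew_minutes=0):
    """Correlate both sources; auth_skew_minutes simulates clock drift on auth01."""
    events = [parse_line(line) for line in FIREWALL_LOG]
    skew = timedelta(minutes=auth_skew_minutes)
    events += [parse_line(line, clock_skew=skew) for line in AUTH_LOG]
    return correlate(events)


if __name__ == "__main__":
    print("clocks in sync:", run())          # one alert for 203.0.113.7
    print("auth01 20 min fast:", run(20))    # no alert: events fall outside the window
    print("auth01 20 min slow:", run(-20))   # no alert: login appears to precede the denies
```

With synchronized clocks the rule fires once, for `svc_backup` from `203.0.113.7` (four denies within ten minutes of the login). Skewing the auth server's clock by twenty minutes in either direction yields no alert at all, even though nothing about the underlying activity changed; that is the concrete cost of missing NTP that the entry describes.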
โ† Back to Glossary Practice Questions โ†’