Log Management vs. SIEM
See how security solutions compare
June 9th, 2020
First of all, log management tools and Security Information and Event Management (SIEMs) tools are more complementary than competitive. Yes, they broadly overlap in that they both process event data, however, they are designed and utilized to meet different use cases. And there are those who want the flexibility to design their own SIEM using a modern log management tool.
Log management tools are primarily designed to collect any kind of machine-readable data, and provide optimized storage and search capabilities for it. SIEMs are primarily designed to provide a security overview of a system. While savvy practitioners can adjust either to meet similar needs, the best use case for either solution is to deploy them in a way that corresponds with their greatest strengths. Therefore, it’s more appropriate to run a log management tool alongside a SIEM tool as a means to add additional data for better context, and use it for faster search and better storage.
To provide a more complete understanding of SIEMs and log management tools let’s divide their features into three categories: features primarily found in SIEMs; features primarily found in log management; and the advantages of using the two together.
Features primarily found in SIEMs:
Data analysis correlation
Selective data sources
Advanced Automation tools
SIEMs are designed to filter millions of events into a few alerts using data analysis and event correlation. They are typically rich in security features which can include reporting and investigation of security incidents, alerts based on a certain rule set to indicate a security incident, and report-generating tools that can assist in compliance. With this complexity, SIEMs can become expensive to maintain and operate. They can make compromises in speed and comprehensiveness of data because they are attempting to be exhaustive in their scope of features. Through their pricing models, SIEMs may place pressure on not including all possible data sources.
Features primarily found in log management:
Inclusive of all data sources
Long-term data retention
Modern log management tools emphasize bringing in data from a wide variety of sources as quickly as possible, and providing users with a comprehensive way to search their data as soon as it comes in. They are built to collect and store millions of events per second, and compress and store them efficiently. The core strengths of log management address many of the concerns with SIEMs. They provide a full picture of all data from a system at a lower cost with less maintenance, and they’re able to store it longer than a SIEM.
Benefits of using both log management and SIEMs together:
Make extensive use of log data
Can be used for threat hunting
Can help meet compliance requirements
Provide alerts and automation
In Gartner’s article Use Central Log Management for Security Operations Use Cases (subscription required), they explore this use case:
“Central log management is an important, but often undervalued, tool for an organization’s threat management capabilities and compliance requirements. Security and risk management leaders can benefit from the adoption of a log management tool for multiple security operations use cases.
“Modern security operations center activities require access to log data from a variety of sources that may be too expensive to consume in a SIEM solution. However, analysts investigating events may need access to this additional data for context and correlation, and threat hunters need access to a broad scope of data to do their job.” 1
Both tools make extensive use of log data. SIEMs focus on curating, analyzing, and filtering that data before it gets to the end-user. Log management focuses on providing access to all data, and a means of easily filtering it and curating it through an easy-to-learn search language.
Both SIEMs and log management can be used for threat hunting. SIEMs typically take longer to alert users to threats, and may miss some threats because they don’t have a complete data set. Log management can alert users to threats quicker, and can support a more hands-on and comprehensive approach to threat hunting.
SIEMs meet compliance by providing audit reports. Log management helps compliance by providing low-cost storage of data for long periods of time.
Log management and SIEMs both provide alerts and automation. Powered by real-time search results, log management takes less time than SIEMs to share alerts and trigger responses. SIEMs provide a more complex way of managing your automation response by allowing you to build playbooks of automated responses supplied by the SIEM vendor.
Differences in cost
Functionally, SIEMs provide richer features, but this also means they cost more in maintenance, training, and license costs. Modern log management tools can alleviate some of this cost by taking over for SIEMs in processing and storing much of the log data.
Powered by efficient storage and search design, Humio log management provides the lowest total cost of ownership (TCO) for modern log management. Its cost-savings are so effective, it can be deployed to replace bulk log collection and lengthen data retention for SIEM users. It works with industry-standard file shippers, like Filebeat and Splunk Universal Forwarder, making integration seamless.
See how to use log management alongside a SIEM in our How-To Guide: Use log management as the foundation of the security stack.
Explore additional security use cases for log management at humio.com/secops.
Learn more about the relationship between log management and SIEMs with these articles:
1. Gartner: Use Central Log Management for Security Operations Use Cases, Mar 20, 2020, Toby Bussa, Kelly Kavanagh, Mitchell Schneider (Gartner subscription required).