Loopus


Log Sources & Collection

30 min
theory
+40 XP

Learning Objectives

  • Identify critical log sources for security monitoring
  • Understand log collection methods and architectures
  • Configure reliable log ingestion pipelines

Log Sources and Collection

Your SIEM is only as good as the data feeding it. Understanding what log sources to prioritize, how to collect them reliably, and what to do when collection fails is fundamental to effective security monitoring.

Prioritizing Log Sources

Not all logs provide equal security value. With unlimited budget and storage, you would collect everything. In reality, you prioritize:

Authentication systems are highest priority. Active Directory domain controllers, RADIUS servers, identity providers—these show who accessed what and when. Without authentication logs, you cannot detect credential abuse or unauthorized access.

Endpoint systems provide visibility where attacks happen. Windows Security logs show local authentication and process execution. Sysmon dramatically improves Windows visibility—process creation with command lines, network connections, file creation. EDR agents add even more detail.

Network security devices guard boundaries. Firewalls log allowed and blocked connections. Web proxies show HTTP traffic including URLs. DNS servers reveal domain lookups—critical for C2 detection.

Cloud platforms increasingly hold critical data. AWS CloudTrail, Azure Activity Logs, GCP Audit Logs, and Microsoft 365 Unified Audit Log provide cloud visibility equivalent to on-premises infrastructure.

Business applications contain your actual data. Database audit logs, ERP transactions, and custom application logs often provide context other sources lack.

Collection Methods

Agent-based collection installs software on source systems. The agent parses logs, applies initial filtering, and forwards to the SIEM. This approach is reliable and offers detailed parsing but requires deployment and management overhead.

Agentless collection relies on built-in capabilities. Syslog forwarding sends data to a collector. Windows Event Forwarding pushes logs to a central server. API polling retrieves logs from cloud services. This is easier to deploy but may miss data if sources go offline.

Log aggregators add a layer between sources and SIEM. A dedicated log collection tier—perhaps Logstash or Kafka—receives data first, then forwards to the SIEM. This adds resilience and processing flexibility.

Ensuring Collection Health

Monitor your monitoring. Collection health dashboards should show sources sending data versus expected sources, data volume trends by source type, collection latency, and parser failures. When investigation reveals gaps—events missing from expected timeframes, sources silent for hours—treat it as a priority issue.
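The health signals listed above, turned into a runnable check. This is an added example, not code from the lesson: it scores a constructed source inventory against constructed ingestion records and flags sources that are silent, below their volume baseline, producing parser failures, ingesting late, or absent from the inventory. Source names, baselines and thresholds are assumptions chosen for the sample.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # constructed "current time"
# Constructed source inventory: expected events per hour (scaled down for the sample).
EXPECTED_SOURCES = {"dc01": 6, "fw-edge": 6, "proxy01": 4, "cloudtrail": 2}

def _rec(src, minutes_ago, latency_s=5, ok=True):
    # One ingestion record: (source, event_time, ingest_time, parsed_ok)
    event_time = NOW - timedelta(minutes=minutes_ago)
    return (src, event_time, event_time + timedelta(seconds=latency_s), ok)

# Constructed ingestion records as the SIEM would see them.
SAMPLE_RECORDS = (
    [_rec("dc01", m) for m in range(0, 60, 10)]                 # healthy: 6 events/hour
    + [_rec("dc01", 3, ok=False)]                                 # one parser failure
    + [_rec("fw-edge", m) for m in (5, 50)]                      # volume drop: 2 of 6 expected
    + [_rec("proxy01", 150), _rec("proxy01", 200)]               # silent for 2.5 hours
    + [_rec("cloudtrail", m, latency_s=900) for m in (10, 40)]   # 15 min ingest latency
    + [_rec("rogue-host", 1)]                                     # not in the inventory
)

def collection_health(records, expected=EXPECTED_SOURCES, now=NOW,
                      silence=timedelta(hours=1), drop_ratio=0.5,
                      max_latency=timedelta(minutes=5)):
    """Return sorted (source, finding) pairs: silent, volume drop, parser failures, latency."""
    last_seen, counts, failures, latencies = {}, defaultdict(int), defaultdict(int), defaultdict(list)
    window_start = now - timedelta(hours=1)
    for src, event_time, ingest_time, ok in records:
        last_seen[src] = max(last_seen.get(src, event_time), event_time)
        counts[src] += event_time >= window_start      # volume seen in the last hour
        failures[src] += not ok
        latencies[src].append(ingest_time - event_time)
    findings = []
    for src, baseline in expected.items():
        if src not in last_seen:
            findings.append((src, "never_seen"))
            continue
        avg_latency = sum(latencies[src], timedelta()) / len(latencies[src])
        checks = [
            (now - last_seen[src] > silence, "silent"),
            (counts[src] < baseline * drop_ratio, "volume_drop"),
            (failures[src] > 0, "parser_failures"),
            (avg_latency > max_latency, "high_latency"),
        ]
        findings += [(src, label) for hit, label in checks if hit]
    findings += [(src, "unexpected_source") for src in last_seen if src not in expected]
    return sorted(findings)
```

A source that has gone silent also trips the volume check, which is intended: the silence finding tells you when it stopped, the volume finding tells you how far behind baseline the last hour is.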

Questions

  • Question 1 (Knowledge): How do you create detection rules? (5-character answer, exact match)
  • Question 2 (Hands-On): What is the term for threshold-based alerting? (9-character answer, exact match)
  • Question 3 (Knowledge): What is log correlation? (11-character answer, exact match)
  • Question 4 (Hands-On): What process joins related events in a SIEM? (11-character answer, exact match)

Answer all questions correctly to unlock the next lesson.