News and blog
NXLog main page
  • Products
    NXLog Platform
    Log collection
    Log management and analytics
    Log storage
    NXLog Agent
    NXLog Community Edition
    Integrations
    Professional Services
  • Solutions
    Use cases
    Specific OS support
    SCADA/ICS
    Windows event log
    DNS logging
    MacOS logging
    Open Telemetry
    Cost reduction
    Industries
    Financial Services
    Government & Education
    Entertainment & Gambling
    Telecommunications
    Medical & Healthcare
    Military & Defense
    Law Firms & Legal Counsel
    Industrial & Manufacturing
  • Pricing
    Licensing
    Plans
  • Partners
    Find a Reseller
    Partner Program
    Partner Portal
  • Resources
    Documentation
    Blog
    White papers
    Videos
    Webinars
    Case Studies
    Community Program
    Community Forum
  • About
    Company
    Careers
  • Support
    Support portals
    Contact us

NXLog Platform
Log collection
Log management and analytics
Log storage
NXLog Agent
NXLog Community Edition
Integrations
Professional Services

Use Cases
Specific OS support
SCADA/ICS
Windows event log
DNS logging
MacOS logging
Open Telemetry
Cost reduction
Solutions by industry
Financial Services
Government & Education
Entertainment & Gambling
Telecommunications
Medical & Healthcare
Military & Defense
Law Firms & Legal Counsel
Industrial & Manufacturing

Licensing
Plans

Find a Reseller
Partner Program
Partner Portal

Documentation
Blog
White papers
Videos
Webinars
Case Studies
Community Program
Community Forum

Company
Careers

Support portals
Contact us
Let's Talk
  • Start free
  • Interactive demo
Let's Talk
  • Start free
  • Interactive demo
NXLog search
  • Loading...
Let's Talk
  • Start free
  • Interactive demo
July 15, 2026 compliance

Why the SIEM is the wrong layer to solve compliance: a pipeline-first framework for financial services

By João Correia

Share
ALL ANNOUNCEMENT COMPARISON COMPLIANCE DEPLOYMENT SECURITY SIEM STRATEGY RSS

When an auditor sits down with your team, they don’t ask whether you have a SIEM. They ask you to prove something: show me every privileged access event on this system for the last twelve months, timestamped, complete, and unaltered. Compliance in financial services isn’t a posture; it’s an evidence problem. And the moment you treat your SIEM as the place where evidence lives, you’ve put your audit trail on the most expensive, most volatile, and least complete layer of your stack.

That’s a strong claim, so let’s make the case.

The SIEM was built to detect, not to retain

A SIEM is an analytics engine. It’s optimized for correlation, alerting, and investigation over a hot window of data. None of that is the same as retaining a complete, demonstrable record of everything that happened across your environment. The mismatch shows up in three predictable ways:

Gaps at the point of collection

If a log source isn’t onboarded (a legacy core banking system, a Windows host that the native agent doesn’t fully cover, an air-gapped node, an OT segment), then it simply isn’t in the SIEM. From an auditor’s perspective, "we didn’t collect it" and "the control failed" look identical.

Cost pressure that quietly creates gaps

Ingestion-priced platforms make completeness expensive. The standard response (sampling, dropping "low-value" sources, shortening retention) is both a reasonable cost decision and a compliance liability. You don’t find out which logs you need until the audit or an incident requests them.

Vendor change resets your evidence

When you switch or add a SIEM (and over a DORA- or PCI-DSS-length horizon, you will), re-instrumenting every source means your historical, audit-ready record is tied to a product you no longer run.

A pipeline-first framework

The fix is to stop asking the analytics layer to also serve as a system of record and to put a telemetry pipeline underneath it. The pipeline’s job is the unglamorous, durable work that compliance depends on:

  1. Collect everything at the source. Every host, every OS, every format, including the legacy and Windows-heavy systems that native SIEM agents struggle with.

  2. Normalize and timestamp on the way through, so an event is audit-ready the moment it’s captured, not after a downstream parser gets to it.

  3. Retain independently of the analytics tier: full-fidelity records in storage you control, at a cost that doesn’t punish completeness.

  4. Route anywhere. Send the slice your SIEM needs for detection, send the complete record to retention, and send a subset to a second tool. You decide, per source.

This is the difference between NXLog Platform and a SIEM: it’s a pipeline, not a SIEM. It sits in front of whatever analytics tools you run and owns the part that the auditor grades.

Why this travels across regions

Financial institutions rarely adhere to a single framework. A pipeline-first model is deliberately region-independent. DORA, NIS2, and PCI DSS in the EU, and SOX, GLBA, NYDFS, FFIEC, and SEC requirements in the US, are different checklists asking the same underlying question: can you produce a complete, tamper-evident, retained record on demand? Solve it once at the pipeline layer, and you’re answering all of them, instead of re-solving compliance every time a new framework lands.

This isn’t theoretical. A business division of one of the world’s top-tier automotive groups, operating across direct banking, financing, leasing, insurance, and payments, set out to meet exactly this spread of mandates (SEC, SOX, PCI, GLBA, plus national and corporate regulations) by replacing a log-collection tool it considered obsolete and hard to manage. The goal it set wasn’t "buy a better SIEM." It was to build a single vendor-agnostic pipeline that could integrate old and new systems alike and feed into whatever downstream tools the business chose. On that foundation, the business achieved compliance. NXLog runs in financial institutions across both regions on the same principle, from European banks like La Banque Postale and QNB Finansbank to one of the largest banks in the US.

The controls auditors keep asking about

A pipeline is also where several recurring audit requirements are cleanest to satisfy, at the collection and routing layer rather than bolted on after the fact.

File integrity monitoring (FIM) to prove critical files and records weren’t altered:

<Input fim>
    Module          im_fim
    File            '/etc/*'
    Recursive       TRUE
    ScanInterval    3600
</Input>

Personally identifiable information (PII) handling to redact sensitive fields before data leaves the source, so a card number isn’t written to a log a downstream tool retains:

<Input app_logs>
    Module    im_file
    File      '/var/log/app/*.log'
    Exec      $raw_event =~ s/\b\d{13,16}\b/[REDACTED-PAN]/g; (1)
</Input>
1 Redact anything that looks like a card number before the event leaves the host. Treat this as a sample of what can be done. You’ll want to test this regex extensively prior to rollout.

And role-based access control (RBAC) governs who can see and manage telemetry centrally rather than per tool.

The takeaway

Your SIEM choice should be free to change. Your compliance evidence shouldn’t move when the SIEM does. Put the pipeline first, and the audit trail becomes an architectural property of your estate rather than a feature of one vendor’s product.

NXLog Platform is an on-premises solution for centralized log management with
versatile processing forming the backbone of security monitoring.

With our industry-leading expertise in log collection and agent management, we comprehensively
address your security log-related tasks, including collection, parsing, processing, enrichment, storage, management, and analytics.

Start free Contact us
  • Financial services
  • Telemetry pipeline management
  • Telemetry auditing
Share

Facebook Twitter LinkedIn Reddit Mail
Related Posts

Where your SIEM ingestion bill comes from: a financial services cost breakdown
4 minutes | July 14, 2026
Watching the watchers: The need for telemetry system observability
5 minutes | October 29, 2025
Current challenges in log and telemetry data management
8 minutes | June 24, 2025

Stay connected:

Sign up

Keep up to date with our monthly digest of articles.

By clicking singing up, I agree to the use of my personal data in accordance with NXLog Privacy Policy.

Featured posts

Announcing NXLog Platform 1.13
June 9, 2026
Enterprise IIS log analysis software: top tools, use cases, and NXLog Agent integration
May 7, 2026
Announcing NXLog Platform 1.12
April 21, 2026
How to visualize telemetry data flow and volume with NXLog Platform
March 23, 2026
Security dashboards go dark: why visibility isn't optional, even when your defenses keep running
February 26, 2026
Building a practical OpenTelemetry pipeline with NXLog Platform
February 25, 2026
Announcing NXLog Platform 1.11
February 23, 2026
Adopting OpenTelemetry without changing your applications
February 10, 2026
Linux security monitoring with NXLog Platform: Extracting key events for better monitoring
January 9, 2026
2025 and NXLog - a recap
December 18, 2025
Announcing NXLog Platform 1.10
December 11, 2025
Announcing NXLog Platform 1.9
October 22, 2025
Gaining valuable host performance metrics with NXLog Platform
September 30, 2025
Security Event Logs: Importance, best practices, and management
July 22, 2025
Enhancing security with Microsoft's Expanded Cloud Logs
June 10, 2025

Categories

  • ANNOUNCEMENT
  • COMPARISON
  • COMPLIANCE
  • DEPLOYMENT
  • SECURITY
  • SIEM
  • STRATEGY
  • Products
  • NXLog Platform
  • NXLog Agent
  • NXLog Community Edition
  • Integration
  • Professional Services
  • Licensing
  • Plans
  • Resources
  • Documentation
  • Blog
  • White Papers
  • Videos
  • Webinars
  • Case Studies
  • Community Program
  • Community Forum
  • Compare NXLog Platform
  • Partners
  • Find a Reseller
  • Partner Program
  • Partner Portal
  • About NXLog
  • Company
  • Careers
  • Support Portals
  • Contact Us

Follow us

LinkedIn Facebook YouTube Reddit
logo

© Copyright NXLog Ltd.

Privacy Policy • General Terms of Business