As you dig deeper into the topic of log collection and SIEM, you might
come across some IT terminology or acronyms you haven’t encountered before. In
this article, we are going to enumerate and explain the most commonly used IT
expressions in the fields of IT security and log collection, in order to
make your research easier.
1. Agent:
A computer program deployed on a device that performs a set of tasks according
to instructions set in the agent software, either from a template or from a
unique configuration file, defining how logs are collected on that device.
2. Agent-based log collection:
A mode of log collection in which an agent is installed on each device, which
then collects, parses and forwards logs to the log collection server. The agent
also converts the logs into the required format before forwarding.
3. Agent-less log collection:
A mode of log collection in which the source of the log events (a host, client,
device, etc.) forwards the logs directly to a remote log collection host
without using an agent. There are cases when agent-based log collection is not
feasible, usually due to technical, administrative, or compliance reasons.
4. Audit log:
A type of log that contains a non-repudiable record of IT system events. It
contains the information required from an auditing standpoint -
such as the destination, source address, and timestamp.
5. CEF (Common Event Format):
A text-based log format developed by ArcSight™ that contributes to
the interoperability of security information gathered from different security
and network applications or devices. CEF ensures that logs are in a
standardized format which makes analysis easier and faster.
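The following parser is an added example, not code from the page or from ArcSight. It shows what "standardized" means in practice for CEF: seven pipe-separated header fields (with `\|` and `\\` escapes) followed by a key=value extension block in which `\=` is escaped. The sample line, vendor and product names are constructed for illustration.

```python
import re

# Constructed sample CEF line (vendor, product and addresses are made up).
# The header uses the "\|" escape inside the Name field, and the extension
# uses the "\=" escape inside the msg value.
SAMPLE_CEF = (
    "CEF:0|ExampleVendor|ExampleFW|1.2|100|Policy\\|Deny|7|"
    "src=203.0.113.45 dst=10.0.0.8 spt=51515 dpt=22 proto=TCP "
    "msg=Connection blocked\\=policy deny act=block"
)

HEADER_FIELDS = ["version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity"]

# A key is a run of word characters followed by '=' at the start of the
# extension or after whitespace; "\=" inside a value is therefore never a key.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")


def _split_header(line):
    """Split the seven CEF header fields on unescaped '|' characters.

    Returns (header_fields, extension_text). '\\|' and '\\\\' escapes in the
    header are resolved here; the extension is returned untouched.
    """
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # escaped character: keep next char
            buf.append(line[i + 1])
            i += 2
            continue
        if ch == "|":                            # unescaped field separator
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header: expected 7 pipe-separated fields")
    return fields, line[i:]


def _parse_extension(ext):
    """Parse 'key=value key2=value ...' where values may contain spaces.

    Each value runs from its key up to the next key; '\\=' and '\\\\' in
    values are unescaped.
    """
    ext = ext.strip()
    result = {}
    matches = list(_KEY_RE.finditer(ext))
    for idx, m in enumerate(matches):
        start = m.end()
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        value = ext[start:end].strip()
        result[m.group(1)] = value.replace("\\=", "=").replace("\\\\", "\\")
    return result


def parse_cef(line):
    """Parse one CEF line into a dict of header fields plus an 'extension' dict."""
    header, ext = _split_header(line)
    if not header[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    event = dict(zip(HEADER_FIELDS, header))
    event["version"] = event["version"][len("CEF:"):]
    event["extension"] = _parse_extension(ext)
    return event


def is_high_severity(event, threshold=7):
    """CEF numeric severity runs 0-10; treat >= threshold as high."""
    return int(event["severity"]) >= threshold


if __name__ == "__main__":
    parsed = parse_cef(SAMPLE_CEF)
    print(parsed["name"], parsed["extension"]["msg"], is_high_severity(parsed))
```

The parser rejects lines with fewer than seven header separators rather than guessing, which is the safer behaviour when a SIEM ingests feeds from devices whose CEF output is only approximately compliant.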
6. CSV (Comma-separated values):
A data format which uses commas as a delimiter to separate data values.
It is mostly used to store numbers and text in plain text format.
7. Data sources:
Applications, devices, hosts, or systems within an enterprise infrastructure
that generate event and incident logs, which can be sent to a SIEM or Log
Management suite for processing and analysis.
8. DNS logging:
Capturing one or more types of events generated either by DNS servers or the
queries sent by DNS clients to a DNS server. Attackers use DNS for many
malicious activities, like data theft, DoS, or Command and Control attacks. DNS
monitoring is crucial to revealing the onset of such attacks so that they can
be thwarted before any damage is done.
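As an added example (not from the page or any vendor), the script below runs two simple detections over constructed DNS query log lines: labels that are long and high-entropy, which is one signature of data being encoded into query names, and a single client asking for many distinct subdomains of one parent domain. The log line layout, thresholds and the two-label "parent domain" heuristic are assumptions for illustration; a production detector would use a public suffix list and tune thresholds on real baseline traffic.

```python
import math
from collections import defaultdict

# Constructed sample query log: "<timestamp> <client> <qname> <qtype>".
SAMPLE_DNS_LOG = [
    "2024-05-01T10:00:00Z 10.0.0.5 www.example.com A",
    "2024-05-01T10:00:01Z 10.0.0.5 mail.example.com MX",
    "2024-05-01T10:00:02Z 10.0.0.7 a9f3c2e1b7d4.tunnel.example.net TXT",
    "2024-05-01T10:00:03Z 10.0.0.7 0c4e8b2f6a1d.tunnel.example.net TXT",
    "2024-05-01T10:00:04Z 10.0.0.7 7b1d9e3f5a2c.tunnel.example.net TXT",
    "2024-05-01T10:00:05Z 10.0.0.7 e2d4f6a8b0c1.tunnel.example.net TXT",
    "2024-05-01T10:00:06Z 10.0.0.7 3f5a7c9e1b2d.tunnel.example.net TXT",
    "2024-05-01T10:00:07Z 10.0.0.7 b8c0d2e4f6a1.tunnel.example.net TXT",
]


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Split one constructed log line into its four fields."""
    ts, client, qname, qtype = line.split()
    return {"ts": ts, "client": client, "qname": qname.rstrip(".").lower(), "qtype": qtype}


def parent_domain(qname, levels=2):
    """Assumed heuristic: the last two labels are the 'parent' domain."""
    return ".".join(qname.split(".")[-levels:])


def analyze(lines, unique_threshold=5, entropy_threshold=3.5, min_label_len=12):
    """Return a list of findings; each finding is a dict with a 'type' key."""
    findings = []
    subdomains = defaultdict(set)          # (client, parent) -> set of subdomains
    for line in lines:
        rec = parse_line(line)
        parent = parent_domain(rec["qname"])
        if rec["qname"] != parent:
            sub = rec["qname"][: -len(parent) - 1]
            subdomains[(rec["client"], parent)].add(sub)
        first_label = rec["qname"].split(".")[0]
        if len(first_label) >= min_label_len and shannon_entropy(first_label) >= entropy_threshold:
            findings.append({
                "type": "high_entropy_label",
                "client": rec["client"],
                "qname": rec["qname"],
                "qtype": rec["qtype"],
            })
    for (client, parent), subs in subdomains.items():
        if len(subs) >= unique_threshold:
            findings.append({
                "type": "many_unique_subdomains",
                "client": client,
                "parent": parent,
                "count": len(subs),
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_DNS_LOG):
        print(finding)
```

Both detections are deliberately cheap so they can run on every query; their output is a lead for an analyst, not a verdict, since CDNs and some anti-malware products legitimately generate high-entropy names.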
9. Endpoint security application:
An application that secures devices used by workers within an enterprise,
such as laptops or desktops, which can be possible points of entry for
malevolent attackers and exploiters. Logs generated by these applications
include anti-virus logs.
10. EPS (Events Per Second):
The standard unit of measurement for log processing rate: how many events an
application can process in one second. Most SIEM tools' pricing depends on
EPS capacity requirement.
11. ETW (Event Tracing for Windows):
A kernel-level mechanism in Microsoft Windows that enables the recording of
kernel or application-defined events with a high level of efficiency. It can
be used to trace the activities of attackers and write the results to log files.
12. Event Correlation:
The process of data analysis based on predetermined rules. It uses logs
collected from applications, hosts or other agents, then identifies
relationships based on a set of criteria.
13. GELF (Graylog Extended Log Format):
A JSON-based format popularized by Graylog. It contains structured log data so
that the fields are already available for analysis, which makes it a good
format for logging to Graylog2 or other GELF-compliant tools.
14. JSON (JavaScript Object Notation):
A common language-independent open standard file format and data interchange
format. It enables log data to be structured and standardized in
attribute-value pairs. The Unicode encoding makes this messaging format
15. Kernel log:
A set of detailed information that a device logs from boot time about hardware
drivers, kernel status, and other kernel events on the system.
16. KVP (Key-Value Pairs):
Also called "name-value pairs", this is what enables log messages to hold
structured data that is easily read and processed by humans and machines.
17. LEEF (Log Event Extended Format):
A log format used by IBM Security QRadar products. It describes an event using
key-value pairs, and provides a list of predefined event attributes. It has a
customized event format with UTF-8 character encoding.
18. Log centralization:
The process of collecting log data from multiple log sources and
sending them to a central and accessible log collection system, in order to
manage them in a transparent and unified interface.
19. Log normalization:
The process of grouping and formatting all log entries generated by different
devices or systems into a unified structure, which can be accepted by the SIEM
software for analysis.
20. Log parsing:
The process of extracting relevant data from the value field of a log. The
value field can be the raw message itself or another attribute.
21. MSSP (Managed Security Service Provider):
A third-party that provides security monitoring and management solutions for
clients, such as intrusion detection, vulnerability scanning or
22. Multi-line logs:
A type of log that uses multiple lines for storing each event record. A
typical example of this is a stack trace log, which starts with a timestamp
followed by an error message and finally the stack trace. These logs yield
highly important information for debugging and troubleshooting.
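The grouping logic below is an added example, not code from the page. It reassembles a multi-line stack trace of the kind described above into a single event: a line that begins with a timestamp opens a new record, and every following line that does not is treated as a continuation of the current one. The timestamp layout, the sample log text and the level field are constructed assumptions.

```python
import re

# Assumed line layout: "YYYY-MM-DD HH:MM:SS LEVEL message"; continuation lines
# (exception text, "    at ..." frames) carry no timestamp.
_HEAD_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+) ?(.*)$")

# Constructed sample log, not taken from any real system.
SAMPLE_LOG = """2024-05-01 10:00:01 INFO Service started
2024-05-01 10:00:05 ERROR Request failed
java.lang.NullPointerException: value is null
    at com.example.Handler.process(Handler.java:42)
    at com.example.Server.run(Server.java:88)
2024-05-01 10:00:06 INFO Retrying request
"""


def group_multiline(lines):
    """Group physical lines into logical events.

    A line matching _HEAD_RE starts a new event; any other non-empty line is
    appended to the event currently being built. Continuation lines that
    arrive before any header go into an 'orphan' event (timestamp None) so
    that nothing is silently discarded.
    """
    events, current = [], None
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        m = _HEAD_RE.match(line)
        if m:
            if current is not None:
                events.append(current)
            current = {"timestamp": m.group(1), "level": m.group(2),
                       "lines": [line]}
        else:
            if current is None:
                current = {"timestamp": None, "level": None, "lines": []}
            current["lines"].append(line)
    if current is not None:
        events.append(current)
    return events


def parse_events(text):
    """Parse a whole log text and add the joined message and a multi-line flag."""
    events = group_multiline(text.splitlines(keepends=True))
    for ev in events:
        ev["message"] = "\n".join(ev["lines"])
        ev["is_multiline"] = len(ev["lines"]) > 1
    return events


if __name__ == "__main__":
    for ev in parse_events(SAMPLE_LOG):
        print(ev["timestamp"], ev["level"], len(ev["lines"]), "line(s)")
```

Without this step a line-oriented collector would forward each frame of the trace as its own event, and the SIEM would lose the association between the error message and the code path that produced it.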
23. NetFlow data:
Data collected by NetFlow, a Cisco network protocol designed to log and monitor
IP traffic. Using NetFlow data, one can analyze the source, destination, and
volume of IP traffic.
24. Open Source:
Software which has its source code open to the public, so that developers can
modify and adapt it to their specific needs. Moreover, the distribution of
the entire software package or any of its components is not restricted by any
25. SCCM (System Center Configuration Manager):
A suite available on Windows systems that enables administrators to remotely
manage applications on a large number of Windows-based computers. This is
especially useful in an enterprise environment for deploying upgrades or new
software to Windows workstations and servers.
26. SEM (Security Event Management):
A computer security discipline with the purpose of storing and interpreting
events and logs on a network. It uses real-time monitoring and event
correlation to inspect all recorded data.
27. SIM (Security Information Management):
A computer security discipline that aims to collect log files into a
centralized repository for long-term analysis.
28. SIEM (Security Information and Event Management):
IT security solutions that analyze security logs arriving from endpoint data
sources. They generate alerts for SOC teams about potential issues, and can
generate security reports for compliance purposes.
29. SNMP (Simple Network Management Protocol):
An Internet Standard Protocol that is used for network monitoring. It is
commonly used to collect and organize security logs and events arriving from
managed devices on IP networks. It can also be used to modify information in
order to alter device behavior.
30. SOC (Security Operations Center):
A facility where IT security teams work, whose responsibility is to monitor and
analyze an enterprise’s security 24/7. Their job is to detect, measure and
solve security incidents.
31. Structured logging:
The act of structuring unstructured data to facilitate analysis and log
parsing. Commonly used formats are JSON, CSV, XML, or KVP, among others.
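The script below is an added example, not code from the page or any product. It serves the KVP, log parsing, log normalization and structured logging entries together: it parses key=value lines from two fictional devices that name the same facts differently, maps them onto one unified field set, and emits the result as JSON. The sample lines, the field map and the unified schema are all constructed assumptions.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample lines from two fictional devices that disagree on field
# names and timestamp formats.
SAMPLES = [
    'ts=2024-05-01T10:00:01Z device=fw-1 src=203.0.113.45 dst=10.0.0.8 '
    'action=deny msg="port scan detected"',
    'time=1714557602 host=proxy-2 client_ip=198.51.100.7 server_ip=10.0.0.9 '
    'result=allow reason="policy match"',
]

# key=value where the value is either a double-quoted string (with \" escapes)
# or a run of non-whitespace characters.
_KV_RE = re.compile(r'([A-Za-z0-9_.]+)=("(?:[^"\\]|\\.)*"|\S*)')

# Assumed mapping from each device's field names onto the unified schema.
FIELD_MAP = {
    "ts": "timestamp", "time": "timestamp",
    "device": "host", "host": "host",
    "src": "source_ip", "client_ip": "source_ip",
    "dst": "destination_ip", "server_ip": "destination_ip",
    "action": "outcome", "result": "outcome",
    "msg": "message", "reason": "message",
}

# Assumed vocabulary for the unified 'outcome' field.
OUTCOME_MAP = {"deny": "block", "block": "block", "allow": "allow", "permit": "allow"}


def parse_kvp(line):
    """Parse a key=value line into a dict, removing quotes from quoted values."""
    out = {}
    for key, value in _KV_RE.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')
        out[key] = value
    return out


def normalize(record):
    """Map a parsed record onto the unified schema.

    Unknown keys are preserved under 'extra' so that normalization never
    drops data; epoch timestamps are converted to ISO 8601 UTC.
    """
    unified = {}
    for key, value in record.items():
        target = FIELD_MAP.get(key)
        if target is None:
            unified.setdefault("extra", {})[key] = value
        else:
            unified[target] = value
    ts = unified.get("timestamp", "")
    if ts.isdigit():
        unified["timestamp"] = datetime.fromtimestamp(
            int(ts), tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    if "outcome" in unified:
        raw = unified["outcome"].lower()
        unified["outcome"] = OUTCOME_MAP.get(raw, raw)
    return unified


def to_json(line):
    """Full pipeline for one line: parse, normalize, serialize as structured JSON."""
    return json.dumps(normalize(parse_kvp(line)), sort_keys=True)


if __name__ == "__main__":
    for sample in SAMPLES:
        print(to_json(sample))
```

Keeping unmapped keys under `extra` is the practical safeguard: a new device firmware that adds a field should enrich the event rather than silently disappear from the SIEM.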
32. Syslog:
An IT standard for message and event logging. It can be used by any
application or device to report on its status, incidents, and diagnostics to a
logging server. It is commonly used by network equipment, like routers,
switches, and Unix systems.
33. TCP (Transmission Control Protocol):
An Internet Protocol that computers use to communicate with each other. It
provides reliable, ordered, and error-checked delivery of a stream of octets
(bytes) between applications.
35. UEBA (User and Entity Behavior Analytics):
A cybersecurity practice that utilizes event logs to learn from the behavior of
users or networks to create models based on them. Using these models, it is
easier to recognize malicious activity or signs of a cyberattack.
36. UDP (User Datagram Protocol):
An Internet Protocol used by computers to send messages and data to
each other. It does not establish a formal connection before sending data, and
is therefore not reliable and packets may be lost.
37. Vendor-neutral:
A design approach that does not allow a single vendor to control or dictate the
specifications, definitions, or distribution of a given technology. Being
vendor-neutral equates to broad compatibility and interchangeability of tools
and technologies. Vendor-neutrality enables easier integration and seamless
processes that are important when integrating log collection across different
38. W3C Extended Log File Format:
An ASCII log format that permits customized log fields, allowing one to
include only the relevant fields and omit unwanted ones. The format is
readable by generic analysis tools.
39. WEC (Windows Event Collector):
An agent-less solution to collect events from Windows computers.
In this process, a Windows server acts as the "collector" and the other
computers send the required events to it.
40. WEF (Windows Event Forwarding):
A native Windows service that provides event forwarding capabilities. It reads
the operational and administrative Windows Event Logs generated by a
chosen device and forwards the necessary logs to a WEC (Windows Event
41. Windows Event ID:
Information about each event is stored in the Windows Event Log as an event
log record. A sequence of numbers, called the RecordNumber, refers to this
type of event, known as the Event ID. These IDs are unique per source but are
not globally unique. The same ID may be used by different sources to identify
42. WMI (Windows Management Instrumentation):
An operating system interface through which security components provide
notifications. It provides an infrastructure for managing
remote systems and supplying management data. WMI event logs can be collected
via the Windows Event Log or ETW.
Now that you are aware of the most commonly used terms when talking about log
collection, log analysis, and IT security, you can continue your research and
delve deeper into these topics. We hope this glossary will eventually help you
find solutions and answers to your security log management issues and