ABSTRACT

Thus far, we have built a highly scalable, distributed, heterogeneous log consolidation and correlation architecture, based on a commercial off-the-shelf (COTS) product with a strong and flexible rules engine. Examples of how to apply these rules were demonstrated in Chapter 5. In this section we dig deeper into the reporting aspect of a log consolidation, Security Incident Manager (SIM) and Security Event Manager (SEM) infrastructure. We also look at the benefits of focusing on event reporting, and differentiate “alerting” from active logging and security event reporting. The combination of these features makes up the overall management aspect of SIM/SEM and SAM (Security Alert Manager).