Security Information and Event Management (SIEM)

A security information and event management (SIEM) system is a software solution that attempts to solve several of the issues discussed in the previous section. It is designed to centralize the storage of log files from a wide variety of applications and devices and to normalize them into a common format. Most include real-time analysis and notification features that alert systems administrators immediately if the SIEM recognizes an attack in progress.

SIEMs also simplify the task of manually analyzing log files because they provide a consistent interface and the ability to cross-reference logs from a variety of devices, such as a firewall, router, web server, and an intrusion detection system.

Integrating a SIEM with applications is more difficult because there is no standard auditing policy across applications. Even if applications developed in-house follow a strict auditing and logging policy, third-party applications may not. The SIEM cannot analyze logs that were never created. An application without an audit trail, or with logs that are never monitored, is an obvious target for an attacker.

Consider the case of a pharmaceutical company running a Windows web farm. The servers generated a large amount of data every day, far too much for systems administrators to analyze manually. For years, those logs had simply been rotated and overwritten. The company decided to implement a web-based email system and realized it needed to pay more attention to security on its web servers. Personnel implemented a SIEM solution and quickly discovered that probe attacks against their web servers were being launched from a foreign university every 15 minutes. Without the SIEM, the pharmaceutical company would not have realized it was under scrutiny until it was too late to prevent an attack.
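The three capabilities described above (normalizing differently formatted logs into one schema, cross-referencing devices by source address, and noticing a probe that recurs on a fixed schedule) can be shown in one small script. The following is an added illustration, not code from the original text or from any SIEM product. The three log formats (a firewall, an IIS-style web server, and a Snort-style IDS alert) are simplified and constructed for the example, the addresses are RFC 5737 documentation addresses, and the year assumed for the IDS alert (which carries none) is an assumption of the example; the final, unparseable line stands in for a third-party application whose logs the SIEM cannot analyze.

```python
"""Toy SIEM core: normalize, cross-reference by source IP, and flag periodic probes.

Added example; the log formats and sample lines below are constructed.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

ASSUMED_YEAR = 2024  # assumption: the Snort-style alert format carries no year

# Simplified, constructed formats; the field order is an assumption of this example.
FW_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z \S+ (?P<action>DENY|ALLOW) "
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
WEB_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<dst>[\d.]+) "
    r"(?P<method>[A-Z]+) (?P<uri>\S+) \d+ (?P<src>[\d.]+) (?P<status>\d{3})$"
)
IDS_RE = re.compile(
    r"^(?P<md>\d{2}/\d{2})-(?P<time>\d{2}:\d{2}:\d{2})\.\d+ \[\*\*\] \[[\d:]+\] "
    r"(?P<msg>.+?) \[\*\*\] .*?\{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+$"
)

# Constructed sample logs (RFC 5737 addresses); 203.0.113.5 plays the probing host.
SAMPLE_LOGS = [
    "2024-03-01T10:00:00Z fw1 DENY TCP 203.0.113.5:51234 -> 198.51.100.10:22",
    "2024-03-01 10:00:02 198.51.100.10 GET /admin 80 203.0.113.5 404",
    "03/01-10:00:03.118242 [**] [1:1000001:1] WEB-MISC /admin probe [**] "
    "[Priority: 2] {TCP} 203.0.113.5:51240 -> 198.51.100.10:80",
    "2024-03-01 10:05:10 198.51.100.10 GET /index.html 80 192.0.2.44 200",
    "2024-03-01 10:15:01 198.51.100.10 GET /phpmyadmin/ 80 203.0.113.5 404",
    "2024-03-01 10:20:17 198.51.100.10 GET /products 80 192.0.2.44 200",
    "2024-03-01 10:21:40 198.51.100.10 GET /cart 80 192.0.2.44 200",
    "2024-03-01 10:30:02 198.51.100.10 GET /cgi-bin/ 80 203.0.113.5 404",
    "2024-03-01 10:45:00 198.51.100.10 GET /wp-login.php 80 203.0.113.5 404",
    "2024-03-01 11:00:03 198.51.100.10 GET /.env 80 203.0.113.5 404",
    "AppServer: session started for user jdoe",  # third-party app, no parser for it
]


def normalize(line):
    """Map one raw line to the common schema, or None if no parser matches."""
    m = FW_RE.match(line)
    if m:
        return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"), "device": "firewall",
                "src": m["src"], "dst": m["dst"], "detail": f"{m['action']} {m['proto']}/{m['dport']}"}
    m = WEB_RE.match(line)
    if m:
        return {"ts": datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S"),
                "device": "web", "src": m["src"], "dst": m["dst"],
                "detail": f"{m['method']} {m['uri']} {m['status']}"}
    m = IDS_RE.match(line)
    if m:
        return {"ts": datetime.strptime(f"{ASSUMED_YEAR}/{m['md']} {m['time']}", "%Y/%m/%d %H:%M:%S"),
                "device": "ids", "src": m["src"], "dst": m["dst"], "detail": m["msg"]}
    return None


def normalize_all(lines):
    """Return (events sorted by time, unparsed lines). Unparsed lines are a blind spot."""
    events, unparsed = [], []
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"]), unparsed


def sources_seen_on_multiple_devices(events):
    """Cross-reference: source IPs that appear in more than one device's log."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["src"]].add(ev["device"])
    return {ip: sorted(devs) for ip, devs in seen.items() if len(devs) > 1}


def periodic_probe(events, src, burst_gap_s=60, tolerance_s=60, min_bursts=3):
    """Collapse one source's events into bursts (a single probe may hit the firewall,
    web server and IDS within seconds), then return the median spacing between bursts
    in seconds if that spacing is stable, else None."""
    times = sorted(ev["ts"] for ev in events if ev["src"] == src)
    bursts, last = [], None
    for t in times:
        if last is None or (t - last).total_seconds() > burst_gap_s:
            bursts.append(t)
        last = t
    if len(bursts) < min_bursts:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(bursts, bursts[1:])]
    period = statistics.median(gaps)
    if max(abs(g - period) for g in gaps) > tolerance_s:
        return None
    return period


def run(lines=SAMPLE_LOGS):
    events, unparsed = normalize_all(lines)
    return {
        "events": len(events),
        "unparsed": unparsed,
        "cross_device": sources_seen_on_multiple_devices(events),
        "probe_period_s": periodic_probe(events, "203.0.113.5"),
        "benign_period_s": periodic_probe(events, "192.0.2.44"),
    }


if __name__ == "__main__":
    for key, value in run().items():
        print(f"{key}: {value}")
```

On the sample data the probing host is the only source seen by all three devices, its bursts land about 901 seconds apart (the 15-minute cadence from the case above), the ordinary visitor's irregular requests are not flagged, and the application-server line is reported as unparsed rather than silently dropped, which is the gap a real deployment has to close by adding a parser or fixing the application's logging.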
