Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

4.2.2. Log Aggregation and SIEM

Syslog: Standard protocol (RFC 5424; the older BSD format is RFC 3164) for sending log messages from network devices and hosts to a central collector for storage, search, and analysis. Each message starts with a priority value that encodes the facility (which subsystem produced it) and the severity (0 emergency through 7 debug). By default it travels over UDP port 514, which is unreliable and unauthenticated; use a TCP transport, or TLS (RFC 5425), so that messages are not silently lost or spoofed on the way to the collector.

SIEM (Security Information and Event Management): Collects, normalizes, and correlates logs from multiple sources (firewalls, servers, applications, identity providers, endpoint agents) to detect security events that no single source reveals on its own, for example a burst of failed logins followed by a successful one from the same address. Correlation depends on consistent timestamps and parseable formats, so synchronize clocks with NTP and define a parser for each source before writing rules. Provides:

  • Centralized log storage
  • Real-time correlation rules
  • Alert generation
  • Forensic investigation tools
  • Compliance reporting
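As an added example (not code from the original page), the Python program below parses RFC 5424 syslog lines and runs a SIEM-style correlation rule over them: it decodes the priority value into facility and severity, extracts the source address from OpenSSH authentication messages, and alerts when one address fails to log in five times within two minutes and again if that address then logs in successfully. The log lines, host names, addresses, threshold and window are all constructed for the example, and the legacy BSD-style line is included to show that a parser written for one format silently drops the other.

```python
"""Syslog parsing plus a SIEM-style correlation rule.

Added example, not code from the original page. The log lines below are
constructed to look like OpenSSH and cron messages wrapped in RFC 5424
framing; the threshold and window are illustrative rule parameters.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$"
)
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# OpenSSH authentication messages (the fields a SIEM would extract)
SSH_AUTH = re.compile(
    r"^(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

SAMPLE_LINES = [  # constructed; <38> = facility 4 (auth) * 8 + severity 6 (info)
    "<38>1 2026-03-01T10:00:00Z bastion sshd 2201 - - Failed password for admin from 203.0.113.5 port 50001 ssh2",
    "<38>1 2026-03-01T10:00:10Z bastion sshd 2201 - - Failed password for admin from 203.0.113.5 port 50002 ssh2",
    "<38>1 2026-03-01T10:00:15Z bastion sshd 2201 - - Failed password for invalid user test from 198.51.100.7 port 40001 ssh2",
    "<38>1 2026-03-01T10:00:20Z bastion sshd 2201 - - Failed password for admin from 203.0.113.5 port 50003 ssh2",
    "<78>1 2026-03-01T10:00:30Z bastion cron 900 - - (root) CMD (run-parts /etc/cron.hourly)",
    "<38>1 2026-03-01T10:00:30Z bastion sshd 2201 - - Failed password for admin from 203.0.113.5 port 50004 ssh2",
    # legacy BSD-style line as stored in a local log file: not RFC 5424, so it is not parsed below
    "Mar  1 10:00:31 bastion sshd[2201]: Failed password for admin from 203.0.113.5 port 50005 ssh2",
    "<38>1 2026-03-01T10:00:40Z bastion sshd 2201 - - Failed password for admin from 203.0.113.5 port 50006 ssh2",
    "<38>1 2026-03-01T10:01:00Z bastion sshd 2201 - - Accepted password for admin from 203.0.113.5 port 50007 ssh2",
]


def parse_syslog(line):
    """Return a dict of fields for an RFC 5424 line, or None if it does not match.

    A real collector needs a second parser for the legacy RFC 3164 layout.
    """
    m = RFC5424.match(line)
    if m is None:
        return None
    pri = int(m.group("pri"))          # PRI = facility * 8 + severity
    return {
        "facility": pri // 8,
        "severity": SEVERITY[pri % 8],
        "ts": datetime.fromisoformat(m.group("ts").replace("Z", "+00:00")),
        "host": m.group("host"),
        "app": m.group("app"),
        "msg": m.group("msg"),
    }


def correlate(lines, threshold=5, window=timedelta(minutes=2)):
    """Brute-force rule: alert on `threshold` failures from one source inside
    `window`, and again if that source then logs in successfully.

    Returns a list of (rule_name, source_ip, user, timestamp) tuples.
    """
    failures = defaultdict(list)       # source ip -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse_syslog(line)
        if ev is None or ev["app"] != "sshd":
            continue
        m = SSH_AUTH.match(ev["msg"])
        if m is None:
            continue
        ip, user, ts = m.group("ip"), m.group("user"), ev["ts"]
        # slide the window: forget failures older than `window`
        failures[ip] = [t for t in failures[ip] if ts - t <= window]
        if m.group("result") == "Failed":
            failures[ip].append(ts)
            if len(failures[ip]) == threshold:
                alerts.append(("brute_force_attempt", ip, user, ts))
        elif len(failures[ip]) >= threshold:
            alerts.append(("brute_force_success", ip, user, ts))
            failures.pop(ip)           # reset so one login does not re-alert
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LINES):
        print(alert)
```

Run as written it prints two alerts for 203.0.113.5, one when the fifth failure lands and one for the subsequent success. Raising the threshold to six produces nothing, because the BSD-style line never reaches the rule: a gap in parsing is a gap in detection, which is why normalizing every source comes before writing correlation logic.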

Packet Capture: Records actual network traffic, headers and payload, in a file format such as pcap or pcapng. Extremely detailed but storage-intensive: a fully utilized 1 Gbps link produces about 125 MB/s, roughly 10 TB per day, so captures are usually bounded by a time window, a capture filter, or a snapshot length that keeps only the first bytes of each packet (headers but no payload). Used for deep analysis and forensics, since it is the only source that shows exactly what crossed the wire; note that TLS-encrypted payloads stay opaque unless the session keys are available.
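To make the storage trade-off concrete, here is an added example (not code from the original page) that writes a two-packet libpcap file in memory, parses it back, and compares a full-content capture with one limited to a 54-byte snapshot length (Ethernet, IPv4 and TCP headers only). The frames, addresses (from the RFC 5737 documentation ranges), ports and HTTP payloads are constructed for the example, and the parser handles only native-byte-order pcap files with Ethernet link type.

```python
"""Minimal libpcap writer and parser.

Added example, not code from the original page. It builds a two-packet
capture in memory (addresses from the RFC 5737 documentation ranges, payloads
constructed), parses it back, and shows what a snapshot-length-limited
capture keeps versus a full-content one.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4            # native byte order, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETH_IPV4 = b"\x08\x00"


def ipv4_tcp_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet + IPv4 + TCP frame. Checksums are left at zero; the parser
    below does not verify them, a real stack would."""
    eth = bytes.fromhex("0a0000000002") + bytes.fromhex("0a0000000001") + ETH_IPV4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000,
                     64, 6, 0, bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


SAMPLE_PACKETS = [  # (ts_sec, ts_usec, frame); constructed HTTP request and reply
    (1772359200, 0, ipv4_tcp_frame("198.51.100.10", "203.0.113.20", 44321, 80,
                                   b"GET /login HTTP/1.1\r\nHost: example.test\r\n\r\n")),
    (1772359200, 1500, ipv4_tcp_frame("203.0.113.20", "198.51.100.10", 80, 44321,
                                      b"HTTP/1.1 200 OK\r\n\r\n")),
]


def build_pcap(packets, snaplen=65535):
    """Serialize frames into a libpcap file. Frames longer than `snaplen` are
    stored truncated, as tcpdump -s or Wireshark's snapshot length would."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, frame in packets:
        stored = frame[:snaplen]
        out += struct.pack("<IIII", ts_sec, ts_usec, len(stored), len(frame)) + stored
    return out


def parse_pcap(data):
    """Walk the record headers and decode Ethernet/IPv4/TCP fields from each frame."""
    magic, _vmaj, _vmin, _tz, _sig, _snaplen, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC:        # 0xD4C3B2A1 would be the byte-swapped variant
        raise ValueError("not a native-order libpcap file")
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled here")
    off, records = 24, []
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        rec = {"ts": ts_sec + ts_usec / 1e6, "captured": incl_len, "wire": orig_len,
               "truncated": incl_len < orig_len, "payload": b""}
        if len(frame) >= 34 and frame[12:14] == ETH_IPV4:
            ihl = (frame[14] & 0x0F) * 4
            rec["proto"] = frame[23]
            rec["src"] = ".".join(map(str, frame[26:30]))
            rec["dst"] = ".".join(map(str, frame[30:34]))
            l4 = 14 + ihl
            if rec["proto"] == 6 and len(frame) >= l4 + 20:
                rec["sport"], rec["dport"] = struct.unpack_from("!HH", frame, l4)
                doff = (frame[l4 + 12] >> 4) * 4
                rec["payload"] = frame[l4 + doff:]
        records.append(rec)
    return records


def capture_stats(records):
    """Bytes actually stored versus bytes that crossed the wire."""
    return sum(r["captured"] for r in records), sum(r["wire"] for r in records)


if __name__ == "__main__":
    full = parse_pcap(build_pcap(SAMPLE_PACKETS))
    headers_only = parse_pcap(build_pcap(SAMPLE_PACKETS, snaplen=54))   # 14 + 20 + 20
    print("full content:", capture_stats(full), full[0]["payload"][:20])
    print("headers only:", capture_stats(headers_only), headers_only[0]["payload"])
```

The header-only capture still tells you who talked to whom, on which ports and when, which is often enough for investigation; the full capture is what you need to recover the request line itself. The parser also records when a frame was truncated, which matters in forensics because a tool that ignores the captured-versus-wire length difference will misread a cut-off payload as a short one.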

Port Mirroring (SPAN): Configures a switch to copy frames from one or more source ports or VLANs to a destination port where a capture appliance or IDS sensor listens. The monitoring device is not inline, so it cannot drop or delay production traffic, but the copy is best effort: mirroring both directions of a busy 1 Gbps port onto a single 1 Gbps destination can oversubscribe it, and the switch then drops mirrored frames rather than production traffic, so the capture can be incomplete without any warning. A network TAP avoids that at the cost of an extra device in the path. RSPAN and ERSPAN extend mirroring across switches or over an IP network.

Written by Alvin Varughese, Founder (15 professional certifications)