Log collection, or aggregation, is the heart and soul of a SIEM solution. A SIEM should not be confused with syslog data, which is simply the raw log generated by devices; someone still has to read that log to find the root cause of an alert. The idea is not only to collect log data but to build meaningful context from it. SIEM platforms collect event logs from thousands of sensors installed on various devices, and these events provide the activity data required to analyze the security of our IT environment. To get a 360-degree view, we need to consolidate what we collect onto a single platform so that patterns can be found. Aggregation is the process of transforming data arriving from different types of sources into a common repository and a meaningful, standard format.
For example, Event ID 10509 has resulted in a login failure, and the logs are coming into the SIEM solution. It is then very easy to read this event, or to correlate it with an attack or an incident:
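The aggregation step described above, as an added example (not code from the original text): two different raw log formats are normalized into one common schema, and login failures are then counted per source IP across both sources, which is the context a single device log cannot give. The sample lines are constructed, and treating Event ID 10509 as a login failure follows the text's example rather than any vendor's documentation.

```python
"""Added example: normalize heterogeneous log lines into one schema and correlate."""
import re
from collections import Counter

# Constructed sample input (not real logs): syslog-style SSH lines and
# Windows-style key=value event lines. Event ID 10509 is the login-failure
# ID used in the text above; mapping it to "failure" is this example's assumption.
SAMPLE_LOGS = [
    "Mar 10 12:00:01 host1 sshd[2211]: Failed password for root from 203.0.113.5 port 5022 ssh2",
    "EventID=10509 Computer=WIN-FS01 Account=jdoe SourceIP=203.0.113.5 Status=FAILURE",
    "Mar 10 12:00:03 host1 sshd[2211]: Failed password for admin from 203.0.113.5 port 5023 ssh2",
    "EventID=10509 Computer=WIN-FS01 Account=alice SourceIP=198.51.100.7 Status=FAILURE",
    "Mar 10 12:00:05 host1 sshd[2211]: Accepted password for bob from 198.51.100.7 port 5024 ssh2",
]

SYSLOG_RE = re.compile(
    r"^\S+ \d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def normalize(line):
    """Map one raw line onto the common schema; return None if the format is unknown."""
    m = SYSLOG_RE.match(line)
    if m:
        return {"source": "syslog", "host": m["host"], "user": m["user"],
                "src_ip": m["src"],
                "outcome": "failure" if m["result"] == "Failed" else "success"}
    kv = dict(KV_RE.findall(line))
    if kv.get("EventID") == "10509":  # login failure, per the text's example ID
        return {"source": "windows", "host": kv["Computer"], "user": kv["Account"],
                "src_ip": kv["SourceIP"], "outcome": "failure"}
    return None


def failures_by_source(lines, threshold=3):
    """Count normalized login failures per source IP across all log sources and
    return only the IPs that reach the threshold: the pattern no single log shows."""
    events = (normalize(line) for line in lines)
    counts = Counter(e["src_ip"] for e in events if e and e["outcome"] == "failure")
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(failures_by_source(SAMPLE_LOGS))  # {'203.0.113.5': 3}
```

Unrecognized lines are dropped rather than guessed at, so a parser gap shows up as missing events instead of as a false alert.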