A security event manager (SEM) is a computerized tool used on enterprise data networks to centralize the storage and interpretation of logs, or events, generated by other software running on the network.
SEMs are a relatively new idea, pioneered in 1999 by a small company called e-Security, and in late 2005 are still evolving rapidly. Just a year or two ago they were called security information managers (SIMs) and are also called security information and event managers (SIEMs). SEMs can help satisfy U.S. regulatory requirements such as those of Sarbanes-Oxley, which require (among other things) that certain events, such as accesses to systems and modifications to data, be logged and that the logs be kept for a specified period of time. Many systems and applications which run on a computer network generate events which are kept in event logs. These logs are essentially lists of events, with records of new events being appended to the end of the logs as they occur. Well-defined protocols, such as Syslog and SNMP, can be used to transport these events, as they occur, to logging software that is not on the same host on which the events are generated.
It is beneficial to send all events to a centralized SEM system for the following reasons:
- Access to all logs can be provided through a consistent central interface
- The SEM can provide secure, forensically sound storage and archival of event logs
- Powerful reporting tools can be run on the SEM to mine the logs for useful information
- Events can be parsed as they hit the SEM for significance, and alerts and notifications can be immediately sent out to interested parties as warranted
- Related events which occur on multiple systems can be detected which would be impossible to detect if each system had a separate log
- Events which are sent from a system to a SEM remain on the SEM even if the sending system fails or the logs on it are accidentally or intentionally erased