
Sheriff CSM™

Log Collection and Normalization in Sheriff CSM

The Sheriff CSM plugins process data collected from different data sources, parse and normalize the data, and save that data as standard format events in the SIEM database. Users can then view and analyze these events in the Sheriff CSM web UI.

Plugins define:

  • How to collect information from an application or device
  • How to normalize the collected information before sending data, in the form of standard format events, to the Sheriff CSM Server

A plugin is a software component that provides logic specific to extracting data collected from external applications and devices. Plugins are enabled in Sheriff CSM Sensors (Deputies), which receive data from remote hosts using the following sources or protocols:
  • Syslog
  • Windows Management Instrumentation (WMI)
  • Security Device Event Exchange (SDEE)
  • Database
  • Other protocols

Any system that processes logs requires a parser to read them, and to extract and convert their data into standard event fields. The following illustration shows the way in which a Sheriff CSM Sensor collects syslog messages from different devices, where enabled plugins can then process and normalize the event data contained in specific log files.

Figure: Sheriff CSM log collection diagram (a Sensor collecting syslog from multiple devices, with syslog plugins enabled)

During data normalization, a plugin evaluates information from each line of a log file and translates it to an event that identifies the event's type and subtype within the Sheriff CSM taxonomy. (See Sheriff CSM Event Taxonomy.) Normalization also converts portions of each log line into common data fields such as user, date and time, and source or destination IP address.

Figure: Log normalization process

Normalizing information into standard event data fields lets Sheriff CSM display information uniformly and also correlate events from various individual systems to generate alarms.
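As an added illustration (not Sheriff CSM's own plugin code or plugin file syntax), the following Python sketch shows the normalization step described above: a syslog line is split into header and message, a hypothetical per-plugin rule set assigns a taxonomy type and subtype and extracts the common fields (user, timestamp, source and destination IP), and lines that no rule recognizes are reported as unparsed rather than silently dropped. The rule format, taxonomy names and sample log lines are all constructed for this example.

```python
import re
from datetime import datetime
from typing import Optional

# Constructed sample syslog lines (not from any real device or from the page).
SAMPLE_LOGS = [
    "Mar  3 10:15:02 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=22",
    "Mar  3 10:15:09 bastion sshd[2231]: Failed password for alice from 203.0.113.7 port 51522 ssh2",
    "Mar  3 10:15:11 bastion sshd[2231]: Accepted publickey for bob from 198.51.100.23 port 40112 ssh2",
    "Mar  3 10:16:00 app01 myapp: heartbeat ok",
]

# Classic BSD syslog header: timestamp, hostname, then the free-form message.
SYSLOG_HEADER = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")

# Hypothetical plugin rules: each maps a message regex to a taxonomy (type, subtype)
# and names the common fields it extracts. This is illustrative, not Sheriff CSM's syntax.
RULES = [
    ("sshd", re.compile(r"sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src_ip>\S+)"),
     ("authentication", "login_failed")),
    ("sshd", re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src_ip>\S+)"),
     ("authentication", "login_success")),
    ("netfilter", re.compile(r"kernel: DROP .*SRC=(?P<src_ip>\S+) DST=(?P<dst_ip>\S+)"),
     ("firewall", "deny")),
]

def normalize(line: str, year: int = 2022) -> Optional[dict]:
    """Return a normalized event dict for one syslog line, or None if no rule matches."""
    header = SYSLOG_HEADER.match(line)
    if not header:
        return None
    for plugin, pattern, (etype, subtype) in RULES:
        m = pattern.search(header.group("msg"))
        if not m:
            continue
        # BSD syslog timestamps carry no year, so the collector has to supply one.
        ts = datetime.strptime(f"{year} {header.group('ts')}", "%Y %b %d %H:%M:%S")
        event = {"plugin": plugin, "type": etype, "subtype": subtype,
                 "timestamp": ts.isoformat(), "device": header.group("host"),
                 "user": None, "src_ip": None, "dst_ip": None}
        event.update(m.groupdict())  # fill only the fields this rule captured
        return event
    return None

def normalize_all(lines):
    """Split a batch of lines into normalized events and unparsed leftovers."""
    events, unparsed = [], []
    for line in lines:
        ev = normalize(line)
        (unparsed if ev is None else events).append(line if ev is None else ev)
    return events, unparsed
```

Tracking the unparsed list matters operationally: a device whose lines stop matching after a firmware update otherwise disappears from the SIEM without any error.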

Topic revision: 09 Jun 2022, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.