The present application relates generally to an improved data processing apparatus and method and more specifically to mechanisms for reparsing unsuccessfully parsed event data in a security information and event management (SIEM) system.
In the field of computer security, security information and event management (SIEM) software products and services combine security information management (SIM) and security event management (SEM). A SIM system collects data into a central repository for trend analysis and provides automated reporting for compliance and centralized reporting. A SEM system centralizes the storage and interpretation of logs and allows near real-time analysis that enables security personnel to take defensive actions more quickly. By bringing these two functions together, SIEM systems provide quicker identification and analysis of, and recovery from, security events. SIEM systems also allow compliance managers to confirm that an organization's legal compliance requirements are fulfilled.
That is, a SIEM system collects logs and other security-related documentation for analysis. Most SIEM systems work by deploying multiple collection agents in a hierarchical manner to gather security-related events from networked log sources such as end-user devices, servers, network equipment, and even specialized security equipment such as firewalls, antivirus or intrusion prevention systems. The collectors forward events to a centralized management console, which performs inspections and flags anomalies.
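The following is an added illustration of the collection pipeline described above, written for this page and not taken from the application or any SIEM product. It models a collection agent with an ordered list of parsers that normalizes events from two log sources (an sshd host and a firewall), retains raw events that no registered parser understands instead of discarding them, and reparses those retained events when a parser for their format is later registered. The console-side inspection then correlates the recovered events with the ones that parsed on first pass. The log line formats, regex parsers, host names and IP addresses are constructed for the example.

```python
"""Toy SIEM collector: normalize events from several log sources, retain lines
that no registered parser understands, and reparse them once a matching
parser is registered.  All log lines, parsers and addresses are constructed."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Event:
    source: str
    raw: str
    fields: Optional[dict] = None   # None means "not yet parsed"


class Collector:
    """Collection agent holding an ordered list of (name, regex, normalizer)."""

    def __init__(self):
        self.parsers = []      # tried in registration order
        self.parsed = []       # events ready to forward to the console
        self.unparsed = []     # raw events kept for later reparsing

    def parse(self, raw):
        """Return normalized fields from the first matching parser, else None."""
        for name, rx, normalize in self.parsers:
            m = rx.match(raw)
            if m:
                return {"parser": name, **normalize(m.groupdict())}
        return None

    def ingest(self, source, raw):
        """Parse one raw line; lines that fail to parse are retained, not dropped."""
        ev = Event(source, raw, self.parse(raw))
        (self.parsed if ev.fields else self.unparsed).append(ev)
        return ev.fields is not None

    def add_parser(self, name, pattern, normalize: Callable[[dict], dict] = lambda f: f):
        """Register a parser, then retry every retained unparsed event."""
        self.parsers.append((name, re.compile(pattern), normalize))
        return self.reparse()

    def reparse(self):
        """Re-run parsing over retained events; returns how many now parse."""
        still_unparsed, recovered = [], 0
        for ev in self.unparsed:
            ev.fields = self.parse(ev.raw)
            if ev.fields:
                self.parsed.append(ev)
                recovered += 1
            else:
                still_unparsed.append(ev)
        self.unparsed = still_unparsed
        return recovered


def flag_anomalies(events, threshold=3):
    """Console-side inspection: source IPs with at least `threshold` failed
    logins or firewall denies, counted across every log source that parsed."""
    counts = Counter(ev.fields["src"] for ev in events
                     if ev.fields and ev.fields.get("action") in ("fail", "deny"))
    return sorted(ip for ip, n in counts.items() if n >= threshold)


# Constructed sample lines: sshd authentication results plus firewall denies.
SAMPLE_LINES = [
    ("host-a", "sshd[101]: Failed password for root from 203.0.113.5 port 4411 ssh2"),
    ("host-a", "sshd[102]: Failed password for admin from 203.0.113.5 port 4412 ssh2"),
    ("host-a", "sshd[103]: Accepted publickey for deploy from 198.51.100.9 port 5000 ssh2"),
    ("fw-1",   "FW: DENY src=203.0.113.5 dst=10.0.0.8 proto=tcp dport=3389"),
    ("fw-1",   "FW: DENY src=198.51.100.7 dst=10.0.0.8 proto=tcp dport=445"),
]

# Constructed parsers: each maps its own vocabulary onto a common "action" field.
SSHD_PATTERN = (r"sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for (?P<user>\S+) "
                r"from (?P<src>\d+\.\d+\.\d+\.\d+)")
FW_PATTERN = r"FW: (?P<verdict>DENY|ALLOW) src=(?P<src>\S+) dst=(?P<dst>\S+)"


def normalize_sshd(f):
    return {**f, "action": "fail" if f["result"] == "Failed" else "ok"}


def normalize_fw(f):
    return {**f, "action": f["verdict"].lower()}


def run_demo():
    """Ingest with only the sshd parser, then register the firewall parser and
    reparse.  Returns (parsed, unparsed) counts before and after, the number
    of recovered events, and the IPs the console flags afterwards."""
    c = Collector()
    c.add_parser("sshd", SSHD_PATTERN, normalize_sshd)
    for source, line in SAMPLE_LINES:
        c.ingest(source, line)
    before = (len(c.parsed), len(c.unparsed))                   # firewall lines retained
    recovered = c.add_parser("firewall", FW_PATTERN, normalize_fw)
    after = (len(c.parsed), len(c.unparsed))
    return before, recovered, after, flag_anomalies(c.parsed, threshold=3)


if __name__ == "__main__":
    print(run_demo())
```

Before the firewall parser exists, the two `FW:` lines sit in `unparsed` and the console sees only two failures from 203.0.113.5, below the threshold. Registering the parser triggers `reparse()`, the two retained lines are recovered, and the same source now reaches three correlated failures across both log sources. The design choice worth noting is that retention is keyed on the raw line, so nothing about the original event is lost while it waits for a parser.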