Log Aggregation
What is Log Aggregation?
Log AggregationThe collection, normalization, and centralized storage of event logs from many systems into a single platform for search, analysis, and retention.
Log aggregation is the practice of shipping logs from servers, endpoints, cloud services, network devices, and applications into a central repository such as a SIEM or log lake. Agents or syslog forwarders gather raw events, normalize them into a common schema, enrich them with metadata, and write them to indexed storage so analysts can query across the whole estate. Aggregation is the foundation for detection, threat hunting, incident response, and compliance retention. Operational concerns include time synchronization, source coverage, parsing accuracy, storage cost, and protecting log integrity so attackers cannot tamper with evidence.
● Examples
- 01
Forwarding Linux auditd, Windows Event Log, and AWS CloudTrail into a single SIEM index.
- 02
Using a syslog relay to ship firewall logs to a cold-storage bucket for one-year retention.
● Frequently asked questions
What is Log Aggregation?
The collection, normalization, and centralized storage of event logs from many systems into a single platform for search, analysis, and retention. It belongs to the Defense & Operations category of cybersecurity.
What does Log Aggregation mean?
The collection, normalization, and centralized storage of event logs from many systems into a single platform for search, analysis, and retention.
How does Log Aggregation work?
Log aggregation is the practice of shipping logs from servers, endpoints, cloud services, network devices, and applications into a central repository such as a SIEM or log lake. Agents or syslog forwarders gather raw events, normalize them into a common schema, enrich them with metadata, and write them to indexed storage so analysts can query across the whole estate. Aggregation is the foundation for detection, threat hunting, incident response, and compliance retention. Operational concerns include time synchronization, source coverage, parsing accuracy, storage cost, and protecting log integrity so attackers cannot tamper with evidence.
How do you defend against Log Aggregation?
Defences for Log Aggregation typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Log Aggregation?
Common alternative names include: Centralized logging, Log collection.
● Related terms
- defense-ops№ 1039
SIEM
A platform that aggregates, normalizes and correlates security telemetry from across the enterprise to enable detection, investigation, compliance and reporting.
- forensics-ir№ 627
Log Analysis
The systematic review of system, application, and security logs to detect, investigate, and reconstruct security-relevant events.
- defense-ops№ 628
Log Correlation
Joining events from multiple log sources by shared fields, time windows, or sequence to reveal multi-stage activity that individual logs cannot show.
- defense-ops№ 416
File Integrity Monitoring (FIM)
A security control that detects unexpected changes to critical operating-system, application, and configuration files by comparing them to a known-good cryptographic baseline.
- forensics-ir№ 524
Incident Response
The organised process of preparing for, detecting, analysing, containing, eradicating, and recovering from cyber security incidents, then capturing lessons learned.