SIEM and Log Management: A Practical Start for SMEs

Summary: SIEM collects firewall, AD, and endpoint logs in one panel and alerts on anomalies via correlation rules. Open-source tools like Wazuh fit SME budgets; the right deployment starts with the most important sources (AD, email, firewall).
Security incidents often announce themselves not with loud noise but with small anomalies in the logs. SIEM (Security Information and Event Management) solutions collect logs from firewalls, servers, endpoints, and cloud services into one center; they detect anomalous behavior with predefined rules. Even a lightweight SIEM deployment at SME scale significantly improves visibility.
Why Does SIEM Matter?
When log data is scattered, a security incident can go unnoticed for months. Common SME gaps:
- Firewall logs never reviewed
- Failed login attempts ignored
- Anomalous behavior on one device not checked across others
- Short log retention (hours instead of days)
- No records found during audits or after incidents
- Time stamps across devices not synchronized
- Log analysis attempted manually
SIEM centralizes this sprawl.
Core SIEM Functions
Collection and Normalization
Firewall (Syslog), Windows (Event Log), Microsoft 365, cloud services, and application logs are converted to a single format.
Rule-Based Alerts
Rules like "10 failed logins in 5 minutes," "admin account signed in from an off-office IP," or "a user downloaded 500 files in a single hour" produce alerts.
Correlation
Combines events from different sources. A chain of failed login + successful login + file access is flagged as suspicious activity.
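As an added illustration (not code from the original article or from any SIEM product), here is a small Python detector that applies the "10 failed logins in 5 minutes" rule and the failed-login, then successful-login, then file-access chain described above to a handful of constructed sample events; the event format, user names and timestamps are made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample events (not real logs), normalized to "<ISO-8601 UTC ts> <source> <event> user=<name>".
SAMPLE_LOGS = [f"2024-05-06T01:00:{s:02d}Z ad LOGIN_FAILED user=admin"
               for s in range(0, 50, 5)] + [        # ten failures in 45 seconds
    "2024-05-06T01:03:40Z ad LOGIN_SUCCESS user=admin",
    "2024-05-06T01:04:10Z fileserver FILE_ACCESS user=admin",
    "2024-05-06T01:30:00Z ad LOGIN_FAILED user=alice",   # one typo, then a normal login:
    "2024-05-06T01:31:00Z ad LOGIN_SUCCESS user=alice",  # no file access, so no chain alert
]
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) user=(\S+)$")

def parse(lines):
    # Turn raw lines into event dicts; unparsable lines are dropped, not guessed.
    events = [{"ts": datetime.fromisoformat(m[1].replace("Z", "+00:00")),
               "source": m[2], "event": m[3], "user": m[4]}
              for m in map(LINE_RE.match, lines) if m]
    # Sorting by time only means something if every source shares a clock (NTP).
    return sorted(events, key=lambda e: e["ts"])

def threshold_alerts(events, n=10, window=timedelta(minutes=5)):
    """Rule: n LOGIN_FAILED events for one user inside a sliding time window."""
    recent, alerts = defaultdict(deque), []
    for e in events:
        if e["event"] != "LOGIN_FAILED":
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:   # forget failures older than the window
            q.popleft()
        if len(q) >= n:
            alerts.append(("failed_logins_threshold", e["user"], e["ts"]))
            q.clear()                     # one alert per burst, not one per extra failure
    return alerts

def correlation_alerts(events, window=timedelta(minutes=10)):
    """Chain rule: LOGIN_FAILED -> LOGIN_SUCCESS -> FILE_ACCESS by one user within window."""
    state, alerts = {}, []               # user -> (chain step reached, time of first failure)
    for e in events:
        u, ts = e["user"], e["ts"]
        step, t0 = state.get(u, (0, None))
        if t0 is not None and ts - t0 > window:
            step, t0 = 0, None           # chain too old to count, start over
        if e["event"] == "LOGIN_FAILED" and step == 0:
            state[u] = (1, ts)
        elif e["event"] == "LOGIN_SUCCESS" and step == 1:
            state[u] = (2, t0)
        elif e["event"] == "FILE_ACCESS" and step == 2:
            alerts.append(("failed_success_access_chain", u, ts))
            state[u] = (0, None)
    return alerts
```

Running both functions over `parse(SAMPLE_LOGS)` yields one threshold alert and one chain alert, both for `admin`, while `alice`'s single typo produces nothing; the `q.clear()` and the window expiry are what keep a single burst from paging the on-call person repeatedly.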
Search and Investigation
After an incident, "what did this user do last week" is answered in seconds.
Reporting and Compliance
Ready-made reports are produced for KVKK and ISO 27001 audits.
SIEM Options Suitable for SMEs
| Solution | Type | Note |
|---|---|---|
| Microsoft Sentinel | Cloud | Azure integrated, pay-as-you-go |
| Wazuh | Open source | Free, mature, SME-friendly |
| Graylog | Open source | Log-focused, alert rules can be written |
| Splunk Cloud | Commercial | Powerful, high cost |
| Elastic SIEM | Open source/commercial | Search-focused, flexible |
For an SME start, Wazuh or Microsoft Sentinel are common choices.
Deployment Steps
- Identify log sources: Firewall, server, Microsoft 365, Active Directory, EDR
- Set retention: 90 days basic; 1-2 years for regulatory needs
- Choose and deploy the SIEM tool
- Enable rules: Start with the prebuilt rule library, customize over time
- Set a review rhythm: Daily quick look, weekly detailed review
- Integrate with incident response: When an alert arrives, who does what must be clear
- Improve regularly: Clean up false positives, add new threat scenarios
Common Mistakes
- Deploying SIEM and never writing rules
- Trying to log everything and overdoing retention
- Not setting up an alert-review process
- Skipping time synchronization (NTP)
- Not securing the SIEM server itself
- Skipping a critical log source (M365, EDR)
- Treating SIEM only as a compliance box, not extracting operational value
Real-World Examples
Example 1: Admin Login Alert at an Accounting Firm
At an accounting firm, an admin account was signed in from abroad at night. The SIEM rule alerted as "anomalous geography." IT locked the account immediately; a password leak was identified, and major damage was prevented.
Example 2: Bulk File Download at a Manufacturing Site
At a manufacturing site, a user downloaded hundreds of files in a short period. SIEM flagged the anomaly. Investigation showed the employee was copying data before leaving; the process was handled per internal policy.
Example 3: Compliance Report at a Consulting Firm
Before an ISO 27001 audit, a consulting firm realized its logs were not in an auditor-ready format. Logs were collected with Wazuh; during the audit, the necessary reports were produced instantly.
How Does Yamanlar Bilişim Support This Process?
Yamanlar Bilişim inventories log sources and selects the right SIEM at SME scale. Deployment, rule writing, alert flow, and reporting are designed together. It works in integration with the incident response plan.
Main areas where Yamanlar Bilişim can support:
- Log-source inventory and SIEM needs analysis
- Selecting the right tool (Wazuh, Sentinel, Graylog)
- Deployment and log-collection flow
- Custom alert rules for SMEs
- Alert-review process design
- KVKK/ISO compliance reports
- Integration with the incident response plan
- Regular rule improvement and false-positive cleanup
Frequently Asked Questions
Is SIEM overkill for a small office?
A full-blown commercial SIEM, yes; but lightweight solutions like Wazuh can be deployed in small offices too and deliver value.
How long should retention be?
For basic security 90 days; for compliance, 1-2 years is recommended. Regulatory requirements are decisive.
Does SIEM require a specialist?
You can start with the basic deployment and prebuilt rules. Specialist skills may be needed over time; SMEs can bring in external support.
Cloud SIEM or on-premise SIEM — which is better?
Cloud brings less maintenance overhead; on-premise gives more control. For most SMEs, cloud is preferred.
Who should receive the alerts?
Routing every alert to one person causes alert fatigue. Use a 2-3 person rotation so that alerts are evaluated by whoever is on call, and send critical alerts through multiple channels (email + SMS).
Author
Serdar
Yamanlar Bilişim Expert
Writes content on IT infrastructure, cybersecurity, and digital transformation at Yamanlar Bilişim. Get in touch for any questions.