Comparing Popular SIEM Data Pipeline Designs: Elastic, ArcSight, QRadar, and Splunk — Part 1

Tamir Suliman
8 min read · Jul 13, 2024

In this series we will provide a comparative analysis of the pipeline designs of four popular SIEM solutions: Elastic SIEM, ArcSight, QRadar, and Splunk. This follows the discovery that most SIEM vendors don't publish certified design documents or any reference architecture, and instead leave it to businesses to decide what fits their needs and budget.

My goal is to help you and your organization select a SIEM solution that aligns with your security infrastructure and operational requirements. To provide clarity, each design will be described in a list with accompanying diagrams; as the saying goes, a picture is worth a thousand words.

Elasticsearch (ELK Stack)

I will begin with Elastic, as it is currently gaining significant traction in the industry because of its robust search and analytics capabilities. Please note that the designs listed below serve as a baseline and can be enhanced to include a Redis cluster, multiple Logstash instances, several Elastic nodes, and a load balancer in front of the Logstash shipper tier, among other improvements.
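To make the "shipper → Redis → indexer" enhancement concrete, here is an added example of the two Logstash pipeline configurations such a design needs. It is illustrative code written for this article, not Elastic's reference configuration or anything from the original post; the host names, the `siem-events` Redis key, the index name and the environment variable names are assumptions. The shipper tier accepts Beats traffic from behind the load balancer and only buffers into Redis, so a slow or unavailable Elasticsearch cluster backs up in Redis rather than causing agents to drop events; the indexer tier drains Redis, parses, and writes to Elasticsearch over TLS with credentials pulled from the environment rather than hard-coded.

```logstash
# ---- shipper.conf (hypothetical file name) ----
# Runs on each Logstash shipper instance behind the load balancer.
# Keeps no parsing logic: its only job is to accept events and buffer them.
input {
  beats {
    port => 5044                                  # Beats agents reach this port via the load balancer
  }
}

output {
  redis {
    host => ["redis-1.example.internal", "redis-2.example.internal"]   # placeholder Redis hosts
    port => 6379
    data_type => "list"                           # LPUSH onto a list; indexers BLPOP from it
    key => "siem-events"                          # assumed queue name shared by shipper and indexer
    batch => true                                 # pipeline several events per Redis round trip
    batch_events => 50
  }
}

# ---- indexer.conf (hypothetical file name) ----
# Runs on each Logstash indexer instance. Adding indexers scales parsing
# throughput without touching the shipper tier or the agents.
input {
  redis {
    host => "redis-1.example.internal"            # placeholder Redis host
    port => 6379
    data_type => "list"
    key => "siem-events"                          # must match the shipper's key
    threads => 4                                  # parallel consumers on this indexer
  }
}

filter {
  # Parse syslog-style lines shipped by the agents; events that do not match
  # are tagged _grokparsefailure and still indexed, so nothing is silently lost.
  grok {
    match => { "message" => "%{SYSLOGLINE}" }
  }
  # Use the device's own timestamp as @timestamp instead of the ingest time.
  date {
    match => ["timestamp", "MMM dd HH:mm:ss", "MMM  d HH:mm:ss"]
  }
}

output {
  elasticsearch {
    hosts => ["https://es-1.example.internal:9200",
              "https://es-2.example.internal:9200"]   # placeholder Elastic nodes, TLS via https
    index => "siem-%{+YYYY.MM.dd}"                    # assumed daily index naming
    user => "${ES_INGEST_USER}"                       # assumed env vars; avoids secrets in the config
    password => "${ES_INGEST_PASSWORD}"
  }
}
```

Each file is loaded by its own Logstash process (or as separate entries in `pipelines.yml`), so the two tiers can be sized and restarted independently; when a node is added to either tier, only the load balancer pool or the Redis consumer count changes.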

Writer, engineer, cyber security enthusiast, PhD candidate & open source; I write about my day-to-day experience in software, data, and engineering.