
Getting Started

LogSentinel SIEM works by collecting data from multiple sources, detecting threats and allowing for an efficient incident response. The general flow looks as follows:

Figure: LogSentinel SIEM flow (the steps that an organization would normally take when working with LogSentinel SIEM)

Registering an account is easy and leads you to an empty dashboard. The registered user becomes the account administrator (this can be changed later). Registration is free, so this step can be done prior to purchasing a subscription in order to test the service.

Connecting the first source

First, you need to define the data source in the LogSentinel SIEM UI from the "Data source" menu item. You can ignore most properties for now and just set a friendly name.

Then the actual source can be connected in several ways:

  • LogSentinel Collector - check the documentation to connect Active Directory or an application text file, or to set up a firewall's syslog endpoint.
  • Cloud integrations - just go to the "Integrations" page on the menu and connect to any of the supported SaaS and IaaS.
  • Agent - install the endpoint agent locally and configure it to collect local logs. The agent is Wazuh/OSSEC compatible.
  • LogSentinel SIEM API - send audit logs directly to LogSentinel SIEM by connecting applications via the LogSentinel API.

Execute queries

Queries can be written in two formats:

  • Lucene - keys and values are separated by a colon, e.g. action:DELETE or params.sourceIP:
  • SQL - familiar SQL syntax, e.g. SELECT * FROM logs WHERE params.sourceIP=""
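
As an added illustration of how the two formats correspond (example code written for this page, not part of LogSentinel's documentation or product), the helper below translates a Lucene-style query of key:value terms joined by AND/OR into the SQL form shown above. It assumes the equivalence only holds for such simple term queries, restricts field and table names to identifier characters, and emits every value as a quoted SQL literal so that user-supplied text cannot alter the query structure.

```python
import re

# Tokens: an optionally double-quoted term (quotes may enclose spaces) or a bare word.
_TOKEN = re.compile(r'[^\s"]*"[^"]*"|\S+')
# A Lucene term: field name (letters, digits, '_' and '.') followed by a colon and a value.
_TERM = re.compile(r'^([A-Za-z_][\w.]*):(.+)$')
_IDENT = re.compile(r'^[A-Za-z_]\w*$')


def _sql_literal(value: str) -> str:
    """Quote a value as a SQL string literal, doubling embedded single quotes."""
    return "'" + value.replace("'", "''") + "'"


def lucene_to_sql(query: str, table: str = "logs") -> str:
    """Translate e.g.  action:DELETE AND params.sourceIP:"10.0.0.1"
    into  SELECT * FROM logs WHERE action='DELETE' AND params.sourceIP='10.0.0.1'.
    Only key:value terms joined by AND / OR are supported (an assumption of this
    example); anything else raises ValueError instead of being passed into the SQL.
    """
    if not _IDENT.match(table):
        raise ValueError(f"invalid table name {table!r}")
    where = []
    expect_term = True  # terms and operators must alternate
    for tok in _TOKEN.findall(query):
        if expect_term:
            m = _TERM.match(tok)
            if not m:
                raise ValueError(f"expected key:value term, got {tok!r}")
            key, value = m.groups()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]  # strip the Lucene phrase quotes
            where.append(f"{key}={_sql_literal(value)}")
        else:
            if tok.upper() not in ("AND", "OR"):
                raise ValueError(f"expected AND/OR, got {tok!r}")
            where.append(tok.upper())
        expect_term = not expect_term
    if expect_term:  # empty query or a trailing operator
        raise ValueError("query must end with a key:value term")
    return f"SELECT * FROM {table} WHERE " + " ".join(where)


if __name__ == "__main__":
    # Constructed sample query using the field names from this page.
    print(lucene_to_sql('action:DELETE AND params.sourceIP:"10.0.0.1"'))
```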