
How to Use SIEM for Firewall Log Analysis

SIEM tools make firewall log analysis more effective.

The Evolution of Cybersecurity and the Power of SIEM

OK, so I sit down at my desk, on my third cup of coffee and still riding a residual buzz from my visit to DefCon (the hacker village at that con was just way too sick), all right? Remembering my early days as a network admin in 1993 managing voice and data muxing over PSTN, the evolution of cybersecurity is insane. It's funny... Even now, when I hear about organizations that continue to struggle to parse and analyze firewall logs, I chuckle. Let me tell you why: SIEM tools have forever changed how we monitor security, and specifically how we monitor firewall logs.

What is SIEM?

Security Information and Event Management (SIEM) is a fancy term for the digital equivalent of a car's dashboard. I remember during the SQL Slammer worm outbreak in 2003 spending many a night splicing logs together manually, fishing for anomalies on various systems, hoping to find that one thing before it got huge. SIEM automates that headache. It collects, normalizes, and analyzes logs from your network, including your firewalls, all in near real time.

SIEM is basically a mechanic with the right diagnostic tools, one who can not only see your current engine trouble but also predict the next failure. It's the nervous system of your cyber defense strategy.

But, and this is a big BUT, not all SIEM tools are alike. More on that later.

Integrating Firewalls with SIEM

Firewalls churn out heaps of log data every day, tracking who is coming into the network, who's leaving, and many times, who's trying to sneak past the gates. Manually reading through those logs? Impossible, unless you want to live underground.

Here at P J Networks we focus on making sure those firewall logs feed cleanly into your SIEM solution, whether it's Cisco ASA, Palo Alto, Fortinet or whatever else you run. Integration is not simply plug in and hope for the best, however. It comes down to these key points:

  • Complete logs: no logs means no detections. Verify the firewall's log export configuration: which log types are forwarded, to which collector, and whether anything is rate-limited or dropped along the way.
  • Time sync: if your timestamps are off, your correlation is junk. Put firewalls, collectors and the SIEM on the same NTP source and log in one time zone (UTC).
  • Log format unification: different vendors speak different languages (FortiGate emits key=value pairs, Cisco ASA emits numbered %ASA messages). The SIEM normalizes them into one schema.
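To make the three points above concrete, here is a small normalizer, added as an example for this post and not P J Networks' own tooling. It parses one FortiGate traffic log and one Cisco ASA deny message into a single vendor-neutral schema and then measures clock skew between the device timestamp and the collector's receive time. The two log lines are constructed in the vendors' documented formats (RFC 5737 test addresses), both devices are assumed to log in UTC, and the 30-second tolerance is an assumption you would tune to your own correlation windows.

```python
"""Normalize FortiGate and Cisco ASA firewall syslog into one schema and
check clock skew. Added example, not P J Networks code; the two log lines
below are constructed in the vendors' documented formats, not captured
from a real device, and both devices are assumed to log in UTC."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample lines (synthetic addresses from RFC 5737 ranges).
FORTIGATE_LINE = (
    'date=2024-05-01 time=10:15:32 devname="FGT-EDGE" devid="FGT60FTK00000001" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=10.1.1.5 srcport=51234 srcintf="internal" dstip=203.0.113.9 dstport=443 '
    'dstintf="wan1" proto=6 action="accept" policyid=12 service="HTTPS"'
)
ASA_LINE = (
    'May  1 2024 10:15:40 asa-edge %ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 '
    'dst inside:10.1.1.20/22 by access-group "outside_in"'
)


@dataclass
class FirewallEvent:
    """Vendor-neutral schema the SIEM correlates on."""
    ts: datetime      # device timestamp, UTC
    vendor: str
    device: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str        # "tcp", "udp", "icmp", or the raw protocol number
    action: str       # "accept" or "deny"


_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_IP_PROTO = {"6": "tcp", "17": "udp", "1": "icmp"}
# FortiGate session-end actions (close, timeout) still mean the session was allowed.
_FGT_ACTION = {"accept": "accept", "close": "accept", "timeout": "accept", "deny": "deny"}
_ASA_DENY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%ASA-\d-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_fortigate(line: str) -> FirewallEvent:
    """FortiOS traffic logs are key=value pairs; string values are double-quoted."""
    kv = {k: (quoted or bare) for k, quoted, bare in _KV_RE.findall(line)}
    ts = datetime.strptime(f"{kv['date']} {kv['time']}", "%Y-%m-%d %H:%M:%S")
    return FirewallEvent(
        ts=ts.replace(tzinfo=timezone.utc),
        vendor="fortinet", device=kv["devname"],
        src_ip=kv["srcip"], src_port=int(kv["srcport"]),
        dst_ip=kv["dstip"], dst_port=int(kv["dstport"]),
        proto=_IP_PROTO.get(kv["proto"], kv["proto"]),
        action=_FGT_ACTION.get(kv["action"], kv["action"]),
    )


def parse_asa(line: str) -> FirewallEvent:
    """%ASA-4-106023 is the ACL deny message; other message IDs need their own pattern."""
    m = _ASA_DENY_RE.match(line)
    if m is None:
        raise ValueError("not an ASA 106023 deny line")
    ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
    return FirewallEvent(
        ts=ts.replace(tzinfo=timezone.utc), vendor="cisco", device=m["host"],
        src_ip=m["src"], src_port=int(m["sport"]),
        dst_ip=m["dst"], dst_port=int(m["dport"]),
        proto=m["proto"].lower(), action="deny",
    )


def clock_skew_seconds(event: FirewallEvent, received_at: datetime) -> float:
    """Positive means the device clock is behind the collector, negative means ahead."""
    return (received_at - event.ts).total_seconds()


def is_time_synced(event: FirewallEvent, received_at: datetime, tolerance_s: float = 30.0) -> bool:
    """Beyond the tolerance, correlation windows will silently miss this device's events."""
    return abs(clock_skew_seconds(event, received_at)) <= tolerance_s


if __name__ == "__main__":
    received = datetime(2024, 5, 1, 10, 20, 0, tzinfo=timezone.utc)  # collector clock, constructed
    for ev in (parse_fortigate(FORTIGATE_LINE), parse_asa(ASA_LINE)):
        print(ev, "skew=%+.0fs synced=%s" % (clock_skew_seconds(ev, received), is_time_synced(ev, received)))
```

The skew check is the part people skip: a device that is four minutes behind still produces perfectly valid-looking logs, but every "X within 60 seconds of Y" correlation rule involving it will quietly fail. Run it per device and alert on the skew itself.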

Here’s the deal – if your SIEM isn’t plugged in right, then it’s not much more than a dust collector. I’ve watched banks with the most ornate zero-trust architectures go blind because their logs weren’t being fed in correctly. It’s sort of like installing bulletproof glass on your car and leaving the doors unlocked.

Log Correlation

If raw logs are our cyber meal ingredients then log correlation is the cooking method. It’s how SIEM tools link together isolated logs — firewall hits, VPN connections, server alerts — to show suspicious patterns.

“Back in the early 2000s, before SIEM was a thing, we used to have to write a script or spend hours with spreadsheets,” Therrien said. Painful. Now, correlation engines do that heavy lifting for you.

Example? Your firewall logs show multiple failed login attempts from an unknown IP, followed shortly by a successful login from that same IP. The SIEM correlates that with an alert from your endpoint protection reporting suspicious file access by the same user. Bam! Instant threat detection.

What I love (and sometimes hate) about this phase:

  • Context is king: correlation is everything, but it requires precise and complete data.
  • False positives: SIEMs can throw a fit about strange-but-harmless behavior, so tuning is key.
  • Historical baselining: SIEMs learn what “normal” is — but if your network changes, your baselines have to change, too.

One thing I continue to caution folks on: don't lean too heavily on the default correlation rules. They are generic and lead to alert fatigue. Customize!
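Here is what that brute-force-then-success correlation looks like when written as a rule rather than a sentence, with the tuning knobs the bullets above call for (threshold, window, an allowlist for known-noisy sources, and a definition of "unknown IP"). This is an example added to the post, not P J Networks' rule set: the events are constructed and already normalized, the way a SIEM parser would emit them, and the internal ranges, thresholds and windows are assumptions to replace with your own.

```python
"""Correlate firewall authentication events with endpoint alerts: many failed
logins from one outside address followed by a success, then suspicious file
access on the endpoint that user landed on. Added example, not P J Networks
code; the events are constructed and already normalized, as a SIEM parser
would emit them, and thresholds, allowlist and internal ranges are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network


def T(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed, already-normalized events (RFC 5737 / RFC 1918 addresses). "auth"
# events come from the firewall's VPN/admin login logs, "edr" from endpoint protection.
EVENTS = [
    {"ts": T("2024-05-01T10:00:05"), "kind": "auth", "result": "fail", "src_ip": "198.51.100.7", "user": "jdoe"},
    {"ts": T("2024-05-01T10:00:09"), "kind": "auth", "result": "fail", "src_ip": "198.51.100.7", "user": "jdoe"},
    {"ts": T("2024-05-01T10:00:14"), "kind": "auth", "result": "fail", "src_ip": "198.51.100.7", "user": "jdoe"},
    {"ts": T("2024-05-01T10:00:20"), "kind": "auth", "result": "fail", "src_ip": "198.51.100.7", "user": "jdoe"},
    {"ts": T("2024-05-01T10:00:27"), "kind": "auth", "result": "fail", "src_ip": "198.51.100.7", "user": "jdoe"},
    {"ts": T("2024-05-01T10:00:33"), "kind": "auth", "result": "success", "src_ip": "198.51.100.7", "user": "jdoe"},
    {"ts": T("2024-05-01T10:04:10"), "kind": "edr", "alert": "suspicious file access", "user": "jdoe", "host": "ws-jdoe"},
    # Noise: the internal vulnerability scanner fails and then succeeds on every run.
    {"ts": T("2024-05-01T10:30:00"), "kind": "auth", "result": "fail", "src_ip": "10.0.5.9", "user": "svc-scan"},
    {"ts": T("2024-05-01T10:30:01"), "kind": "auth", "result": "fail", "src_ip": "10.0.5.9", "user": "svc-scan"},
    {"ts": T("2024-05-01T10:30:02"), "kind": "auth", "result": "fail", "src_ip": "10.0.5.9", "user": "svc-scan"},
    {"ts": T("2024-05-01T10:30:03"), "kind": "auth", "result": "fail", "src_ip": "10.0.5.9", "user": "svc-scan"},
    {"ts": T("2024-05-01T10:30:04"), "kind": "auth", "result": "fail", "src_ip": "10.0.5.9", "user": "svc-scan"},
    {"ts": T("2024-05-01T10:30:05"), "kind": "auth", "result": "success", "src_ip": "10.0.5.9", "user": "svc-scan"},
]

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_unknown_source(ip: str) -> bool:
    """'Unknown' here means not one of our own ranges; tune this to your environment."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def correlate(events, fail_threshold=5, fail_window=timedelta(minutes=10),
              edr_window=timedelta(minutes=15), allowlist=()):
    """Alert when >= fail_threshold failures from one unknown IP inside fail_window
    are followed by a success from that IP. Severity rises to 'high' when an EDR
    alert for the same user follows within edr_window."""
    fails = defaultdict(deque)          # src_ip -> timestamps of recent failures
    alerts = []
    ordered = sorted(events, key=lambda e: e["ts"])
    for ev in ordered:
        if ev["kind"] != "auth":
            continue
        ip = ev["src_ip"]
        if ev["result"] == "fail":
            fails[ip].append(ev["ts"])
            while fails[ip] and ev["ts"] - fails[ip][0] > fail_window:
                fails[ip].popleft()      # drop failures that fell out of the window
            continue
        # result == "success": decide whether the preceding failures make it suspicious
        recent = [t for t in fails[ip] if ev["ts"] - t <= fail_window]
        if ip in allowlist or not is_unknown_source(ip) or len(recent) < fail_threshold:
            fails[ip].clear()
            continue
        followup = [e for e in ordered if e["kind"] == "edr" and e.get("user") == ev["user"]
                    and ev["ts"] <= e["ts"] <= ev["ts"] + edr_window]
        alerts.append({
            "rule": "bruteforce-then-success",
            "src_ip": ip, "user": ev["user"], "ts": ev["ts"],
            "failures": len(recent),
            "severity": "high" if followup else "medium",
            "endpoint_alerts": [e["alert"] for e in followup],
            "host": followup[0]["host"] if followup else None,
        })
        fails[ip].clear()
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Notice that the scanner's identical fail/fail/success pattern produces nothing, not because the rule special-cases it but because the source is in our own ranges; raising the threshold to six or putting the attacker's IP on the allowlist also silences the real alert, which is exactly why these knobs need to be set per environment rather than left at vendor defaults.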

Automating Incident Response

Now, this is where SIEM really comes into its own. Manual incident response is so 2008 and, quite frankly, doesn't cut it. Automation lets you react faster than any human can.

When I recently assisted three banks in adopting zero trust, automating incident response through their SIEM made a huge difference. Imagine this:

  • The SIEM sees outbound traffic from an internal host to an external address on a port that host never normally uses
  • It immediately pushes a firewall policy change to block that traffic
  • It creates a ticket in your helpdesk software for your team to investigate

Boom. Threat neutralized — before your security team has even seen the alert. That’s not just cool. It’s essential.

But be aware: automation without adequate controls is chaos. I've watched crude SOAR (Security Orchestration, Automation and Response) deployments completely lock down some of the most critical systems in an organization because the SIEM wasn't configured to understand context. As if you gave the car keys to your dog because he barked.
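The three-step playbook above, with the controls this paragraph asks for built in, looks like this. It is an example added to the post, not P J Networks' or any vendor's code. The guardrails (a never-block list covering internal space and a partner range, a cap on blocks per run, and a dry-run default) are assumptions chosen for illustration. The FortiGate CLI it emits uses the FortiOS `config firewall address` and `config firewall addrgrp` syntax as I know it and assumes a deny policy already references the `SIEM-autoblock` group, so the automation only ever edits group membership; validate the exact syntax against your FortiOS version. The ticket payload targets a hypothetical helpdesk API.

```python
"""Guarded auto-block playbook: unusual outbound port from an internal host,
push a firewall change, open a ticket. Added example, not P J Networks code.
The FortiGate CLI follows FortiOS 'config firewall address' / 'config firewall
addrgrp' syntax as the author of this example knows it; validate it against your
FortiOS version. Findings, never-block ranges, cap and group name are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Finding:
    src_ip: str
    dst_ip: str
    dst_port: int
    baseline_ports: frozenset     # ports this source is normally seen using outbound


@dataclass
class PlaybookResult:
    blocked: List[str] = field(default_factory=list)
    skipped: List[tuple] = field(default_factory=list)   # (dst_ip, reason)
    cli: List[str] = field(default_factory=list)
    tickets: List[dict] = field(default_factory=list)


# Guardrails (assumptions): destinations that must never be auto-denied, a cap per run
# so one noisy rule cannot wipe out connectivity, and a pre-existing deny policy that
# references AUTOBLOCK_GROUP so the automation only ever edits group membership.
NEVER_BLOCK = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
               ip_network("192.168.0.0/16"), ip_network("203.0.113.0/24")]  # last: payments partner
MAX_AUTO_BLOCKS = 3
AUTOBLOCK_GROUP = "SIEM-autoblock"


def fortigate_block_cli(dst_ip: str) -> List[str]:
    """Create a /32 address object and append it to the auto-block group."""
    name = "siem-block-" + dst_ip.replace(".", "-")
    return [
        "config firewall address",
        f'    edit "{name}"',
        f"        set subnet {dst_ip} 255.255.255.255",
        "    next",
        "end",
        "config firewall addrgrp",
        f'    edit "{AUTOBLOCK_GROUP}"',
        f'        append member "{name}"',
        "    next",
        "end",
    ]


def _ticket(f: Finding, note: str) -> dict:
    """Payload for a hypothetical helpdesk API; the field names are an assumption."""
    return {"title": f"Unusual outbound {f.src_ip} -> {f.dst_ip}:{f.dst_port}",
            "severity": "high", "note": note,
            "evidence": {"src": f.src_ip, "dst": f.dst_ip, "port": f.dst_port,
                         "baseline_ports": sorted(f.baseline_ports)}}


def run_playbook(findings: List[Finding],
                 apply: Optional[Callable[[List[str]], None]] = None) -> PlaybookResult:
    """apply=None is a dry run: CLI is generated and ticketed but never pushed."""
    res = PlaybookResult()
    for f in findings:
        if f.dst_port in f.baseline_ports:
            res.skipped.append((f.dst_ip, "port within baseline"))
            continue
        if any(ip_address(f.dst_ip) in net for net in NEVER_BLOCK):
            res.skipped.append((f.dst_ip, "destination on never-block list"))
            res.tickets.append(_ticket(f, "anomalous port to protected destination; manual review"))
            continue
        if len(res.blocked) >= MAX_AUTO_BLOCKS:
            res.skipped.append((f.dst_ip, "auto-block cap reached"))
            res.tickets.append(_ticket(f, "cap reached; needs human approval to block"))
            continue
        cli = fortigate_block_cli(f.dst_ip)
        if apply is not None:
            apply(cli)                 # real deployments ship this via the device API/SSH
        res.blocked.append(f.dst_ip)
        res.cli.extend(cli)
        res.tickets.append(_ticket(f, "auto-blocked; confirm, then expire or make permanent"))
    return res


# Constructed findings (RFC 5737 / RFC 1918 addresses); in practice these come from
# the SIEM's baseline rule, not from a hard-coded list.
FINDINGS = [
    Finding("10.1.1.17", "198.51.100.23", 4444, frozenset({80, 443})),
    Finding("10.1.1.18", "203.0.113.40", 8443, frozenset({443})),    # partner range
    Finding("10.1.1.19", "198.51.100.24", 443, frozenset({443})),    # normal traffic
    Finding("10.1.1.20", "198.51.100.25", 6667, frozenset({80, 443})),
    Finding("10.1.1.21", "198.51.100.26", 4444, frozenset({443})),
    Finding("10.1.1.22", "198.51.100.27", 9001, frozenset({443})),   # over the cap
]

if __name__ == "__main__":
    result = run_playbook(FINDINGS)      # dry run; pass apply=... to push for real
    print("blocked:", result.blocked)
    print("skipped:", result.skipped)
    print("\n".join(result.cli))
```

Two design choices carry the weight here. Blocking the external destination rather than quarantining the internal source keeps a false positive from taking a server offline, and routing every change through membership of one address group referenced by one pre-existing deny policy means the automation can never reorder or rewrite your rulebase. Everything the playbook declines to block still becomes a ticket, so the cap and the never-block list reduce blast radius without reducing visibility.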

Choosing the Right SIEM Tool

Let me be blunt: I'm always suspicious of any security vendor that slaps an AI-powered sticker on their product and calls it a silver bullet. AI is great, in moderation. But too many use it as a crutch to obscure bad integration or incomplete data. Your SIEM must be:

  • Flexible: works with your current firewalls, routers, and servers
  • Scalable: grows as needed without becoming a bottomless money pit
  • Customizable: fits your specific environment, not the other way around
  • User-friendly: your team must be able to understand what's happening instead of drowning in alerts

At P J Networks, we compare SIEM products against these criteria before we propose one. Because in the end, this isn't about the fancy dashboard; it's about practical, effective, long-term security monitoring.

Quick Take

  • SIEM centralizes and automates firewall log analysis
  • Proper integration and normalization are mandatory
  • Log correlation makes sense of mountains of data
  • Automate incident response, but test your playbooks heavily
  • Be cautious with SIEM tools: don't believe the hype, focus on legitimate capabilities

Wrapping Up

You see, my career began at a time when cyber threats were viruses that traveled by floppy disk and crude worms like Slammer. Today, the fight is on new ground, and SIEM, when implemented properly, is your first and best line of defense.

Firewall logs are a gold mine for threat detection; don't let them get buried under mountains of noise. Treat your SIEM the way a trusted mechanic treats an engine: always tuning it and maintaining the overall health of your network.

And if you're still conducting firewall log checks with a spreadsheet (or worse, by gut feel), it's time for a reality check. Get in touch. At P J Networks, we are all about cyber security and technology. We've assisted banks, enterprises, and startups in pairing SIEM with their firewalls in ways that make sense.

The simple reality is this: in cybersecurity, visibility is your lifeblood.
