3. Ensure that all the devices/servers in your IT infrastructure are properly integrated.
One common problem here: even when devices are integrated successfully, there is a chance that they stop communicating with the SIEM collector. In such a scenario, there should be a mechanism to detect the devices/servers that are not sending logs to the SIEM.
This mechanism should strictly be automated, and an email and/or SMS alert should be generated.
Most SIEM products have this functionality, but unfortunately it is not used extensively. At some places, failures in log collection from devices/servers are still checked regularly by manual methods.
Such a practice should be avoided; otherwise the SIEM would no longer be a near-real-time monitoring system, at least for these devices/servers.
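To make the point concrete, here is an added example of such an automated silent-source check (it is not code from the article or from any SIEM vendor). It keeps an inventory of expected log sources with a per-source maximum silence, compares it against the newest event seen from each source, flags anything past its threshold or never seen at all, and composes the email alert. Hostnames, timestamps, the recipient address and the evaluation time are constructed; in a real deployment the event list would come from the SIEM's ingestion index and the message would go out through the existing alerting channel.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.message import EmailMessage
from typing import Iterable, Optional


@dataclass(frozen=True)
class SourcePolicy:
    """A log source the SIEM expects to hear from, and how long it may stay quiet."""
    name: str
    max_silence: timedelta


# Constructed inventory (hypothetical hostnames); in practice this comes from the asset list.
INVENTORY = [
    SourcePolicy("fw-edge-01", timedelta(minutes=5)),   # chatty perimeter firewall
    SourcePolicy("dc-01", timedelta(minutes=15)),       # domain controller
    SourcePolicy("web-03", timedelta(minutes=5)),
    SourcePolicy("hr-app-db", timedelta(hours=1)),      # low-volume database host
]

# Constructed sample of (event timestamp, reporting source), as a collector would index them.
SAMPLE_EVENTS = [
    ("2024-05-01T11:30:00+00:00", "dc-01"),
    ("2024-05-01T11:55:00+00:00", "fw-edge-01"),
    ("2024-05-01T11:58:00+00:00", "fw-edge-01"),
    ("2024-05-01T11:59:00+00:00", "web-03"),
    ("2024-05-01T11:57:00+00:00", "printer-7"),  # sends logs but is not in the inventory
]

# Constructed evaluation time so the example is deterministic.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)


def last_seen(events: Iterable[tuple[str, str]]) -> dict[str, datetime]:
    """Newest event timestamp per source."""
    latest: dict[str, datetime] = {}
    for stamp, source in events:
        ts = datetime.fromisoformat(stamp)
        if source not in latest or ts > latest[source]:
            latest[source] = ts
    return latest


def find_silent_sources(inventory, events, now) -> list[tuple[str, Optional[timedelta]]]:
    """Sources that are past their allowed silence, in inventory order.

    The silence is None for a source that was registered but has never sent
    anything, which is the classic 'integration that never actually started'.
    """
    seen = last_seen(events)
    silent: list[tuple[str, Optional[timedelta]]] = []
    for policy in inventory:
        if policy.name not in seen:
            silent.append((policy.name, None))
            continue
        gap = now - seen[policy.name]
        if gap > policy.max_silence:
            silent.append((policy.name, gap))
    return silent


def unregistered_sources(inventory, events) -> set[str]:
    """Sources that send logs but have no policy: an integration gap in the other direction."""
    known = {p.name for p in inventory}
    return {source for _, source in events} - known


def build_alert(silent, now, recipient="soc-oncall@example.invalid") -> Optional[EmailMessage]:
    """Compose the email the health check would send; None when nothing is wrong."""
    if not silent:
        return None
    msg = EmailMessage()
    msg["Subject"] = f"[SIEM health] {len(silent)} log source(s) silent as of {now.isoformat()}"
    msg["To"] = recipient
    lines = []
    for name, gap in silent:
        detail = "never seen" if gap is None else f"no logs for {int(gap.total_seconds() // 60)} min"
        lines.append(f"- {name}: {detail}")
    msg.set_content("\n".join(lines))
    return msg


if __name__ == "__main__":
    silent = find_silent_sources(INVENTORY, SAMPLE_EVENTS, NOW)
    alert = build_alert(silent, NOW)
    print(alert if alert else "all sources healthy")
    print("unregistered:", sorted(unregistered_sources(INVENTORY, SAMPLE_EVENTS)))
```

Run on the constructed data, the check reports dc-01 (quiet for 30 minutes against a 15-minute budget) and hr-app-db (never seen), while the firewall and web server are within budget. Per-source thresholds matter: a low-volume host legitimately goes quiet for far longer than a firewall, and a single global timeout would either miss the firewall outage or page on the database every hour. Scheduling this a few minutes apart is what turns the SIEM's own health into a near-real-time signal rather than a weekly manual review.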
