Log data generated in enterprise networks is the most critical source of information not only for detecting cyber threats but also for meeting legal compliance requirements. For businesses operating in Turkey, Law No. 5651 imposes an obligation on internet collective use providers and hosting providers to store certain log data by signing it with a timestamp. However, many organizations misconfigure their Syslog infrastructure and SIEM (Security Information and Event Management) systems while trying to ensure 5651 compliance, which leads to both security vulnerabilities and legal invalidity.
In this guide, we will examine step-by-step how to set up a correct logging architecture where Syslog, SIEM, and 5651 timestamp components work together, which is both fully legally compliant and in line with cybersecurity standards.
Logging Architecture Components: Syslog, SIEM, and 5651
To set up a correct architecture, it is first necessary to correctly position the roles and relationships of these three main components.
1. Syslog (System Logging)
Syslog is a protocol that enables log messages generated by network devices (firewall, switch, router), servers, and applications to be transmitted to a central server in a standard format.
- Role: To collect raw log data from source devices and transmit them to a central log server (Syslog Server).
- Limitations: The Syslog protocol alone does not interpret, correlate, or apply legal timestamps to data. It is merely a transport and storage mechanism.
2. SIEM (Security Information and Event Management)
SIEM is a system that collects, normalizes, and analyzes log data from different sources in real time, and generates alerts by correlating security events.
- Role: To establish meaningful connections between logs (e.g., detecting a successful login event following consecutive failed login attempts) to catch cyber attacks instantly.
- Limitations: SIEM systems are excellent for cybersecurity operations, but they do not always offer, as a built-in feature, the signing with the TÜBİTAK timestamp that Law No. 5651 requires.
3. 5651 Timestamp
The hash values of IP distribution logs, DHCP logs, and firewall traffic logs collected within the scope of Law No. 5651 must be signed through an authorized timestamp server (usually TÜBİTAK Kamu SM) in order to have legal evidence value.
- Role: To legally prove that the log file has not been modified (its integrity has been preserved) since the moment it was created.
How to Design the Right Logging Architecture?
It is best to set up a hybrid architecture that will both feed your cybersecurity operations (SOC) and legally guarantee 5651 compliance. Here is the step-by-step correct architecture setup:
[Network Devices / Servers]
        │
        ├───► (Syslog / TLS) ───► [Central Syslog / Log Collector]
        │                                     │
        │                                     ├───► [5651 Signing Module] ───► [Timestamped Archive]
        │                                     │
        └───► (Agent / Syslog) ───────────────┴───► [SIEM Platform (Wazuh / ELK)]
Step 1: Secure Transmission of Raw Logs (Syslog over TLS)
Logs must be encrypted in transit from the sources that generate them (firewalls, switches, DHCP servers) to the central collector. Traditional Syslog over UDP port 514 is unencrypted and can be read or modified by anyone eavesdropping on the network.
- Solution: The Syslog over TLS (TCP port 6514) protocol should be used for log transmission. In this way, the integrity and confidentiality of the logs from the source to the collector are protected.
Step 2: Segregation of Logs and Filtering
Not all log data has to be stored within the scope of 5651. For example, detailed debug logs of a server take up unnecessary space for legal compliance but can be valuable for SIEM.
- Solution: By defining rules on the central log collector, IP logs required for 5651 (DHCP, NAT, Firewall traffic logs) should be directed to the signing module, and all logs required for security analysis should be transmitted to the SIEM system.
Step 3: 5651 Timestamp Integration
Logs segregated for 5651 should be automatically compressed (zip/tar.gz) daily (after 00:00 every night), hashed, and signed with the TÜBİTAK Kamu SM timestamp.
- Critical Rule: Signed log files and timestamp certificates (files with .tsr extension) must be stored in a secure and unalterable storage area for at least 2 years. To learn more about the importance of log integrity, you can review our Why Log Integrity is Critical in 5651 Compliance? guide.
Step 4: SIEM Correlation and SOC Monitoring
Log data transmitted to the SIEM side must be continuously monitored by security analysts. To monitor activity on your network and catch threats instantly, you can benefit from our SOC-Focused Security Incident Monitoring and Response service.
Common Mistakes in Architectural Installation
The most common mistakes organizations make when setting up their logging infrastructure are:
- Setting up only SIEM and forgetting 5651: SIEM systems keep logs in a database, but these database records may not be accepted as legal evidence in court unless they are in the legally timestamped file format.
- Using only a 5651 signing appliance: These appliances ensure legal compliance but cannot detect cyber attacks. If there is a breach in your network, you will not notice it.
- Not checking timestamps: Failure to sign logs due to running out of timestamp credits or expired certificates will lead to administrative fines during audits.
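The nightly Step 3 routine and the audit check for the "not checking timestamps" mistake, as an added example that is not code from the original page or from any vendor: it archives one day's segregated 5651 logs, records their SHA-256, requests an RFC 3161 timestamp with openssl ts, keeps the .tsr beside the archive, and lists every archive whose timestamp is missing or no longer verifies. The per-day directory layout under LOG_DIR, ARCHIVE_DIR, and the TSA_URL and TSA_CHAIN values are assumptions; the URL is a placeholder, not the Kamu SM endpoint.

```shell
#!/bin/sh
# Nightly 5651 archive + RFC 3161 timestamp routine and audit check (added example).
# Assumed layout: the filtered 5651 logs land in $LOG_DIR/<YYYY-MM-DD>/ (Step 2);
# TSA_URL and TSA_CHAIN are placeholders, not the real Kamu SM endpoint or chain.
set -eu
LOG_DIR="${LOG_DIR:-/var/log/5651}"
ARCHIVE_DIR="${ARCHIVE_DIR:-/srv/5651-archive}"
TSA_URL="${TSA_URL:-https://tsa.example.invalid/tsa}"
TSA_CHAIN="${TSA_CHAIN:-/etc/ssl/5651/tsa-chain.pem}"

# archive_day DATE: tar.gz that day's logs, record SHA-256, print the archive path.
archive_day() {
    out="$ARCHIVE_DIR/5651-$1.tar.gz"
    mkdir -p "$ARCHIVE_DIR"
    tar -czf "$out" -C "$LOG_DIR" "$1"
    sha256sum "$out" > "$out.sha256"
    echo "$out"
}

# timestamp_archive FILE: hash the archive into a TimeStampReq, submit it over the
# RFC 3161 HTTP binding, keep the response (.tsr) next to the archive and verify it.
timestamp_archive() {
    openssl ts -query -data "$1" -sha256 -cert -out "$1.tsq"
    curl -fsS -H 'Content-Type: application/timestamp-query' \
         --data-binary "@$1.tsq" -o "$1.tsr" "$TSA_URL"
    openssl ts -verify -data "$1" -in "$1.tsr" -CAfile "$TSA_CHAIN"
}

# check_archives: the audit against the "not checking timestamps" mistake.
# Lists every archive whose .tsr is missing or fails verification; returns 1 if any.
check_archives() {
    bad=0
    for f in "$ARCHIVE_DIR"/5651-*.tar.gz; do
        [ -e "$f" ] || continue
        if [ ! -s "$f.tsr" ]; then
            echo "NO TIMESTAMP: $f"; bad=$((bad + 1))
        elif ! openssl ts -verify -data "$f" -in "$f.tsr" -CAfile "$TSA_CHAIN" >/dev/null 2>&1; then
            echo "INVALID TIMESTAMP: $f"; bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Cron entry shortly after 00:00: `5651-archive.sh run` archives and signs yesterday.
if [ "${1:-}" = run ]; then
    timestamp_archive "$(archive_day "$(date -d yesterday +%F)")"
fi
```

Run check_archives from a separate cron job (and before any audit) so that an exhausted timestamp credit or an expired TSA chain surfaces as a missing or invalid .tsr the same day, not at the audit.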
Holistic Security and Compliance Solutions
Combining legal compliance and cybersecurity operations when designing your logging architecture provides your organization with both cost and operational efficiency advantages. To set up an integrated structure with powerful open-source tools, you can examine our Wazuh / Snort / Suricata Security Integration solutions.
Additionally, to better understand the technical and administrative differences between 5651 compliance and KVKK, you can check out our article What is the Difference Between 5651 and KVKK?.
To protect your organization's IT infrastructure against cyber threats, prepare fully for legal audits, and perform professional logging architecture installation, you can contact us to work with our Managed Services team.
Frequently Asked Questions
Can Syslog data be used directly as evidence in court?
No. Since raw Syslog data is in plain text format, it can be easily modified. In order for this data to gain legal evidence value in court, it must be signed with an authorized timestamp (TÜBİTAK Kamu SM, etc.).
Can SIEM and 5651 logging systems run on the same server?
Technically yes, but it is not recommended. SIEM systems are intensive analysis tools that consume high CPU and RAM. 5651 logs, on the other hand, must be archived continuously and securely. Therefore, logically or physically segregating the two structures is the most correct architectural approach.
How long are we obliged to store 5651 logs?
In accordance with Law No. 5651 and relevant regulations, it is a legal requirement to store traffic and access logs for at least 2 years while protecting their accuracy, integrity, and confidentiality.
Conclusion
A correct logging architecture not only prevents legal penalties but also forms one of the strongest lines of defense protecting your organization's digital assets against cyber attackers. When the flexibility of the Syslog protocol, the analytical power of SIEM systems, and the legal assurance of the 5651 timestamp are combined, full visibility and full compliance in cybersecurity are achieved.