EP250 The End of 'Collect Everything'? Moving from Centralization to Data Access?
Google Cloud, Monday, November 3rd, 2025
The discussion provides a strategic reframing of log pipelines, moving their perceived value far beyond the common "reduce the SIEM bill" narrative. Balazs Scheidler argues that modern, observable pipelines are critical infrastructure for data quality, classification, normalization, and management, which legacy tools and SIEMs are unequipped or disincentivized to handle.
The central thesis is that the industry's failure to solve basic data quality, parsing, and schema issues (illustrated by a story of corrupted Palo Alto CEF logs being ingested for years) has rendered many detections useless. Pipelines are the only component incentivized to fix this "data quality gap."
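The kind of pipeline-side check the discussion is arguing for, as an added example that is not from the episode or from any product it mentions: a small CEF parser that honours the header escaping rules, validates the header and extension, coerces vendor keys into a common schema, and quarantines anything that does not fit while counting the reason. The sample records are constructed for this example and their defects (a header shifted by an unescaped pipe, a truncated header, a wrong-typed field, a non-CEF line) are illustrative; the page does not describe what was actually wrong with the Palo Alto logs in the story. The ECS-style target field names are an assumption.

```python
"""Pipeline-side CEF validation and normalization (added example, not from the episode)."""
import ipaddress
import re
from collections import Counter

# Constructed sample records. The broken shapes are illustrative only; the page does
# not say how the Palo Alto logs in the episode's story were corrupted.
SAMPLE_LOGS = [
    "CEF:0|Palo Alto Networks|PAN-OS|10.2|traffic|TRAFFIC|3|src=10.1.2.3 dst=203.0.113.7 spt=51514 dpt=443 act=allow",
    # Unescaped '|' inside the Name field pushes every later header field one slot to the right.
    "CEF:0|Palo Alto Networks|PAN-OS|10.2|threat|Virus: Win32|Trojan|5|src=10.1.2.9 dst=198.51.100.4 dpt=80",
    "CEF:0|Palo Alto Networks|PAN-OS|10.2|traffic",
    "CEF:0|Palo Alto Networks|PAN-OS|10.2|traffic|TRAFFIC|3|src=not-an-ip dst=203.0.113.7 dpt=99999 act=allow",
    "<14>Nov  3 10:00:00 fw1 plain syslog line that is not CEF at all",
]

HEADER_FIELDS = ("version", "vendor", "product", "device_version", "event_class_id", "name", "severity")
SEVERITY_WORDS = {"low", "medium", "high", "very-high"}  # CEF allows words or 0-10


def _port(value):
    port = int(value)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


# Vendor extension key -> (common schema field, type converter). ECS-style names are an assumption.
SCHEMA = {
    "src": ("source.ip", lambda v: str(ipaddress.ip_address(v))),
    "dst": ("destination.ip", lambda v: str(ipaddress.ip_address(v))),
    "spt": ("source.port", _port),
    "dpt": ("destination.port", _port),
    "act": ("event.action", str.lower),
}

KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def split_header(line):
    """Split the seven pipe-delimited header fields, honouring the \\| and \\\\ escapes.
    Returns (fields, extension); fewer than seven fields means the header is truncated."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(fields) < 7 and cur:  # line ended inside a header field (no trailing pipe)
        fields.append("".join(cur))
        return fields, ""
    return fields, line[i:]


def parse_extension(ext):
    """Parse 'key=value key2=value with spaces' pairs; a value runs up to the next key."""
    pairs, matches = {}, list(KEY_RE.finditer(ext))
    if ext.strip() and not matches:
        raise ValueError("extension carries no key=value pairs")
    for n, m in enumerate(matches):
        end = matches[n + 1].start() if n + 1 < len(matches) else len(ext)
        pairs[m.group(1)] = ext[m.end():end].strip().replace("\\=", "=")
    return pairs


def normalize(line):
    """Return (event, None) for a valid record, or (None, reason) for one to quarantine."""
    if not line.startswith("CEF:"):
        return None, "not_cef"
    fields, ext = split_header(line)
    if len(fields) < 7:
        return None, "truncated_header"
    header = dict(zip(HEADER_FIELDS, fields))
    sev = header["severity"]
    if not (sev.isdigit() and int(sev) <= 10 or sev.lower() in SEVERITY_WORDS):
        return None, "bad_severity"  # almost always a header shifted by an unescaped '|'
    try:
        pairs = parse_extension(ext)
    except ValueError:
        return None, "bad_extension"
    event = {"cef.version": header["version"][4:], "observer.vendor": header["vendor"],
             "observer.product": header["product"], "event.code": header["event_class_id"],
             "event.name": header["name"], "event.severity": sev}
    for key, raw in pairs.items():
        if key in SCHEMA:
            name, conv = SCHEMA[key]
            try:
                event[name] = conv(raw)
            except ValueError:
                return None, f"bad_type:{key}"
        else:
            event[f"cef.ext.{key}"] = raw  # unknown keys are kept, but namespaced, never dropped silently
    return event, None


def run_pipeline(lines):
    """Normalize a batch, quarantining bad records and counting why: the pipeline's own telemetry."""
    events, quarantine, reasons = [], [], Counter()
    for line in lines:
        event, reason = normalize(line)
        if event is None:
            quarantine.append((reason, line)); reasons[reason] += 1
        else:
            events.append(event)
    return events, quarantine, reasons


if __name__ == "__main__":
    events, quarantine, reasons = run_pipeline(SAMPLE_LOGS)
    print(f"{len(events)} normalized, {len(quarantine)} quarantined: {dict(reasons)}")
    for reason, line in quarantine:
        print(f"  {reason:<18} {line[:60]}")
```

The point of the `reasons` counter is that it is a metric a pipeline can alert on: a quarantine rate that jumps after a firewall firmware upgrade is visible the same day, instead of surfacing years later as detections that never fire because the fields they key on were never populated correctly.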
Furthermore, by applying modern, declarative management principles ("cattle, not pets") to pipelines, organizations can finally automate the difficult feedback loop required to make an "output-driven SIEM" (one that starts from the detections and reports it must produce and derives what to collect from them, rather than collecting everything first) a practical reality, rather than an academic exercise.