Consider that network and application firewalls, network and host intrusion detection/prevention
systems (IDS/IPS), access controls, sniffers, and Unified Threat Management (UTM) systems all log
security events that must be monitored. Every switch, router, load balancer, operating system,
server, badge reader, custom or legacy application, and many other IT systems across the
enterprise produce logs of security events, as will every new system to follow (such as
virtualization). Most have their own log expression formats.