Consider that network and application firewalls, network and host Intrusion Detection/Prevention (IDS/IPS), access controls, sniffers, and Unified Threat Management systems (UTM)—all log security events that must be monitored. Every switch, router, load balancer, operating system, server, badge reader, custom or legacy application, and many other IT systems across the enterprise produce logs of security events, along with every new system to follow (such as virtualization). Most have their own log expression formats. Some systems, like legacy applications, don't produce logs at all.