Bruce Schneier on log analysis

We all respect Bruce Schneier’s opinion (if you don’t, be careful), and I found his take on log analysis very interesting:

Whenever someone attacks you, they leave footprints… All of these products have audit logs and they produce audit messages (millions of messages a day). Most of them are a complete waste of time, like printer out of toner. So what?

But some of them are very important. In those audit logs are footprints of attacks. If you can monitor those in real time, you can watch the attacker as he is attacking. If you can understand what is going on fast enough, you can kick him out before he does more damage…

You can watch it here.
