Harnessing log data to meet PCI DSS requirements

18.05.2010

Log storage. Once collected, logs must be stored efficiently and effectively. Organizations that implement homegrown log infrastructures often end up with silos of distributed log servers that are very hard to manage. Given long-term log retention requirements from PCI and other mandates, storage can quickly exceed tens or even hundreds of terabytes. So look for solutions that provide efficient storage through compression and through automation of retention policies. Ideally, the solution should also let you leverage external storage-area networks.

Log analysis. A basic problem with log analysis is that each log source relies on a different and often cryptic format, which is very difficult to analyze. Unless these formats are merged, the burden of familiarity with the hundreds of different formats or log "languages" falls on the user. Commercial solutions should convert the various native formats into a unified format to simplify analysis.

Another significant challenge is that logs generally lack the asset and user context needed to enable effective analysis. For example, many logs contain IP addresses but not the host name, the role of the host, whether it stores cardholder data, where it's located, or what regulations it's subject to.

Log analysis is even harder when it comes to users. In fact, user information is often entirely missing. For example, router logs have IP addresses, not user names. So you would have to translate the available IP address to a host name and in turn to the owner. You would also have to know their roles and privileges and be aware of the different identities of each user to create a composite picture of user activity.

SIEM solutions can overcome these challenges through an asset and user model that is dynamically referenced. However, the solution also needs to be session aware to successfully attribute log activity to users, and it must come with identity adapters that pull user roles and privileges from IDM systems.
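The following is an added example, not code from the article or from any SIEM product, that walks through the two problems described above: normalizing several native log formats into one schema, and then enriching each event with asset context (host name, role, whether it holds cardholder data, applicable regulations) and session-aware user attribution with roles pulled from an identity model. The sample log lines, the asset table, the identity table and the simplified firewall, VPN and Apache formats are all constructed for the demonstration; a real deployment would populate the asset and identity models from a CMDB and an IDM adapter.

```python
import re
from datetime import datetime
from typing import Optional

# Constructed sample input as (collector tag, raw line); not from any real system.
# The VPN lines open and close a session; the firewall and web lines carry only IPs.
SAMPLE_LOGS = [
    ("vpn01", "2010-05-18T09:00:05 vpn01 sslvpn: user=jsmith assigned 10.1.5.23 session start"),
    ("fw01", "2010-05-18T09:02:11 fw01 kernel: ACCEPT SRC=10.1.5.23 DST=10.2.0.40 DPT=1433 PROTO=TCP"),
    ("web-01", '10.1.5.23 - - [18/May/2010:09:03:40 +0000] "GET /admin/export HTTP/1.1" 200 5120'),
    ("vpn01", "2010-05-18T09:10:00 vpn01 sslvpn: user=jsmith released 10.1.5.23 session end"),
    ("fw01", "2010-05-18T09:11:30 fw01 kernel: DROP SRC=10.1.5.23 DST=10.2.0.40 DPT=1433 PROTO=TCP"),
]

# Assumed asset model: the context a SIEM would reference dynamically for each IP.
ASSETS = {
    "10.2.0.40": {"hostname": "db-card-01", "role": "database", "stores_chd": True,
                  "location": "DC-East", "regulations": ["PCI DSS"]},
    "10.2.0.41": {"hostname": "web-01", "role": "web server", "stores_chd": False,
                  "location": "DC-East", "regulations": ["PCI DSS"]},
}
REPORTER_IPS = {"web-01": "10.2.0.41"}  # CLF lines carry no host, so the collector tag resolves it

# Assumed identity model: roles and privileges an IDM adapter would pull.
IDENTITIES = {"jsmith": {"roles": ["dba"], "privileges": ["db:read", "db:write"]}}

SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<rest>.*)$")
FW_RE = re.compile(r"(?P<action>ACCEPT|DROP) SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPT=(?P<dpt>\d+)")
VPN_RE = re.compile(r"user=(?P<user>\S+) \S+ (?P<ip>\S+) session (?P<state>start|end)")
CLF_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def normalize(reporter: str, line: str) -> Optional[dict]:
    """Convert one native-format line into the unified event schema (None if unrecognized)."""
    m = CLF_RE.match(line)
    if m:  # Apache common log format: no hostname, no user, only the client IP
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        return {"ts": ts, "source": "web", "reporter": reporter, "src_ip": m["src"],
                "dst_ip": REPORTER_IPS.get(reporter), "action": f'{m["method"]} {m["path"]}',
                "outcome": m["status"], "user": None}
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m["ts"])
    except ValueError:
        return None  # not a timestamped syslog line
    rest = m["rest"]
    f = FW_RE.search(rest)
    if f:  # firewall: IPs and ports only, no user
        return {"ts": ts, "source": "firewall", "reporter": reporter, "src_ip": f["src"],
                "dst_ip": f["dst"], "action": f["action"], "outcome": f"dpt={f['dpt']}", "user": None}
    v = VPN_RE.search(rest)
    if v:  # VPN: the one source that ties a user to an address, for a bounded time
        return {"ts": ts, "source": "vpn", "reporter": reporter, "src_ip": v["ip"], "dst_ip": None,
                "action": f"session_{v['state']}", "outcome": None, "user": v["user"]}
    return None


def build_sessions(events: list) -> list:
    """Turn VPN session start/end events into (ip, user, start, end) intervals."""
    sessions, open_by_ip = [], {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["source"] != "vpn":
            continue
        if e["action"] == "session_start":
            open_by_ip[e["src_ip"]] = {"ip": e["src_ip"], "user": e["user"], "start": e["ts"], "end": None}
            sessions.append(open_by_ip[e["src_ip"]])
        elif e["src_ip"] in open_by_ip:
            open_by_ip.pop(e["src_ip"])["end"] = e["ts"]
    return sessions


def attribute_user(sessions: list, ip: str, ts: datetime) -> Optional[str]:
    """Session-aware lookup: which user held this IP at this instant? None if nobody did."""
    for s in sessions:
        if s["ip"] == ip and s["start"] <= ts and (s["end"] is None or ts < s["end"]):
            return s["user"]
    return None


def enrich(event: dict, sessions: list) -> dict:
    """Attach asset context for the destination and identity context for the actor."""
    asset = ASSETS.get(event["dst_ip"] or "", {})
    user = event["user"] or attribute_user(sessions, event["src_ip"], event["ts"])
    ident = IDENTITIES.get(user, {}) if user else {}
    return {**event,
            "dst_host": asset.get("hostname"), "dst_role": asset.get("role"),
            "dst_stores_chd": asset.get("stores_chd", False),
            "dst_regulations": asset.get("regulations", []),
            "user": user, "user_roles": ident.get("roles", []),
            "user_privileges": ident.get("privileges", [])}


def process(logs=SAMPLE_LOGS) -> list:
    """Normalize every line, derive sessions from the VPN events, then enrich each event."""
    events = [e for e in (normalize(r, l) for r, l in logs) if e]
    sessions = build_sessions(events)
    return [enrich(e, sessions) for e in events]


if __name__ == "__main__":
    for e in process():
        print(e["ts"], e["source"], e["action"], "->", e["dst_host"],
              "chd" if e["dst_stores_chd"] else "", "by", e["user"], e["user_roles"])
```

The firewall ACCEPT to the database at 09:02 is attributed to jsmith because it falls inside the VPN session; the identical DROP at 09:11 stays unattributed because the session had already ended, which is the distinction a non-session-aware IP-to-user mapping would get wrong.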