Self-righteous security gurus say that on top of everything
else we sysadmins do, we're supposed to watch our logs for weirdness...
...but what constitutes "weirdness"? Freakin' everything
in Unix is weird!
Automated log-watchers can take some of the drudgery out of log-monitoring...
...but how do I know what to tell such apps to watch for,
if I don't know what to watch for myself?