Not much to say, just a quote will suffice (full here) : "A friend called me today to ask for some help. Turns out a contractor he let go came back in through a backup service account and wreaked havoc on the network. And to add to the headache, the contractor deleted the event logs. There is a SIEM (security incident and event management) solution installed, but my friend is not sure if he had enough logs getting pushed to it to give him enough evidence. And even if he does have the right logs pushed, he may not be able to use the logs he has since the SIEM product he has in place is very poor in the forensics category (it trashes...errr, normalizes logs to a high degree - no raw logs available). "
Another incident, another "OMG, where ARE my logs!!?" story, but with a new twist "screwed by SIEM" :-)