Now, I swear I was thinking of writing exactly a paper like this for a long time, but never found the time to do it. I am soooo happy somebody else did it!
So, enjoy "Detecting Attacks on Web Applications from Log Files" in the SANS Reading Room: logs vs OWASP Top 10 web attacks - the battle of the century - who will win (bet on logs! :-))?
One thing I miss in the paper is that all suggested approaches are rule-based, not anomaly- or profiling-based. Regexes suck! :-)