Nearly every security and compliance standard requires network logging as part of the security program. A common practice is to log everything from network and security devices. However, logging everything can lead to an overwhelming amount of data that is difficult to process, analyze, and store. Many organizations use a combination of tools and policy to consolidate logs into security events, which can be both a blessing and a bane. The large amount of log data from disparate sources often creates an inordinate number of off-target and false-positive alerts. Even with advanced correlation mechanisms to escalate suspicious activity, it is easy to overwhelm operators with too many alerts. Alert overload often results in on-target events being ignored, baselined, or even "squelched" to the point of ineffectiveness. Alert Hell is a real place, and this root-cause problem plagues security operations in organizations of all sizes.