ISSA has an interesting article (PDF, members only) in this month's issue. It is titled Computer Forensics Foils Financial Data Theft and it describes how the absence of a specific log file turned investigators onto the trail of a thief.

SIM products generally do a more-or-less acceptable job of collecting log data, extracting useful information from it, and doing some basic analysis. While it does not appear that a SIM was used in this particular example, the article shows how important it is to have a baseline of expected behaviour. The absence of logging that should be there is generally an indication that something is awry. I wonder how many of the commercial SIMs out there have provisions for this sort of detection.
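One way to implement the absence-of-logging check described above, as an added example that is not from the article or any SIM product: a small Python script that compares each expected log source's most recent event against a per-source baseline interval and reports sources that have gone quiet or never reported at all. The log lines, host names and intervals are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample log lines in a simple "ISO-time host message" format.
SAMPLE_LOGS = """\
2024-03-01T09:00:05 fw01 session opened
2024-03-01T09:00:12 db01 login ok user=app
2024-03-01T09:05:00 fw01 session closed
2024-03-01T09:10:31 web01 GET /index.html 200
2024-03-01T09:20:00 fw01 session opened
2024-03-01T09:25:44 web01 GET /login 200
"""

# Hypothetical baseline: how long each source may be silent before we care.
# pay01 never appears in the sample, so it should be flagged as silent.
BASELINE = {
    "fw01": timedelta(minutes=10),
    "db01": timedelta(minutes=10),
    "web01": timedelta(minutes=15),
    "pay01": timedelta(minutes=5),
}

def parse_events(text):
    """Return (timestamp, source) pairs, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, _msg = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts), host))
    return events

def find_silent_sources(events, baseline, now):
    """Return {source: last_seen_or_None} for every baseline source whose
    newest event is older than its allowed gap or that never logged at all."""
    last_seen = {}
    for ts, host in events:
        if host in baseline and (host not in last_seen or ts > last_seen[host]):
            last_seen[host] = ts
    return {host: last_seen.get(host)
            for host, max_gap in baseline.items()
            if last_seen.get(host) is None or now - last_seen[host] > max_gap}

def demo_findings():
    """Run the check over the sample at a fixed 'now' of 09:30."""
    now = datetime(2024, 3, 1, 9, 30)
    return find_silent_sources(parse_events(SAMPLE_LOGS), BASELINE, now)

if __name__ == "__main__":
    for host, seen in demo_findings().items():
        print(f"{host}: last seen {seen.isoformat() if seen else 'never'}")
```

Here db01 is flagged because its last event is almost 30 minutes old, and pay01 because it never logged; fw01 sits exactly at its 10-minute limit and is not yet reported.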