The ESM (or any SIEM) operates by "aggregating" common events. Recurring events between the same source/destination are grouped together. Logs are split into well-known fields and inserted into the database accordingly. Here is something I wrote up if you're interested in additional detail: SIEM Event Aggregation.
It's also commonplace to have the raw logs sent to a log manager (ELM if it's McAfee) for full-text search and to meet the requirement to "retain original, unmodified, non-repudiated logs for x amount of time" common in government, financial, and organizations that handle PII.
The SIEM provides automated analysis of logs with the capability to easily drill down to disparate details with minimal effort. This is great for security folks trying to find the needle in the haystack but sometimes a network engineer troubleshooting is going to be looking for info not in the logs (show int) or need instant feedback so it's more appropriate for them just to log in to complete the task.
The SIEM is great for highlighting misconfigurations and errors that are logged so it is recommended to set up alarms for the network folks to kick off their workflow when something is detected also.
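To make the aggregation idea above concrete, here is a small added example (not code from the post above, and not McAfee ESM/ELM code): constructed firewall-style log lines are parsed into fields, recurring events sharing the same source/destination/action are collapsed into one record with a count and first/last-seen timestamps, the untouched raw lines are kept aside the way a log manager would retain them, and a simple alarm rule flags aggregates worth handing to the network team. The line format, field names and the alarm threshold are assumptions for the example.

```python
"""
Added example of SIEM-style event aggregation (not the post's or any vendor's code).
Assumes a made-up log format: "<ts> <host> <ALLOW|DENY> src=<ip> dst=<ip> dport=<n>".
"""
import re
from dataclasses import dataclass, field
from typing import Optional

from datetime import datetime

# Constructed sample log lines (not real data).
RAW_LOGS = [
    "2024-03-01T10:00:01Z fw01 DENY src=10.1.1.5 dst=203.0.113.9 dport=445",
    "2024-03-01T10:00:02Z fw01 DENY src=10.1.1.5 dst=203.0.113.9 dport=445",
    "2024-03-01T10:00:05Z fw01 DENY src=10.1.1.5 dst=203.0.113.9 dport=445",
    "2024-03-01T10:00:07Z fw01 ALLOW src=10.1.1.7 dst=198.51.100.2 dport=443",
    "2024-03-01T10:00:09Z fw01 DENY src=10.1.1.5 dst=203.0.113.9 dport=139",
    "this line is not in a known format",
]

# Assumed parser for the made-up format above; a real SIEM ships many such parsers.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


@dataclass
class AggregatedEvent:
    """One row as the SIEM database would hold it after aggregation."""
    src: str
    dst: str
    action: str
    count: int = 0
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None
    dports: set = field(default_factory=set)


def parse_line(line):
    """Split a raw line into well-known fields; None if the format is unknown."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    fields["dport"] = int(fields["dport"])
    return fields


def aggregate(lines):
    """Group recurring events by (src, dst, action).

    Returns (aggregated records, lines that no parser matched, untouched raw copy).
    The raw copy stands in for the log manager that retains original logs.
    """
    raw_archive = list(lines)
    unparsed = []
    agg = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed.append(line)  # still retained in raw_archive, just not parsed
            continue
        key = (ev["src"], ev["dst"], ev["action"])
        rec = agg.get(key)
        if rec is None:
            rec = AggregatedEvent(ev["src"], ev["dst"], ev["action"])
            agg[key] = rec
        rec.count += 1
        rec.dports.add(ev["dport"])
        if rec.first_seen is None or ev["ts"] < rec.first_seen:
            rec.first_seen = ev["ts"]
        if rec.last_seen is None or ev["ts"] > rec.last_seen:
            rec.last_seen = ev["ts"]
    return agg, unparsed, raw_archive


def alarms(agg, min_count=3):
    """Assumed alarm rule: repeated denies between one pair are worth a look
    (often a misconfiguration, sometimes something worse)."""
    return sorted(k for k, r in agg.items() if r.action == "DENY" and r.count >= min_count)


if __name__ == "__main__":
    agg, unparsed, raw = aggregate(RAW_LOGS)
    for key, rec in agg.items():
        print(key, rec.count, sorted(rec.dports), rec.first_seen, rec.last_seen)
    print("unparsed:", unparsed)
    print("alarms:", alarms(agg))
```

Running it collapses the four DENY lines between 10.1.1.5 and 203.0.113.9 into one record (count 4, ports 139 and 445, first seen 10:00:01, last seen 10:00:09), keeps the ALLOW event as a separate record, leaves the unknown-format line unparsed but still present in the raw archive, and raises one alarm for the repeated denies; drilling down from that one row to the six raw lines is the "needle in the haystack" workflow the post describes.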