I have Graylog in my infrastructure and quite like it. We have just routers, switches, firewalls, servers and clients.
What I am actually doing is just collecting the logs. I have also set up some streams and alerts and have cool dashboards, but this is not enough for me! I also receive alerts, but I would like to do more, for example log analysis, rootkit/malware detection or detection of any malicious activity.
Please share your experiences with me.