Lately I've had cause to look into methods for doing a deeper analysis of NetFlow and Syslog data. While reports and graphs are good, sometimes you need to do a more exhaustive search than what is available via traditional methods. For instance, what if you suspected you were being attacked from within via some obscure protocol? Now assume that you need to search multiple databases, across several months. Being able to conduct a search for both syslog messages and NetFlow data associated with that port and/or any suspected hosts would be really helpful.
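To make the scenario concrete, here is an added example (not code from the original post, and not SolarWinds/Orion code) of the kind of cross-source search described above: it loads two constructed NetFlow exports standing in for two monthly databases, parses constructed BSD-style syslog lines, pulls back every flow or message that references a suspected port and/or suspected hosts, optionally trims the time range, and then pairs flows with syslog events that share an IP within a few seconds. The CSV field names, the log formats and the sample data are all assumptions made up for this example.

```python
"""Search constructed NetFlow records and syslog lines for a suspected port
and/or hosts, then pair the two sources on shared IP within a time window.
Illustrative only: field names, formats and data are assumptions, not Orion's."""
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed NetFlow exports, one per month, standing in for two databases.
NETFLOW_MARCH = """\
ts,src,sport,dst,dport,proto,bytes
2024-03-02T01:15:00,10.1.1.7,51234,10.1.2.50,6667,tcp,9120
2024-03-02T01:16:10,10.1.1.7,51235,10.1.2.50,6667,tcp,18304
2024-03-02T09:00:00,10.1.1.8,40000,10.1.2.60,443,tcp,5120
"""
NETFLOW_MAY = """\
ts,src,sport,dst,dport,proto,bytes
2024-05-14T22:40:31,10.1.3.9,60001,10.1.2.50,6667,tcp,2040
"""

# Constructed BSD-style syslog lines (no year in the header, as in RFC 3164).
SYSLOG_LINES = [
    "Mar  2 01:14:58 fw01 kernel: ACCEPT IN=eth1 SRC=10.1.1.7 DST=10.1.2.50 PROTO=TCP SPT=51234 DPT=6667",
    "Mar  2 09:00:01 fw01 kernel: ACCEPT IN=eth1 SRC=10.1.1.8 DST=10.1.2.60 PROTO=TCP SPT=40000 DPT=443",
    "May 14 22:40:30 srv50 ircd[311]: new connection from 10.1.3.9 port 60001",
]

SYSLOG_HDR = re.compile(r"^([A-Z][a-z]{2})\s+(\d{1,2}) (\d{2}:\d{2}:\d{2}) (\S+) (.*)$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PORT_RE = re.compile(r"(?:DPT=|SPT=|port )(\d{1,5})\b")


def load_netflow(csv_text):
    """Parse one NetFlow CSV export into dicts with typed fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "ts": datetime.fromisoformat(r["ts"]),
            "src": r["src"], "dst": r["dst"],
            "sport": int(r["sport"]), "dport": int(r["dport"]),
            "proto": r["proto"], "bytes": int(r["bytes"]),
        })
    return rows


def parse_syslog(line, year):
    """Parse a BSD syslog line; collect any IPs and ports named in the message."""
    m = SYSLOG_HDR.match(line)
    if not m:
        return None
    mon, day, hms, host, msg = m.groups()
    return {
        "ts": datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S"),
        "host": host, "msg": msg,
        "ips": set(IP_RE.findall(msg)),
        "ports": {int(p) for p in PORT_RE.findall(msg)},
    }


def search(flows, events, port=None, hosts=(), since=None):
    """Return flows and syslog events that reference the port OR any suspected host.

    'and/or' semantics: a record matches if it mentions the port, or if it
    mentions one of the hosts; `since` drops anything older than that datetime.
    """
    hosts = set(hosts)

    def hit(ports, ips, ts):
        if since is not None and ts < since:
            return False
        return (port is not None and port in ports) or bool(hosts & ips)

    fhits = [f for f in flows if hit({f["sport"], f["dport"]}, {f["src"], f["dst"]}, f["ts"])]
    ehits = [e for e in events if hit(e["ports"], e["ips"], e["ts"])]
    return {"flows": fhits, "syslog": ehits}


def correlate(flows, events, window=timedelta(seconds=5)):
    """Pair each flow with syslog events that share an IP and fall within `window`."""
    pairs = []
    for f in flows:
        for e in events:
            if abs(f["ts"] - e["ts"]) <= window and e["ips"] & {f["src"], f["dst"]}:
                pairs.append((f, e))
    return pairs


def hunt(port=None, hosts=(), since=None, year=2024):
    """Run the search across both constructed exports plus the syslog sample.

    `since` may be an ISO-8601 string such as "2024-05-01" or a datetime.
    """
    if isinstance(since, str):
        since = datetime.fromisoformat(since)
    flows = load_netflow(NETFLOW_MARCH) + load_netflow(NETFLOW_MAY)
    events = [e for e in (parse_syslog(l, year) for l in SYSLOG_LINES) if e]
    found = search(flows, events, port=port, hosts=hosts, since=since)
    found["pairs"] = correlate(found["flows"], found["syslog"])
    return found


if __name__ == "__main__":
    res = hunt(port=6667, hosts={"10.1.3.9"})
    print(len(res["flows"]), "flows,", len(res["syslog"]), "syslog,", len(res["pairs"]), "pairs")
```

The matching is deliberately "and/or": a record is returned if it references the suspected port or any suspected host, which is the wider net you want when you are not yet sure which side of a conversation is the bad one. The pairing step is what a report typically does not give you: a firewall ACCEPT a couple of seconds before a flow to the same peer is the kind of link you would otherwise have to find by hand. Note that BSD syslog headers carry no year, so the example takes it as a parameter; across a year boundary you would need to infer it per source.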
There are a couple of products out there that sort of provide "Google-like" searches and indexing of this type of data. Lately I've been thinking about this as an add-on or feature of Orion.
If you've got an opinion on this, I'd love to hear it...