I really like to work with logs when the subject is security monitoring. In fact, all my Master Thesis is based on log analysis. However, Richard Bejtlich is right about some weaknesses on doing it only based on logs. He is quite right on saying that the absence of logs does not confirm integrity. He proposes the use of network sensors and other tools and procedures (in what he normally calls Network Security Monitoring, NSM) to complement the security monitoring process. It's a very good concept.