<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Application Security Log Output Standards &#8211; Gartner&#8217;s View</title>
	<atom:link href="http://raffy.ch/blog/2007/09/04/application-security-log-output-standards-gartners-view/feed/" rel="self" type="application/rss+xml" />
	<link>http://raffy.ch/blog/2007/09/04/application-security-log-output-standards-gartners-view/</link>
	<description>Log visualization and log management as seen by Raffael Marty</description>
	<lastBuildDate>Thu, 26 Jan 2012 07:17:42 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
	<item>
		<title>By: Amrit</title>
		<link>http://raffy.ch/blog/2007/09/04/application-security-log-output-standards-gartners-view/comment-page-1/#comment-8455</link>
		<dc:creator>Amrit</dc:creator>
		<pubDate>Fri, 28 Sep 2007 05:16:47 +0000</pubDate>
		<guid isPermaLink="false">http://raffy.ch/blog/2007/09/04/application-security-log-output-standards-gartners-view/#comment-8455</guid>
		<description>Raffy,

Thanks for taking the time to review the document. Originally I wrote this to address a large series of calls from clients that were dealing with, in many cases, hundreds, yes hundreds, of internal applications. 99.99% of the time the log output for these internal applications was limited to debug information for the developers, if anything at all. The majority of these customers were also undertaking a SIEM or log management initiative and struggling to configure the SIEMs/log managers to collect data from these customer-defined data sources. At the same time I was doing some research on web services security and was running into a similar issue - hundreds of internally developed applications (primarily web-based in this area) with organizations looking to improve the security, most of which had a centralized method for log management. At the time there was nothing readily available that wasn&#039;t tainted by a vendor perspective that I could provide these folks as a foundation to implement a standard log output for internally developed applications. I wasn&#039;t looking to boil the ocean, just get an organization to implement a policy that all internally developed applications would generate security-oriented log output that could be easily consumed by an internally developed, or commercial log management system or SIEM. I also worked closely with the IAM/user provisioning analysts who were taking similar calls from their constituents.

Anyway I think your feedback is valid, although perhaps a bit nitpicky ;-)</description>
		<content:encoded><![CDATA[<p>Raffy,</p>
<p>Thanks for taking the time to review the document. Originally I wrote this to address a large series of calls from clients that were dealing with, in many cases, hundreds, yes hundreds, of internal applications. 99.99% of the time the log output for these internal applications was limited to debug information for the developers, if anything at all. The majority of these customers were also undertaking a SIEM or log management initiative and struggling to configure the SIEMs/log managers to collect data from these customer-defined data sources. At the same time I was doing some research on web services security and was running into a similar issue &#8211; hundreds of internally developed applications (primarily web-based in this area) with organizations looking to improve the security, most of which had a centralized method for log management. At the time there was nothing readily available that wasn&#8217;t tainted by a vendor perspective that I could provide these folks as a foundation to implement a standard log output for internally developed applications. I wasn&#8217;t looking to boil the ocean, just get an organization to implement a policy that all internally developed applications would generate security-oriented log output that could be easily consumed by an internally developed, or commercial log management system or SIEM. I also worked closely with the IAM/user provisioning analysts who were taking similar calls from their constituents.</p>
<p>Anyway I think your feedback is valid, although perhaps a bit nitpicky <img src='http://raffy.ch/blog/wp-includes/images/smilies/icon_wink.gif' alt=';-)' class='wp-smiley' /> </p>
]]></content:encoded>
	</item>
</channel>
</rss>

