SIEM system, what are the benefits?

Solely from the information in your question, narrowing down that list of 86 is not going to be easy - I had a quick flick through as I know a fair few of the top names. Some points:

  • SIEM solutions should all be able to run log correlation type activities
  • Most include device insertion logging and Tripwire-type checks (or can incorporate Tripwire or any other SYSLOG logs)
  • Most of them have reasonable user interfaces
  • Most have scriptable command line interfaces

What you should do is list out the things you do want/need it to have and select on those items. If you can get it down to under ten you have a much better chance of being able to run comparison tests.


I personally use Splunk for this very thing. It has a robust search/correlation/dashboard functionality. Plus, it can run Python scripts natively so that you can generate your own data from custom sources.

For example, comparing a list of who is supposed to be working with the list of logged in users would be a trivial search.

Splunk is simply very powerful and helpful for me. It reduced 45 minutes of manual checks of various logs, reports, emails, etc down to an automatically generated email in pdf form.
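The roster-versus-logins comparison the answer above calls trivial, written out as an added example in plain Python rather than as a Splunk search. This is not code from the post or from Splunk; the sshd log lines, the hostname `bastion`, the IP addresses and the `ROSTER` shift table are all constructed for the example. The same logic could be dropped into a Splunk scripted input that emits only the findings.

```python
"""Added example (not from the original post): flag successful logins that
a work roster does not account for. Log lines and roster are constructed."""
import re
from datetime import datetime, time

# Constructed sample: syslog-style OpenSSH lines, the sort of thing a
# scripted input or a syslog forwarder would hand to the SIEM.
AUTH_LOG = """\
Mar 14 08:02:11 bastion sshd[2113]: Accepted publickey for alice from 10.0.0.5 port 50112 ssh2
Mar 14 08:15:43 bastion sshd[2140]: Accepted password for bob from 10.0.0.9 port 50201 ssh2
Mar 14 23:47:02 bastion sshd[3301]: Accepted publickey for carol from 203.0.113.7 port 41122 ssh2
Mar 14 02:13:55 bastion sshd[1877]: Accepted publickey for mallory from 198.51.100.4 port 39000 ssh2
Mar 14 23:10:05 bastion sshd[3320]: Accepted publickey for dave from 10.0.0.12 port 50330 ssh2
Mar 14 09:00:00 bastion sshd[2201]: Failed password for root from 198.51.100.4 port 39010 ssh2
"""

# Constructed roster: user -> (shift start, shift end), local time.
# dave works a night shift that crosses midnight; anyone absent from the
# roster is not expected to log in at all.
ROSTER = {
    "alice": (time(7, 0), time(16, 0)),
    "bob": (time(8, 0), time(17, 0)),
    "carol": (time(9, 0), time(18, 0)),
    "dave": (time(22, 0), time(6, 0)),
}

# Matches only successful sshd logins; 'Failed' lines fall through.
LOGIN_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)"
)


def parse_logins(log_text):
    """Yield (user, login_time, source_ip) for each successful sshd login."""
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            login_time = datetime.strptime(m["hms"], "%H:%M:%S").time()
            yield m["user"], login_time, m["src"]


def on_shift(user, t, roster=ROSTER):
    """True if the user is rostered and t falls inside their shift.

    A shift whose end is earlier than its start wraps past midnight.
    """
    if user not in roster:
        return False
    start, end = roster[user]
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def unexpected_logins(log_text, roster=ROSTER):
    """Return (user, time, source_ip, reason) for logins the roster does not explain."""
    findings = []
    for user, t, src in parse_logins(log_text):
        if user not in roster:
            findings.append((user, t.isoformat(), src, "not on roster"))
        elif not on_shift(user, t, roster):
            findings.append((user, t.isoformat(), src, "outside shift"))
    return findings


if __name__ == "__main__":
    for finding in unexpected_logins(AUTH_LOG):
        print("ALERT", *finding)
```

Run against the constructed log this reports carol (logged in at 23:47, rostered 09:00 to 18:00) and mallory (not on the roster at all); alice, bob and dave are within their shifts and the failed root attempt is ignored. In Splunk the equivalent is normally a lookup: the roster lives in a CSV defined in transforms.conf and is joined against the authentication events in the search, which is also where a saved search or scheduled alert would pick it up.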


Splunk has quite an exotic learning curve, with basic searches available in literally minutes, then it took me a day to understand how to build a complex search. Two more days to have a set of charts (timelines, breakdowns, gauges). I then realized that it makes more sense to create saved searches and work from there (you can edit them more easily).

I would also suggest looking at the config files (transforms.conf in particular).

Tags:

Siem