Channel: THWACK: Message List - Security Event Manager (SEM) - Formerly Log & Event Manager

Re: SIEM: More like Monitoring or Anti-Virus?


You know, we're really hoping to create the same kind of engagement, where folks on Thwack can learn from each other with a little bit more real-world examples (just talked to another frequent Thwack user who had the same wish for more participation here). I'm sure I can chime in with some ways to solve problems with LEM, and customers of LEM have been solving problems with LEM that others can benefit from - either via content, or theoretical discussion. If it was a problem du jour type thing, we could probably seed it with something new we discovered this week, like "hey, this week we heard the Target breach was because someone had infiltrated their POS network and was copying data off - how would you have detected this?" And maybe we'd get some rule examples or source data out of that, or just spirited discussion about why that really sucks and how hard it would be to detect.

 

Part of the uphill battle historically in the security world tends to be confidentiality, where people don't really want to talk about how they have solved problems, though they might be interested in talking about how they WOULD solve a problem.

 

Regarding moving from log management to SIEM, we see this hump in customer implementations too. A lot of people approach the problem very historically/forensically, but when you make that leap to proactive/real-time monitoring, you feel like it's hard to go back - at least for the 80% of problems you're solving on a daily basis. You don't have a Magic 8 Ball so you can't predict everything to get alerted on, which is where search/historical analysis are pretty useful. One of the reasons we chose to name the product Log & Event Manager was to try to soften the message of SIEM as an achievable goal for IT in general, not just a SIEM product, even if that's really what the feature set dictates.

 

More food for thought.

