D4 · Operations

What is log aggregation?

Log aggregation collects logs from multiple sources (servers, network devices, applications) into a central repository for correlation, analysis, and long-term retention.
Syslog (UDP/TCP 514, TLS 6514) is the standard log transport. Without aggregation, logs stay on individual systems, where they can be deleted by attackers and remain siloed and uncorrelated. Centralized logs are tamper-evident and searchable.