byrona Yes, a plan is absolutely necessary. An awesome plan requires close collaboration between the information security group and other IT groups in an organization, but a lot of the time there are only one-way impractical (I'm not saying unreasonable) requests from the information security group (see Charles Galler's post above, for example). Fortunately, most of the time these groups come up with a balanced point after going back and forth.
Here we assume the Log & Event Management system is able to receive all kinds of volumes of log data. Even the Etsy folks had to add a sample data option.