As we explained from the start, ULS events are already aggregated, but only for the Mac that generated them.
In any situation other than a single user working in isolation, log aggregation across hosts is a requirement if you want any benefit from your SIEM solution.
Because NXLog can enrich log events, for example by adding a Hostname field as shown in Event record enrichment, the aggregated events can provide insight into which users, teams, business units, and regions are experiencing which types of threats, how often, and through which processes.
Once these enriched events are ingested by your SIEM, it is possible to query for specific types of events to see which workstations might have been targeted by a known threat.
If your organization is relatively small and has no need to archive logs for compliance reasons, you may be best served by having each Mac send its logs directly to the SIEM.
If you need to maintain an archive of collected logs, or your organization is large enough to require load balancing or failover, clustered relay servers between the Macs and the SIEM are the usual recommendation.
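As an added illustration of both points above (enrichment with a Hostname field, and the relay-versus-direct topology), the following NXLog configuration is not taken from the original page: it assumes ULS events are read with im_exec from `log stream --style ndjson` (the page's own input module may differ), and the host names `relay.example.com` and `siem.example.com` and the ports 1514 and 6514 are placeholders.

```nxlog
# ===== Agent side: nxlog.conf on each Mac =====
# Assumption: ULS is read through im_exec running `log stream --style ndjson`;
# the input module used elsewhere in this guide may be different.
<Extension _json>
    Module  xm_json
</Extension>

<Input uls>
    Module  im_exec
    Command /usr/bin/log
    Arg     stream
    Arg     --style
    Arg     ndjson
    Exec    parse_json();                 # ULS JSON keys become NXLog fields
    Exec    $Hostname = hostname_fqdn();  # enrichment: which Mac produced this event
    Exec    $SourceName = "macos-uls";    # lets the SIEM distinguish ULS from other feeds
</Input>

<Output to_relay>
    Module  om_tcp
    Host    relay.example.com   # placeholder; for a small site with no archive
    Port    1514                # requirement, point this directly at the SIEM instead
    Exec    to_json();          # re-serialize the enriched record as one JSON line
</Output>

<Route agent>
    Path    uls => to_relay
</Route>

# ===== Relay side: nxlog.conf on each relay server =====
# Receives enriched events from the Macs, keeps an on-disk archive per host,
# and forwards a copy to the SIEM. Run several relays behind a load balancer
# for failover; each one is stateless apart from its archive files.
<Extension _json>
    Module  xm_json
</Extension>

<Input from_agents>
    Module  im_tcp
    Host    0.0.0.0
    Port    1514
    Exec    parse_json();       # restore fields so $Hostname is usable below
</Input>

<Output archive>
    Module  om_file
    File    "/var/log/nxlog/archive/" + $Hostname + ".json"   # one file per Mac
    CreateDir TRUE
    Exec    to_json();
</Output>

<Output siem>
    Module  om_tcp
    Host    siem.example.com    # placeholder SIEM collector
    Port    6514
    Exec    to_json();
</Output>

<Route relay>
    Path    from_agents => archive, siem
</Route>
```

The agent sets `$Hostname` before serializing, so the value survives the hop to the relay and into the SIEM as a queryable field; the relay re-parses the JSON only so it can name archive files by host. Switching from the relay topology to direct delivery is a matter of changing the `Host` and `Port` in the agent's `to_relay` output, nothing else in the agent configuration changes.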