Hypervisor (and upstream management like vCenter) log storage is required by our compliance auditors. Managed SIEM is ingesting our logs under 'Syslog-Generic' which accomplishes the "keep these for later cause you have to and just-in-case". I have to believe that, much like firewall log data, parsing out the data to fields usable in ES|QL will be a benefit for threat hunting / alerting and for retrospective investigations.