I'm developing some guidance for ISP surveillance for infrastructure attacks, and my increasing impression is that for other than the expert level, there may be some useful simplifications of the applicability of tools. Remember that I am speaking of surveillance here, not the detailed analysis in a sinkhole. Perhaps this could be the basis of some security architecture presentations/tutorials at NANOG.
Let me put up the following strawmen and invite people with flaming torches to go for them, with the caveat that these simplifications are for an introduction to the topic.
NetFlow is the key to analyzing traffic patterns outside the router,
looking for DDoS signatures when known, and for traffic anomalies that
may become DDoS.
SNMP is the key to analyzing the effect of exploits on network elements.
For example, NetFlow might tell you there is a flood directed at TCP
port 179, but your router may implement rate-limiting/policing such
that the control processor doesn't see this flood and processor
utilization stays within reasonable ranges.
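A small illustration of the NetFlow/SNMP split just described, added here as example code (not from the original post or any NANOG tool): the flow records and the SNMP CPU sample are constructed, the thresholds are arbitrary, and the port-179 flood is flagged from the flows while the CPU reading says whether the control processor actually felt it.

```python
"""Added example: correlate a NetFlow-style port flood with an SNMP CPU poll."""
from collections import defaultdict

# Constructed flow records: (src_ip, dst_ip, ip_proto, dst_port, packets).
FLOWS = [
    ("198.51.100.10", "192.0.2.1", 6, 179, 40000),
    ("198.51.100.11", "192.0.2.1", 6, 179, 38000),
    ("198.51.100.12", "192.0.2.1", 6, 179, 35000),
    ("203.0.113.5", "192.0.2.1", 6, 179, 120),     # an ordinary BGP peer
    ("203.0.113.9", "192.0.2.50", 6, 443, 9000),   # ordinary web traffic
]

# Constructed SNMP poll: router address -> CPU utilization in percent.
SNMP_CPU = {"192.0.2.1": 12}


def port_summary(flows):
    """Per (dst_ip, proto, dst_port): total packets and number of distinct sources."""
    pkts = defaultdict(int)
    srcs = defaultdict(set)
    for src, dst, proto, port, n in flows:
        pkts[(dst, proto, port)] += n
        srcs[(dst, proto, port)].add(src)
    return {k: (pkts[k], len(srcs[k])) for k in pkts}


def find_floods(flows, pkt_threshold=50000, src_threshold=3, watched_ports=(179,)):
    """Flag TCP traffic to a watched control-plane port that is both high-volume
    and spread over many sources; thresholds are illustrative, not tuned values."""
    found = []
    for (dst, proto, port), (n, nsrc) in port_summary(flows).items():
        if proto == 6 and port in watched_ports and n >= pkt_threshold and nsrc >= src_threshold:
            found.append({"dst": dst, "port": port, "packets": n, "sources": nsrc})
    return found


def assess(flows, snmp_cpu, cpu_limit=70):
    """Join each flagged flood with the target router's CPU reading: a flood that
    leaves CPU low suggests policing absorbed it; high CPU means it reached the
    control processor and needs attention from the router side, not just NetFlow."""
    results = []
    for flood in find_floods(flows):
        cpu = snmp_cpu.get(flood["dst"])
        flood["cpu_percent"] = cpu
        flood["control_plane_impact"] = cpu is not None and cpu >= cpu_limit
        results.append(flood)
    return results


if __name__ == "__main__":
    for r in assess(FLOWS, SNMP_CPU):
        print(r)
```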
Syslog and SNMP traps focus on physical events by people (e.g.,
reconfiguration), physical problems ranging from temperature alarms
to router and interface shutdown, and exploits against security
mechanisms. Some of this asynchronous information has to undergo
root cause analysis: the interface you see go down may be perfectly
fine; the problem is in the medium or distant interface.