Is my understanding correct ?

Seems mostly correct. Typically the logs would be shipped to a destination where you can do analysis over time (ELK/Splunk/Panther etc.)

Got it