In the (hopefully very unlikely) event of a breach, we need to be able to identify what happened, when it happened, what was done and by whom, in order to reconstruct the sequence of events. Logs are critical to that function. Requirement 10.1 mandates audit trails (another term for logs) that link all access to system components to an individual user (traceability), which means that all relevant events must be recorded automatically rather than relying on manual record-keeping. Logs must cover every individual user's access to cardholder data and any change that may affect the security of the environment, which obviously includes all administrative actions, and each entry must carry a sufficient level of detail (at minimum who, what, when, where from, and whether the action succeeded) for the event to be reconstructed later.
Audit trails (logs) must be secured so that they cannot be altered, or at least so that any alteration is detected. Part of this is separation of duties: monitoring, centralized logging and incident management functions are typically split completely from system administration, so that an administrator who can change a system cannot also silently change or delete the record of what they did. Logs must be reviewed (this is the monitoring function) to identify anomalies or suspicious activity, and the use of automated tools for this review is not only permitted but encouraged, since manual review of raw logs does not scale. Any anomaly or suspicious activity detected must be adequately investigated, which may escalate into the incident management process.
So that logs from different systems can be reliably correlated during monitoring, all systems need to synchronize their clocks from the same internal time sources, which in turn synchronize from industry-accepted external time sources (typically via NTP). The internal time servers should accept time only from those designated external sources, and the time settings themselves are security-relevant configuration whose changes must be logged: an event recorded with the wrong time can put a database read before the application request that caused it, which defeats the reconstruction the audit trail exists for.
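The three mechanics above (traceability of each entry to an individual, tamper evidence for the trail, and a merged cross-system timeline that only makes sense when clocks agree) are shown below in a small log-review script. This is an added example and not code from the page or from the PCI DSS standard; the log line format, the list of generic accounts, the rule that configuration writes count as administrative actions, and the sample log lines are all constructed assumptions for the illustration.

```python
import hashlib
from datetime import datetime

# Constructed sample audit-trail lines from two hosts (app01, db01).
# Assumed line format: "<ISO-8601 timestamp> <host> <user> <action> <object>".
# They are listed in write order, deliberately not in time order.
SAMPLE_LOGS = [
    "2024-03-05T10:00:04+00:00 db01 svc_batch read table:cardholder",
    "2024-03-05T10:00:01+00:00 app01 alice read pan:4111********1111",
    "2024-03-05T10:00:03+00:00 app01 bob write config:/etc/app/tls.conf",
    "2024-03-05T10:02:10+00:00 db01 alice read table:cardholder",
    "2024-03-05T10:05:00+00:00 app01 root write config:/etc/app/audit.conf",
]

# Assumed policy: shared or generic accounts, so an event recorded under one
# of them cannot be linked to a single individual (no traceability).
GENERIC_ACCOUNTS = {"root", "admin", "svc_batch"}

# Assumed policy: any write to configuration is an administrative action.
ADMIN_OBJECT_PREFIXES = ("config:",)


def parse_line(line):
    """Split one audit line into its fields; the timestamp keeps its offset."""
    ts, host, user, action, obj = line.split(" ", 4)
    return {
        "ts": datetime.fromisoformat(ts),
        "host": host,
        "user": user,
        "action": action,
        "object": obj,
        "raw": line,
    }


def timeline(lines):
    """Merge entries from every host into one time-ordered trail.

    The ordering is only meaningful when all hosts' clocks are synchronized
    from the same source; a skewed clock silently reorders this list.
    """
    return sorted((parse_line(line) for line in lines), key=lambda e: e["ts"])


def review(lines):
    """Monitoring pass: flag untraceable entries and administrative actions."""
    findings = []
    for entry in timeline(lines):
        if entry["user"] in GENERIC_ACCOUNTS:
            findings.append(("untraceable", entry["raw"]))
        if entry["object"].startswith(ADMIN_OBJECT_PREFIXES):
            findings.append(("admin-action", entry["raw"]))
    return findings


def hash_chain(lines):
    """Tamper evidence: each digest covers the previous digest and the line,
    so editing or dropping any entry changes every digest after it."""
    digests = []
    prev = b""
    for line in lines:
        digest = hashlib.sha256(prev + line.encode()).hexdigest()
        digests.append(digest)
        prev = digest.encode()
    return digests


def verify_chain(lines, anchor):
    """Recompute the chain and compare its head with an anchor digest that
    was stored on a system the administrators of these hosts cannot write to."""
    return bool(lines) and hash_chain(lines)[-1] == anchor


if __name__ == "__main__":
    for kind, raw in review(SAMPLE_LOGS):
        print(f"{kind:12} {raw}")
    anchor = hash_chain(SAMPLE_LOGS)[-1]
    print("chain intact:", verify_chain(SAMPLE_LOGS, anchor))
    tampered = SAMPLE_LOGS[:-1]  # an attacker deletes the last entry
    print("after deletion:", verify_chain(tampered, anchor))
```

The anchor digest is only useful if it is written to the centralized logging system as each entry is appended, so that someone with administrative access to the originating host cannot recompute the chain after editing the file; that is the separation of duties the text calls for, expressed in code.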