On a similar environment to the Toolserver that I've used in the past, I've had to log the start and end times of any non-trivial external vulnerability testing (i.e. running Netsparker against production servers). I'm guessing these were used to redact portions of the logs prior to security audits.

Anything we should be doing here to make life easy for the admins?

TB