There are many caveats with SIEMs. First define what the SIEM is actually for: log storage, look-back and basic reporting, or genuinely proactive security monitoring and asset/vulnerability management. The two goals lead to very different sizing, product and staffing decisions.
Be careful of the hype about SIEMs being able to correlate effectively, automatically or even manually, especially if Windows or other operating systems with high event volumes and non-specific events will make up the bulk of what is collected. If you are receiving 20,000 login failure events per minute, the SIEM on its own is unlikely to discern which ones are attacks and which come from a broken RDP session or a stale mapped-drive credential. Tuning the hosts and baselining the normal noise will determine whether correlation succeeds.
Try to anticipate events per second and storage requirements beforehand using plain syslog or other tools; assume scope creep and many more collection points than initially planned. Have the vendor demonstrate performance for ad hoc retrieval at your actual loads, ideally at a live customer site rather than in a demo. Usability and maintenance of Windows-based "appliance" platforms is another potential sore spot.
The ability of the product to integrate with asset management and compliance reporting, e.g. telling someone when a monitored device has stopped reporting, may be absent or only available in a limited way. Look for intuitive, GUI-accessible access to raw data, plus quick reports and data extracts that do not require extensive command-line and scripting kung fu.
Look for reporting limitations such as not being able to subtotal on report fields and use them for something like a top-20 report, or not being able to use the custom device attributes that drive inventory groupings. Be wary of static values in the product: if the membership of a report distribution group changes, it should not be necessary to hunt down every report related to it and manually change the email destinations in each one. Make sure GUI filters for device searches and the like can sort by IP address so that drop-down selection boxes do not present hundreds of devices in random order.
Separating platform/storage maintenance from application maintenance can be an issue, especially when RDP or CLI access is needed for things that are not available in the GUI. Look for good administrative delegation, acceptable report and query response times, logical device groupings and use of asset attributes, and the ability to manage scheduled and ad hoc reports along with their metadata: who receives which reports and when, how the device counts they report on have changed over time, tabular reporting to compare data across time periods, and easy drill-down from GUI charts.
Assume that agents will be needed on Windows to keep extremely repetitive and mostly useless messages from clogging storage and slowing retrieval. Depending on the scope of the implementation, a best-of-breed tool for platform-specific log collection and event triage may be appropriate: it stores the raw events itself and forwards only alerts to a top-level SIEM, rather than trying to do everything in one platform. Sending all raw events to the SIEM may be good for central archiving (and for event-count-based SIEM licensing) but is bad for performance and may limit what can be correlated. One fully qualified alert (who, what, when, where, why) from a system is far easier to correlate with another system's event than asking the SIEM to work out which device-specific events, under which conditions, constitute an alert worth correlating.
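The following is an added example, not code from the original note or from any SIEM product, of the host-side triage the two preceding points describe: the 20,000-failures-per-minute problem and the "send one qualified alert instead of raw events" design. It parses a constructed, flattened form of Windows Security event 4625 (failed logon), suppresses sources whose failure rate matches a learned baseline (the stale mapped-drive credential case), and emits a who/what/when/where/why record only for password sprays, brute force from an unbaselined source, or a baselined pair whose rate has jumped. The line format, the baseline values, the thresholds and all function names are assumptions for the example.

```python
"""Host-side triage of Windows 4625 failed-logon events into qualified alerts.

Added example, not from the original note. The log format, baseline numbers
and thresholds below are constructed for illustration and must be tuned per
environment; real 4625 events are XML and would be flattened by the agent.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions to tune per environment.
BASELINE_TOLERANCE = 2.0    # up to 2x the learned rate is still "normal" noise
SPRAY_DISTINCT_USERS = 5    # >= this many distinct accounts failing from one source
BRUTE_FAILURES = 20         # >= this many failures on one account from an unbaselined source

# Constructed baseline: (source_ip, account) -> learned failures per minute.
# In practice this is built from a learning period of historical events.
BASELINE = {
    ("10.1.1.20", "svc_backup"): 12.0,  # stale mapped-drive credential retrying constantly
    ("10.1.1.35", "jdoe"): 0.5,         # occasional hung RDP reconnect
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) 4625 user=(?P<user>\S+) src=(?P<src>\S+) type=(?P<type>\d+) sub=(?P<sub>\S+)$"
)


def parse_line(line):
    """Parse one flattened 4625 line into a dict; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.fromisoformat(d["ts"])
    d["type"] = int(d["type"])
    return d


def build_sample_log():
    """Construct a synthetic 5-minute window of 4625 lines (not real logs)."""
    t0 = datetime(2024, 3, 4, 10, 0, 0)
    fmt = "{ts} 4625 user={u} src={s} type={t} sub={sub}"
    out = []
    for i in range(60):   # 12/min from svc_backup, matches baseline -> noise
        out.append(fmt.format(ts=(t0 + timedelta(seconds=5 * i)).isoformat(),
                              u="svc_backup", s="10.1.1.20", t=3, sub="0xC000006A"))
    for i in range(10):   # 2/min from jdoe against a 0.5/min baseline -> escalate
        out.append(fmt.format(ts=(t0 + timedelta(seconds=30 * i)).isoformat(),
                              u="jdoe", s="10.1.1.35", t=10, sub="0xC000006A"))
    for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
        out.append(fmt.format(ts=(t0 + timedelta(seconds=i)).isoformat(),   # spray
                              u=u, s="203.0.113.9", t=3, sub="0xC000006A"))
    for i in range(25):   # brute force on one account from an unbaselined source
        out.append(fmt.format(ts=(t0 + timedelta(seconds=2 * i)).isoformat(),
                              u="administrator", s="198.51.100.7", t=3, sub="0xC000006A"))
    return out


def qualified_alert(what, who, evts, why):
    """Build the who/what/when/where/why record the upstream SIEM will receive."""
    return {
        "who": who,
        "what": what,
        "when": (min(e["ts"] for e in evts), max(e["ts"] for e in evts)),
        "where": {"src": evts[0]["src"], "logon_types": sorted({e["type"] for e in evts})},
        "why": why,
    }


def triage(lines, window_minutes=5):
    """Return (alerts, suppressed) for one window of flattened 4625 lines."""
    by_src = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e:
            by_src[e["src"]].append(e)

    alerts, suppressed = [], []
    for src, evts in by_src.items():
        by_user = defaultdict(list)
        for e in evts:
            by_user[e["user"]].append(e)
        if len(by_user) >= SPRAY_DISTINCT_USERS:   # many accounts, one source
            alerts.append(qualified_alert("password_spray", sorted(by_user), evts,
                                          f"{len(by_user)} distinct accounts failed from one source"))
            continue
        for user, ue in by_user.items():
            rate = len(ue) / window_minutes
            learned = BASELINE.get((src, user))
            if learned is not None and rate <= learned * BASELINE_TOLERANCE:
                suppressed.append((src, user, len(ue), f"within baseline {learned}/min"))
            elif learned is not None:
                alerts.append(qualified_alert("above_baseline", user, ue,
                                              f"{rate:.1f}/min vs learned {learned}/min"))
            elif len(ue) >= BRUTE_FAILURES:
                alerts.append(qualified_alert("brute_force", user, ue,
                                              f"{len(ue)} failures, source not in baseline"))
            else:
                suppressed.append((src, user, len(ue), "below threshold, no baseline"))
    return alerts, suppressed


if __name__ == "__main__":
    found, noise = triage(build_sample_log())
    for a in found:
        print(a["what"], a["who"], a["where"]["src"], a["why"])
    print(f"{len(noise)} (source, account) pairs suppressed as noise")
```

With the constructed window, the 60 svc_backup failures are dropped as known noise while three alerts go upstream, so the SIEM correlates three records rather than 101 raw events. The baseline cuts both ways: it suppresses the stale credential but escalates jdoe when the rate jumps, which is the behaviour an unbaselined SIEM rule cannot reproduce.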