I have been tasked with hardening our company's Linux servers. One of the problems that was outlined was the fact that logs are stored on the server, which poses two problems:
- Difficult to aggregate and diagnose problems
- Not very secure: if a server is compromised, the logs could be removed or manipulated.
To address both problems the plan is to forward all logs generated by the production environment to a secure centralised logging server.
I am going to use OSSEC HIPS for intrusion detection. From what I have gathered OSSEC coagulates logs from its nodes thereby providing both centralisation of the logs and IDS monitoring; effectively hitting two birds with one stone.
What I would like to know is whether I should use additional tools to forward and store logs like rsyslog or whether that is overkill and OSSEC will be sufficient to retain all logs for X amount of time on the central log server.
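For reference, here is an added example (not part of the question above, and not OSSEC's or rsyslog's own shipped configuration) of what the "forward everything to a central log server" step looks like in rsyslog, so the two approaches can be compared concretely. It forwards over TCP with mutually authenticated TLS so a host cannot spoof another host's log stream, and uses a disk-assisted queue so messages are buffered rather than dropped if the log host is unreachable; the host name `loghost.example.com`, the `example.com` peer pattern, port 6514, the certificate paths and the `/var/log/remote` directory are all assumptions to adjust.

```rsyslog
# --- /etc/rsyslog.d/10-forward.conf on each production server (client) ---
# Assumed CA and client certificate paths; every sender gets its own key pair.
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/client-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/client-key.pem"
)

# Forward every message as soon as it is logged, so the only copy is not left on
# a host that may later be compromised. The server certificate name is pinned,
# and the queue spills to disk (up to 1 GiB) if the log host is unreachable.
action(
  type="omfwd"
  target="loghost.example.com" port="6514" protocol="tcp"   # assumed host/port
  StreamDriver="gtls" StreamDriverMode="1"
  StreamDriverAuthMode="x509/name"
  StreamDriverPermittedPeers="loghost.example.com"
  queue.type="LinkedList" queue.filename="fwdq"
  queue.maxDiskSpace="1g" queue.saveOnShutdown="on"
  action.resumeRetryCount="-1"
)

# --- /etc/rsyslog.d/10-receive.conf on the central log server ---
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/server-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/server-key.pem"
)

# Only clients presenting a certificate signed by our CA with a matching name
# may connect; this is what stops a rogue box from injecting or drowning logs.
module(load="imtcp"
       StreamDriver.Name="gtls"
       StreamDriver.Mode="1"
       StreamDriver.AuthMode="x509/name"
       PermittedPeer=["*.example.com"])   # assumed peer name pattern
input(type="imtcp" port="6514")

# One file per sending host per day. Retention ("keep X days") then becomes a
# logrotate policy over /var/log/remote rather than something the senders control.
template(name="PerHost" type="string"
         string="/var/log/remote/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%.log")
*.* action(type="omfile" dynaFile="PerHost")
```

The practical consequence for the question asked: OSSEC agents ship the events OSSEC is configured to read, and the manager stores alerts and (optionally) archived logs, whereas an rsyslog setup like the one above ships every message the syslog daemon receives. Running both is common rather than overkill when the requirement is "retain all logs for X time", because retention is then a property of the central server's disk and rotation policy, independent of what the IDS decides is interesting.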