Is centralized logging a good idea?

I would suggest you take a look at Splunk.

I currently have it in production, with 30+ network devices logging to it. It is really useful to have logs in one place that I can write my own queries for, run canned reports on, etc.


One BIG advantage of centralized logging is this:

  • If one of your machines is ever compromised, and the logs altered to hide that fact, you will still have an un-tampered copy on your central logging server.

Another is:

  • In my case I also have a dedicated monitor at my workstation running off of the central logging server that displays any logs of a priority "Warning" or higher in real time, so that I can deal with any problems immediately as they come up. (hopefully before the end-user notices :) ). This is difficult to do without a centralized server.
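As an added example (not code from either answer), here is the "Warning or higher" rule from the monitor above turned into a filter over syslog lines: it splits the PRI field into facility and severity and keeps only events at severity warning (4) or worse, with the threshold adjustable. The device names and messages in the sample lines are constructed, not real log data.

```python
import re
from collections import namedtuple

# Syslog severity codes (RFC 3164 / RFC 5424). A lower number is more severe,
# so "Warning or higher" means severity <= WARNING.
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
WARNING = 4

# Matches the <PRI> prefix and, loosely, the rest of a BSD-style syslog line.
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$")

Event = namedtuple("Event", "facility severity severity_name host message")

def parse_syslog_line(line):
    """Split PRI into facility and severity; return None for lines without a valid PRI."""
    m = PRI_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # highest legal PRI: facility 23 * 8 + severity 7
        return None
    facility, severity = divmod(pri, 8)
    # BSD format: "Mon dd hh:mm:ss host tag: message"; the hostname is the 4th field.
    parts = m.group("rest").split(None, 4)
    host = parts[3] if len(parts) >= 4 else "?"
    message = parts[4] if len(parts) >= 5 else ""
    return Event(facility, severity, SEVERITY_NAMES[severity], host, message)

def alerts(lines, threshold=WARNING):
    """Yield events at the threshold severity or worse, i.e. what the monitor would show."""
    for line in lines:
        ev = parse_syslog_line(line)
        if ev is not None and ev.severity <= threshold:
            yield ev

# Constructed sample lines from hypothetical devices (not real log data).
SAMPLE_LINES = [
    "<134>Jan  5 10:00:01 core-sw1 ifmgr: GigabitEthernet1/0/1 link up",         # local0.info
    "<132>Jan  5 10:00:07 core-sw1 ifmgr: GigabitEthernet1/0/2 link flapping",   # local0.warning
    "<131>Jan  5 10:00:09 fw1 kernel: state table 95% full",                     # local0.err
    "<38>Jan  5 10:00:12 web1 sshd[2211]: Accepted publickey for deploy",        # auth.info
    "<34>Jan  5 10:00:15 web1 sshd[2212]: fatal: Timeout before authentication", # auth.crit
    "malformed line without a PRI header",
]

if __name__ == "__main__":
    for ev in alerts(SAMPLE_LINES):
        print(f"{ev.severity_name:8} {ev.host:9} {ev.message}")
```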

Take a look at eventsentry as well. It is not very expensive for a few licenses, and you can set up good filters, alerting, etc.