Just to throw in my two cents here, I can’t say enough good things about using Splunk to collect and report on logs. At my employer (a certain Fortune 50), I use Splunk in our group to collect the following:
- All syslog entries
- All network activity
The latter is done with standardized iptables rules I deployed which log every connection (successful or not) to any port on any of our machines. I can then go into Splunk and get an idea of what each machine is doing (helpful for non-security things) and see who is trying to connect to what services on each machine.
Just on this front, Splunk is absolutely *fantastic* for getting a deeper understanding of what your platform is doing. Their free version allows up to 500 Megabytes of logs per day, which is more than enough to get started. Splunk can be obtained from http://www.splunk.com/