System logging should not remain a local activity. If you find your system has been compromised, often the first thing on the attacker’s mind is to stop it from logging what they have done, what they are doing, or what they are about to do. If you’re going to be security minded, you must send your logs to another system and monitor the activity there.
This is very easy to do with rsyslog. I’ve built this in an Ansible task within the Lynis Security Auditing. All you need to do is add a simple file in /etc/rsyslog.d and restart rsyslog. Sure, it won’t stop you getting hacked, but you’ll at least have a record of what happened up until the point the attacker disables logging.
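As an added example (not the post's own Ansible task), the script below writes the kind of drop-in file the post describes into rsyslog.d and then sanity-checks it. The collector name `loghost.example.com`, the file name `90-remote.conf` and the 512 MB spool limit are placeholders; the rule uses rsyslog's RainerScript `action()` syntax (rsyslog 7 and later) and plain TCP on port 514, with a disk-assisted queue so that messages are spooled locally rather than dropped when the collector is briefly unreachable.

```shell
#!/bin/sh
# Added example: write an rsyslog drop-in that forwards every message
# to a central collector. Hostname, file name and spool size are
# assumptions, not values from the original post.
set -eu

# Write the forwarding rule. $1 = collector host (placeholder),
# $2 = rsyslog drop-in directory (defaults to /etc/rsyslog.d).
# Prints the path of the file it wrote.
write_remote_log_conf() {
    host="$1"
    confdir="${2:-/etc/rsyslog.d}"
    mkdir -p "$confdir"
    cat > "$confdir/90-remote.conf" <<EOF
# Forward all facilities/priorities to the central log host.
# TCP plus a disk-assisted queue: if the collector is down or the
# link is cut, events are spooled on disk and retried indefinitely
# instead of being silently lost (as they would be over UDP).
*.* action(type="omfwd"
           target="$host"
           port="514"
           protocol="tcp"
           queue.type="LinkedList"
           queue.filename="fwd_remote"
           queue.saveOnShutdown="on"
           queue.maxDiskSpace="512m"
           action.resumeRetryCount="-1")
EOF
    printf '%s\n' "$confdir/90-remote.conf"
}

# Minimal checks on the written file: a target must be named, the
# transport must be TCP, and a queue file must be configured so
# nothing is dropped while the collector is unreachable.
# Returns 0 when all checks pass, 1 otherwise.
check_remote_log_conf() {
    f="$1"
    grep -q 'target="' "$f" || return 1
    grep -q 'protocol="tcp"' "$f" || return 1
    grep -q 'queue.filename=' "$f" || return 1
    return 0
}

# Usage on a real host (as root):
#   write_remote_log_conf loghost.example.com
#   rsyslogd -N1                              # parse-check the whole config
#   systemctl restart rsyslog
#   logger -t fwdcheck "remote logging test"  # should appear on the collector
```

The `rsyslogd -N1` step is worth keeping in the Ansible task as a handler precondition: a syntax error in the drop-in would otherwise leave rsyslog failing to start, which is exactly the silent logging gap the post warns about. For traffic that crosses an untrusted network, rsyslog's TLS stream driver settings should be added to the same `action()` so the forwarded logs cannot be read or altered in transit.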