This interesting PCI interview has a few bits on logging to pay attention to. The question was "What are the best practices for determining what should be logged, how, and for how long? Would it be appropriate to save logs in a centralized repository and then back it up on a media? Should it be encrypted?"
The interesting parts of the answer are (full answer here):
- "Aside from legal requirements, companies must consider how far back an investigation might run and whether the logs will continue to have value after a time." This means that "PCI = 1 year retention" might not even be the minimum needed log retention.
- "As for using a central repository, a common standard is to move log files offline as quickly as practical." They are somewhat confused here, since they use "offline" to mean "off the production system".
- "Encrypting logs might also help repel tampering, but a more important control is to hash your log files." Everybody who is somebody in the log management space does it, of course. If you get your log tool from some 'monkey vendor', it would be prudent to check this somehow...
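One way to do the hashing from the last point yourself, as an added example that is not from the interview or from any log management product: each archived log gets a SHA-256, and each manifest entry is chained to the one before it so a dropped or reordered entry also shows up. The chain layout, the file names and the log lines are assumptions constructed for the example.

```python
import hashlib, os, tempfile

GENESIS = "0" * 64  # assumed start value for the chain

def file_digest(path):
    """SHA-256 of a file, read in chunks so large logs are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def link(prev, name, fh):
    """Chain value binding this entry to every entry before it."""
    return hashlib.sha256(f"{prev}:{name}:{fh}".encode()).hexdigest()

def build_manifest(paths):
    """Return [(name, file_hash, chain_hash)] for archived logs, in order."""
    manifest, prev = [], GENESIS
    for path in paths:
        name, fh = os.path.basename(path), file_digest(path)
        prev = link(prev, name, fh)
        manifest.append((name, fh, prev))
    return manifest

def verify_manifest(manifest, log_dir):
    """Return a list of findings; an empty list means nothing changed."""
    findings, prev = [], GENESIS
    for name, fh, chain in manifest:
        path = os.path.join(log_dir, name)
        if not os.path.exists(path):
            findings.append(f"{name}: missing")
        elif file_digest(path) != fh:
            findings.append(f"{name}: content changed")
        if chain != link(prev, name, fh):
            findings.append(f"{name}: manifest entry altered, removed or reordered")
        prev = chain
    return findings

def demo():
    """Constructed sample: two rotated logs, then one is edited after the fact."""
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, n) for n in ("auth.log.1", "auth.log.2")]
        for p, body in zip(paths, ("login ok user=alice\n", "login failed user=bob\n")):
            with open(p, "w") as f:
                f.write(body)
        manifest = build_manifest(paths)
        clean = verify_manifest(manifest, d)
        with open(paths[1], "w") as f:
            f.write("login ok user=bob\n")
        return clean, verify_manifest(manifest, d)
```

The manifest is only useful if it is kept somewhere the system that produced the logs cannot rewrite it, since anyone who can edit both the log and the manifest can recompute the hashes.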