We ship the logs off the system to a centralized logging platform. You want to do this for many reasons, but to start: Manually inspecting the logs on each host is a headache and if the box is compromised, the attacker can just delete the logs and you’ve lost all your data to use in forensics.