I would use rsyslog and journald. Forward them to an ELK stack and use it as a SIEM. There are many people familiar with the ELK stack, and it's easy to scale.
sudo cat /etc/rsyslog.d/auth-errors.conf
auth.alert,authpriv.alert /var/log/auth-errors
cat /etc/logrotate.d/httpd
/var/log/httpd/*log {
    rotate 10
    compress
    missingok
    sharedscripts
    postrotate
        /usr/bin/systemctl reload httpd.service 2>/dev/null || true
    endscript
}

Cron entry (runs logrotate at minute 0 of every sixth hour; the original `* */6` would fire every minute during those hours):
0 */6 * * * logrotate /etc/logrotate.d/httpd
in /etc/bashrc:
export PROMPT_COMMAND='RETRN_VAL=$?;logger -p local6.debug "$(whoami) [$$]: $(history 1 | sed "s/^[ ]*[0-9]\+[ ]*//" ) [$RETRN_VAL]"'

in /etc/rsyslog.d/bash.conf:
local6.* /var/log/commands.log
Taken from https://unix.stackexchange.com/questions/664581/how-do-i-log-all-commands-executed-by-all-users
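As an added example (not part of this answer or the linked thread), a small Python parser for the /var/log/commands.log lines that the PROMPT_COMMAND/rsyslog setup above produces, grouping commands per interactive shell and pulling out failed sudo invocations. The sample log lines are constructed, and the header layout assumes rsyslog's default timestamp template with logger's default tag (the user's login name).

```python
import re
from collections import defaultdict
from typing import NamedTuple

# Layout assumed for each line (constructed to match the PROMPT_COMMAND above):
#   "<Mon dd HH:MM:SS> <host> <tag>: <user> [<shell pid>]: <command> [<return code>]"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[^:]+): "
    r"(?P<user>\S+) \[(?P<pid>\d+)\]: (?P<cmd>.*) \[(?P<rc>-?\d+)\]$"
)

class CmdRecord(NamedTuple):
    ts: str
    host: str
    user: str
    pid: int      # pid of the interactive bash process ($$), i.e. the session
    cmd: str
    rc: int       # exit status of the command ($RETRN_VAL)

def parse_line(line):
    """Return a CmdRecord, or None for lines that are not command records."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return CmdRecord(m["ts"], m["host"], m["user"], int(m["pid"]),
                     m["cmd"].strip(), int(m["rc"]))

def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]

def sessions(records):
    """Group commands by shell session (host, user, bash pid), in log order."""
    out = defaultdict(list)
    for r in records:
        out[(r.host, r.user, r.pid)].append(r)
    return dict(out)

def failed_sudo(records):
    """sudo invocations that exited non-zero: the first lines an analyst reviews."""
    return [r for r in records if r.cmd.split()[:1] == ["sudo"] and r.rc != 0]

# Constructed sample of /var/log/commands.log (not real data)
SAMPLE = """\
Mar  3 09:12:01 web01 alice: alice [4321]: ls -la /etc/rsyslog.d [0]
Mar  3 09:12:07 web01 alice: alice [4321]: sudo logrotate -f /etc/logrotate.d/httpd [1]
Mar  3 09:12:20 web01 alice: alice [4321]: sudo systemctl reload httpd.service [0]
Mar  3 09:13:45 web01 bob: bob [5120]: tail -f /var/log/auth-errors [130]
this line is not a command record
"""
```

Because PROMPT_COMMAND runs inside the user's own shell, this log is an audit convenience rather than a tamper-proof record; treat it as a supplement to auditd and the auth logs above, not a replacement.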