Yep use syslog server or similar in conjuction with this, which basically gives you something like immutability since the data is on a remote server with hopefully different security controls. You really don't want to be trying to sort an attack out after the fact on attacker-controlled machine. They could of course turn off network links or syslog eventually, but you'd at least have the early stages of the attack and or perhaps be able to detect it before they actually get full access.