Advice needed: logserver layout, config, ...

Hi -

I do have a server running a couple of service jails with a lot of logfile production in each individual jail. Now, I would like to forward all logging messages to a syslogd(-ng) running at the jail's host (quasi a logserver scenario). The server is protected by a PF deny all strategy.

Let me start with my plan sofar:

1) Every syslogd at every jail is simply forwarding all logging messages to the host's syslogd (all IPs are from the RFC1918 pool)

2) *All* messages are logged into a *single* logfile (600).

3) Either use swatch, or if syslogd-ng will be running, its functionality to trigger and mail really important instances.

Ok, I would like to get advice, criticism, proposals on whether this is a good idea at all, or on how should my plan be realized, instead?

And, I'm interested in how you are dealing with logfiles from different servers.
I have the same type of configuration. 5 jails hosting reverse proxy, web, mysql, mail and syslog. I store all syslog in one jail but more I log Apache messages in this jail changing the error-log directive of Apache and the RP in two others files of course.