In my understanding, admins need to access the logs of the servers, workstations, services and applications they manage, either for administration or debugging purposes, but never the logs generated by auditd from their own activities. Another admin or the SOC can. I am considering here corporate policy and the threat of a stolen admin account, where I want to prevent an attacker from seeing or erasing his traces, or malevolence by the admin himself.
Is this correct? If not, what is recommended? To extend the question a little more, how should access to centralized logs be managed when forensic or legal access is required: local and monitored accounts?