logging questions

[nobody () shinobi alias net (Anonymous)]

We are considering the following system for centralizing, archiving and
authenticating firewall log files.  Across the corporation we have m
firewalls and 2 loghosts.  Each loghost is in a different location and sits
behind a packet filtering firewall.  Each firewall would log to its local
disk as well as to both log hosts.  Logs will be encrypted across the wire
but not on the local disk.

At the end of each logging period (e.g. weekly) logs are collected from all
3 sources (loghost1, loghost2, firewall(i) local disk) compared to ensure
no differences and written to an appropriate storage device (e.g. writeable
CD-ROM).

Assuming that all of the firewalls are appropriately configured and that
the loghosts are as trusted as anything on our network, Can we be
reasonably sure that the logs have not been altered?

We realize that we can make no claims about the logs from a given firewall
after it is compromised.  But we would like to ensure that the logs from
BEFORE the firewall was compromised are accurate.

Is this a sound approach? anything we are overlooking or should take into
account?