linux
deudron, 2019-05-20 12:29:02

What is the best way to track attacks on Linux servers centrally?

Hello. There are about 40 Ubuntu servers hosting projects with varying load (from 10 to 1000 requests per second). All servers are in the cloud; there is no physical access to them. For protection and monitoring, the necessary minimum is configured on all servers (ufw, fail2ban, SSH by keys, servers combined into a VPN, only TCP 80/443 open to the outside, collection of system and product logs into an ELK cluster, the need to install patches and updates is regularly checked). I am looking for software that would somehow centralize all this, i.e. monitor all incoming traffic for port scanning, DDoS attack attempts, SSH connection errors with the wrong key, scan HTTPS traffic for vulnerabilities (bot requests to known admin scripts, etc.), and also scan all Linux systems for known vulnerabilities. Is there such a solution, open source or some commercial product?
In theory, I know that there are IPS/IDS systems (the same Snort, Suricata), but as I understand it they are more suited to a physical network, where you can pass traffic through them (or mirror it). Will they be suitable for my task? Maybe someone has faced a similar task and found a convenient tool or some kind of technology stack for themselves? =)


2 answer(s)
Vladimir, 2019-05-20
@MechanID

From personal experience, even a configured IDS on a Juniper SRX doesn't do everything you want.
From the free but, alas, not centralized options:
1. Look towards ConfigServer Security & Firewall - this is an iptables management utility, as well as an auto-ban for unsuccessful login attempts, port scans, etc., though you need to sit down and thoughtfully configure it.
The main benefit is when it works with mod_security logs. Well, it also just reads ssh, ftp logs and so on and bans the bad guys.
2. Scanning for vulnerabilities from the free options - OpenVAS.
3. Rough DDoS and so on should be shown by normal monitoring like the Nagios family or Zabbix; metrics - network traffic, requests to the web server, etc.

cssman, 2019-05-20
@cssman

You need a SIEM and to connect all logs from firewalls, IDS, SPO, etc. to it.
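As an added example (not from either answer, and not the asker's own setup), this is the kind of correlation rule a SIEM, or the ELK cluster the asker already has, would run over two of the log types named in the question: sshd pre-auth failures (rejected key or invalid user) per source IP, and requests to known admin scripts per client IP. The sample log lines, the thresholds and the admin-path list are constructed assumptions; a production rule would also apply a time window, which this one omits.

```python
import re
from collections import Counter
# Constructed sample log lines (not real traffic), in the formats the asker
# already ships to ELK: Ubuntu sshd auth.log and nginx combined access log.
SSHD_LOG = """\
May 20 12:01:01 web1 sshd[2101]: Connection closed by authenticating user root 203.0.113.7 port 40110 [preauth]
May 20 12:01:02 web1 sshd[2103]: Connection closed by authenticating user root 203.0.113.7 port 40112 [preauth]
May 20 12:01:03 web1 sshd[2105]: Invalid user admin from 203.0.113.7 port 40114
May 20 12:05:00 web1 sshd[2200]: Accepted publickey for deploy from 10.8.0.5 port 51000 ssh2: ED25519 SHA256:EXAMPLE
May 20 12:06:00 web1 sshd[2210]: Connection closed by authenticating user deploy 10.8.0.9 port 51002 [preauth]
"""
NGINX_LOG = """\
203.0.113.9 - - [20/May/2019:12:02:10 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.9 - - [20/May/2019:12:02:11 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.4 - - [20/May/2019:12:02:13 +0000] "GET /api/items HTTP/1.1" 200 2048 "-" "curl/7.58"
198.51.100.4 - - [20/May/2019:12:02:14 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "curl/7.58"
"""
# Two sshd messages that both mean "pre-auth failure": wrong/unknown key, or unknown user.
SSHD_FAIL = re.compile(
    r"sshd\[\d+\]: (?:Connection closed by authenticating user \S+|Invalid user \S+ from) (?P<ip>\d+(?:\.\d+){3})")
NGINX_REQ = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)')
# Assumed: paths none of the hosted projects serve, so any hit is scanner noise.
ADMIN_SCRIPT_PATHS = ("/wp-login.php", "/phpmyadmin/", "/admin/")

def ssh_preauth_failures(log_text):
    """Count sshd pre-auth failures per source IP; successful logins are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SSHD_FAIL.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts

def admin_script_probes(log_text):
    """Count requests to known admin-script paths per client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = NGINX_REQ.match(line)
        if m and m.group("path").startswith(ADMIN_SCRIPT_PATHS):
            counts[m.group("ip")] += 1
    return counts

def alerts(ssh_text, nginx_text, ssh_threshold=3, web_threshold=2):
    """Correlation rule: one (kind, ip, count) alert per IP at or over its threshold."""
    found = [("ssh_preauth_failures", ip, n) for ip, n in ssh_preauth_failures(ssh_text).items() if n >= ssh_threshold]
    found += [("admin_script_probes", ip, n) for ip, n in admin_script_probes(nginx_text).items() if n >= web_threshold]
    return found

if __name__ == "__main__":
    print(alerts(SSHD_LOG, NGINX_LOG))
```

The single failure from the VPN address 10.8.0.9 and the lone 404 from 198.51.100.4 stay below threshold, which is the point of thresholding before an auto-ban such as CSF or fail2ban acts.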
