Protecting Log Files with Write-Once Media
A more thorough way of protecting the logs on any type of system (Windows NT, UNIX, or other) is to store the logs on special media, such as a write-once CD-ROM. The attacker cannot alter the logs because they are protected by the physical medium itself. Unfortunately, some of these write-once media (such as CD-ROMs) perform very poorly compared with today's speedy hard drives. Therefore, you may want to configure your logging to write to a hard drive first and periodically flush the logs to the write-once media, such as once per day or when a 100MB threshold is reached.
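The flush policy described above, as an added sketch that is not from the original text: it seals the active log into a staging directory once per day or at 100MB, whichever comes first, ready to be burned. The function names, the staging directory, and the SHA-256 sidecar (used to check the disc copy after burning) are assumptions, and the burn step itself depends on the drive and tool and is not shown.

```python
import hashlib
import os
import time
from pathlib import Path

MAX_BYTES = 100 * 1024 * 1024   # the 100MB threshold from the text
MAX_AGE = 24 * 60 * 60          # "once per day", in seconds

def should_flush(size_bytes, last_flush, now, max_bytes=MAX_BYTES, max_age=MAX_AGE):
    """True when either trigger fires; an empty log is never flushed on age alone."""
    return size_bytes >= max_bytes or (size_bytes > 0 and now - last_flush >= max_age)

def seal_segment(active: Path, staging: Path, now: float) -> Path:
    """Move the active log into staging as a read-only, hashed segment.

    Assumption: the logging daemon is told to reopen its file before the
    segment is hashed, as with any rotation scheme; otherwise it keeps
    appending to the moved file.
    """
    staging.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime(now))
    segment = staging / f"{active.stem}-{stamp}.log"
    os.replace(active, segment)          # atomic when on the same filesystem
    active.touch(mode=0o600)             # fresh, empty active log
    digest = hashlib.sha256()
    with segment.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    # Sidecar in sha256sum format, burned alongside the segment.
    segment.with_suffix(".sha256").write_text(f"{digest.hexdigest()}  {segment.name}\n")
    os.chmod(segment, 0o400)             # no further writes while awaiting the burn
    return segment

def flush_if_due(active, staging, last_flush, now, max_bytes=MAX_BYTES, max_age=MAX_AGE):
    """Seal the active log if a trigger has fired; return the segment path or None."""
    size = active.stat().st_size if active.exists() else 0
    if not should_flush(size, last_flush, now, max_bytes, max_age):
        return None
    return seal_segment(active, staging, now)
```

Until the segment is actually burned, it is only as protected as the staging directory, so the earlier permission and append-only measures still apply to it.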
When all six of these techniques are applied together (activating logging, setting minimal permissions, using a separate logging server, encrypting the log files, setting the logs to append only, and storing them on write-once media), you can have a good degree of confidence in the integrity of your log files.