Using a Separate Logging Server
One of the most effective techniques for minimizing an attacker's capability to alter logs involves setting up a separate logging server. Your critical systems, such as your Internet-accessible DNS server, mail server, Web servers, and so on, should be configured to redirect their logs to a separate machine on your demilitarized zone (DMZ). Your critical internal systems should send their logs to a group of separate logging systems on the internal network. Not only does this technique help to centralize logs for better analysis, but it also significantly limits an attacker's ability to monkey with the logs. If attackers take over root on a UNIX system or admin on an NT box, they will not be able to alter the logs to cover their tracks because the logs are elsewhere. The attacker will only be able to modify the logs by mounting a successful attack against the logging server. Therefore, by using the separate logging machine, we've just raised the bar for attackers. Of course, you must secure the logging server. Make sure you apply system security patches, and close all unused ports on the logging server machine.
While you won't be able to capture shell histories, utmp, wtmp, and lastlog from UNIX systems on a separate server, you can still redirect all of the pure logs to a separate server. To configure a UNIX system to use a separate logging server, you must configure syslogd so that it knows where to direct the logs. First, make sure there is a line in your /etc/services file associating syslog with its standard port, UDP port 514:
Next, include an entry in the syslog.conf file that tells syslog to redirect particular message types to a remote server. For kernel-type messages, the following line should be placed in syslog.conf:
Just to be sure that an attacker cannot disable logging by attacking DNS, the hostname listed above should be included in /etc/hosts so that it is resolved locally. This local resolution of the log server name shouldn't present a major management headache because your centralized log server will not be changing its IP address very often.
In Windows NT, the EventLog service can be replaced by an NT-compatible version of syslog, with capabilities for centralizing log access. Several syslog for NT tools are available, including the commercial tool SL4N and the freeware Kiwi syslog for NT. By using these tools, event logs can be sent to separate syslog servers from an NT system.