Robert McDonald
If such a law exists it's rather pointless unless for defending false claims. If you were to get hacked/unauthorised access and need to provide evidence, surely the offender would have removed that from the logs, or the logs altogether, therefore putting you in a position of breaking the law?
Or have I missed the point on keeping logs entirely.
Don't keep the logs on the same box(es) you're monitoring. Otherwise, as you say, you can't trust them in the event of a compromise. There's a good paper by Schneier about how to make tamper-proof logs so you can detect unauthorised modifications, but it's easier to remote syslog to another server, one which doesn't do anything else. The truly paranoid will use a listen-only ethernet cable.

cheers,
Jamie

--
James Riden / j.riden(a)massey.ac.nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
Tel: +64 6 3569099 ext. 7402
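The "detect unauthorised modifications" property Jamie mentions, as an added example that is not part of the original thread: a simplified forward-secure, hash-chained audit log in the spirit of the Schneier and Kelsey secure audit log scheme (one symmetric key that is evolved with a one-way function after every entry, an HMAC per entry under that entry's key, and a hash chain linking entries). The key material, the sample log lines and the `head` commitment shipped off-box are constructed assumptions for illustration, not anything from the paper or the post. It goes a little beyond the post by showing the one case a hash chain alone does not catch (truncating the tail) and how sending the chain head to the remote collector closes it.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

# Constructed example: forward-secure hash-chained log. Simplified relative to
# Schneier/Kelsey: no per-entry encryption, no trusted-server handshake.
KEY_LEN = 32


def evolve_key(key: bytes) -> bytes:
    """K_{i+1} = H("evolve" || K_i). One-way: an intruder holding K_n after a
    compromise cannot recover any K_i with i < n, so old entries stay protected."""
    return hashlib.sha256(b"evolve" + key).digest()


def entry_hash(prev_hash: bytes, seq: int, msg: str) -> bytes:
    """Hash-chain link: each entry commits to its predecessor and its position."""
    return hashlib.sha256(prev_hash + seq.to_bytes(8, "big") + msg.encode("utf-8")).digest()


class AuditLog:
    """Writer running on the monitored host (untrusted once compromised)."""

    def __init__(self, initial_key: bytes) -> None:
        self._key = initial_key          # only the *current* key is ever in memory
        self._head = b"\x00" * KEY_LEN   # hash of the most recent entry
        self.entries: List[Dict[str, object]] = []

    def append(self, msg: str) -> None:
        seq = len(self.entries)
        h = entry_hash(self._head, seq, msg)
        tag = hmac.new(self._key, h, hashlib.sha256).hexdigest()
        self.entries.append({"seq": seq, "msg": msg, "tag": tag})
        self._head = h
        self._key = evolve_key(self._key)  # old key discarded: forward security

    def head(self) -> str:
        """Chain head to ship off-box (e.g. alongside each remote-syslog batch);
        the verifier uses it to notice that entries were removed from the end."""
        return self._head.hex()


def verify(initial_key: bytes, entries: List[Dict[str, object]],
           expected_head: Optional[str] = None) -> Optional[int]:
    """Run by the trusted verifier that kept K_0 (e.g. the log server). Returns the
    index of the first bad entry, len(entries) if the tail was truncated, or None."""
    key = initial_key
    prev = b"\x00" * KEY_LEN
    for i, e in enumerate(entries):
        if e["seq"] != i:
            return i  # deleted or reordered entry
        h = entry_hash(prev, i, str(e["msg"]))
        expected_tag = hmac.new(key, h, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_tag, str(e["tag"])):
            return i  # modified entry, or re-tagged without the right K_i
        prev = h
        key = evolve_key(key)
    if expected_head is not None and prev.hex() != expected_head:
        return len(entries)  # entries removed from the end
    return None


def attacker_rewrite(entries, stolen_key: bytes, idx: int, new_msg: str):
    """Intruder who read the current key from memory rewrites entry idx and
    re-tags everything from there on. They lack the historical keys, so it fails."""
    out = [dict(e) for e in entries]
    out[idx]["msg"] = new_msg
    prev, key = b"\x00" * KEY_LEN, stolen_key
    for i, e in enumerate(out):
        h = entry_hash(prev, i, str(e["msg"]))
        if i >= idx:
            e["tag"] = hmac.new(key, h, hashlib.sha256).hexdigest()
            key = evolve_key(key)
        prev = h
    return out


def demo() -> Dict[str, Optional[int]]:
    k0 = hashlib.sha256(b"constructed K_0 shared with the verifier").digest()
    log = AuditLog(k0)
    for line in [  # constructed sample log lines
        "sshd: Accepted publickey for admin from 10.0.0.5",
        "sudo: admin : COMMAND=/bin/bash",
        "sshd: Accepted password for root from 203.0.113.9",  # line an intruder wants gone
        "cron: (root) CMD (run-parts /etc/cron.hourly)",
    ]:
        log.append(line)
    head = log.head()
    results: Dict[str, Optional[int]] = {"intact": verify(k0, log.entries, head)}

    tampered = [dict(e) for e in log.entries]
    tampered[2]["msg"] = "sshd: Connection closed by 203.0.113.9"
    results["modified"] = verify(k0, tampered, head)

    results["deleted"] = verify(k0, [e for e in log.entries if e["seq"] != 2], head)
    results["forged"] = verify(k0, attacker_rewrite(log.entries, log._key, 2, "noise"), head)
    results["truncated_no_head"] = verify(k0, log.entries[:2])        # undetected!
    results["truncated_with_head"] = verify(k0, log.entries[:2], head)
    return results


if __name__ == "__main__":
    print(demo())
```

The forward-secure key is what makes this better than a plain hash chain on the same box: an intruder who owns the host can still append entries (nothing stops that), but cannot rewrite or silently drop anything logged before the break-in. The truncation case is the caveat to remember: the chain head (or the entry count) has to reach the separate log server independently, which is exactly what the remote-syslog setup in the post gives you.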