• Activate logging on your critical systems
• Set proper permissions on the log files, utmp, wtmp, lastlog, and users’ shell history files
• Set up a separate logging server
  – Add line “syslog 514/udp” to /etc/services on logging server
  – Modify /etc/syslog.conf on critical server to redirect desired message types to logging server
  – Hostname and IP address of logging server should be added to /etc/hosts on critical server to thwart DNS attack
  – In Windows NT/2000, replace EventLog service with an NT-compatible version of syslog to centralize logging
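
One way to check the Unix steps above after they have been applied, as an added example that is not part of the original slide. The function names, the host name "loghost" and the sample file contents are assumptions constructed for illustration; on a real system pass /etc/syslog.conf, /etc/hosts and /etc/services instead.

```shell
#!/bin/sh
# Added example: audit the remote-syslog setup described in the list above.
# File paths are passed as arguments; sample content below is constructed.

# Print each host that a classic syslog.conf forwards to (action "@host").
forward_targets() {
    awk '$1 !~ /^#/ && NF >= 2 && $NF ~ /^@[^@]/ { print substr($NF, 2) }' "$1" | sort -u
}

# Succeed if the services file (logging server) maps syslog to 514/udp.
has_syslog_service() {
    awk '$1 !~ /^#/ && $1 == "syslog" && $2 == "514/udp" { found = 1 }
         END { exit !found }' "$1"
}

# Succeed if HOST ($1) appears as a name or alias in the hosts file ($2).
host_pinned() {
    awk -v h="$1" '$1 !~ /^#/ {
             for (i = 2; i <= NF; i++) { if ($i ~ /^#/) break; if ($i == h) found = 1 }
         } END { exit !found }' "$2"
}

# Audit a critical server: every forward target must resolve from the hosts file.
audit_forwarding() {
    audit_rc=0
    audit_targets=$(forward_targets "$1")
    if [ -z "$audit_targets" ]; then
        echo "FAIL: no @host forwarding rule in $1"
        return 1
    fi
    for audit_host in $audit_targets; do
        case $audit_host in *[!0-9.]*) ;; *) echo "OK: $audit_host is an IP literal"; continue ;; esac
        if host_pinned "$audit_host" "$2"; then
            echo "OK: $audit_host is pinned in $2"
        else
            echo "FAIL: $audit_host is not in $2, so resolution depends on DNS"
            audit_rc=1
        fi
    done
    return $audit_rc
}

# Constructed stand-ins for /etc/syslog.conf, /etc/hosts and /etc/services.
demo_dir=$(mktemp -d)
printf '# forward auth and kernel messages\nauth.*;kern.*\t@loghost\n' > "$demo_dir/syslog.conf"
printf '127.0.0.1 localhost\n192.0.2.10 loghost.example.com loghost\n' > "$demo_dir/hosts"
printf 'syslog\t\t514/udp\n' > "$demo_dir/services"
audit_forwarding "$demo_dir/syslog.conf" "$demo_dir/hosts"
has_syslog_service "$demo_dir/services" && echo "OK: syslog 514/udp present"
rm -rf "$demo_dir"
```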