An intruder will usually try to hide or delete evidence of their presence. First on their list will be the log messages that show how they got in (for example, the trace of a buffer overrun in daemon.log). Once an intruder has root on the host, any log file stored locally is theirs to edit.
Local countermeasures include ext2/3 file attributes (chattr +a makes a log file append-only, lsattr shows the attributes set; note that root can clear the attribute again unless the securelevel/capability bounding set prevents it), LIDS, SELinux...
Syslog daemons can copy messages to, and accept messages from, remote daemons, usually on UDP port 514. So it is easy to keep a copy of the logs on a host the intruder has not compromised. Bear in mind that plain syslog over UDP is neither authenticated nor reliable: anyone who can reach port 514 can send forged messages, datagrams can be dropped silently, and an intruder who reads /etc/syslog.conf learns where the remote copy lives, so the log host should be firewalled to accept syslog only from the hosts it is meant to serve.
The man pages for syslog or syslogd describe how to set up remote logging. In short, ensure the receiving daemon is started with the relevant switch: on Linux (sysklogd) /sbin/syslogd -r enables reception and logging of events from the network (rsyslog and syslog-ng configure this differently); on Solaris the daemon accepts network messages by default and no special switch is apparently required. To ensure messages are sent to a remote host, entries such as those below are required in /etc/syslog.conf on the sending host (on Solaris and traditional BSD syslogd the selector and the action must be separated by a tab, not spaces):
    auth.notice	@myhost.umist.ac.uk
    *.info	@myhost.umist.ac.uk
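The following Python program is an added illustration, not part of the original page: it builds a syslog datagram in the traditional BSD (RFC 3164) format that syslogd puts on UDP port 514, parses it back on the receiving side, and implements enough of the /etc/syslog.conf selector logic to show which messages the two entries above would forward to myhost.umist.ac.uk. The sample message, the host name "victim" and the tag "sshd[123]" are constructed for the example; the loopback round trip binds an OS-chosen port rather than 514 so it runs without root.

```python
"""Added example: BSD syslog (RFC 3164) over UDP and syslog.conf selectors."""
import socket

# Facility and severity codes from RFC 3164 section 4.1.1.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}

# The two entries from the page, selector and action separated by a tab.
SAMPLE_CONF = "auth.notice\t@myhost.umist.ac.uk\n*.info\t@myhost.umist.ac.uk\n"


def encode(facility, severity, timestamp, host, tag, msg):
    """Build the wire format: <PRI>TIMESTAMP HOST TAG: MSG.
    PRI = facility*8 + severity; TIMESTAMP is 'Mmm dd hh:mm:ss', day space-padded."""
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    return f"<{pri}>{timestamp} {host} {tag}: {msg}".encode("ascii")


def decode(datagram):
    """Split a datagram back into its fields; ValueError if PRI is malformed."""
    text = datagram.decode("ascii", errors="replace")
    if not text.startswith("<") or ">" not in text[:6]:
        raise ValueError("missing PRI")
    end = text.index(">")
    pri = int(text[1:end])
    rest = text[end + 1:]
    timestamp, rest = rest[:15], rest[16:]       # fixed 15-char timestamp, then a space
    host, content = rest.split(" ", 1)
    return {
        "facility": FACILITY_NAMES.get(pri // 8, str(pri // 8)),
        "severity": SEVERITY_NAMES[pri % 8],
        "timestamp": timestamp,
        "host": host,
        "content": content,
    }


def selector_matches(selector, facility, severity):
    """True if a selector such as 'auth.notice' or '*.info' selects the message.
    A priority selects itself and everything more severe (lower number).
    The '=' and '!' modifiers and ',' / ';' lists are not handled here."""
    sel_fac, sel_sev = selector.split(".")
    if sel_fac != "*" and sel_fac != facility:
        return False
    if sel_sev == "none":
        return False
    if sel_sev == "*":
        return True
    return SEVERITIES[severity] <= SEVERITIES[sel_sev]


def forwarded_to(conf, facility, severity):
    """Hosts (actions beginning with '@') that these syslog.conf lines would
    forward a message of the given facility.severity to."""
    hosts = set()
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)   # tab or spaces between columns
        if action.startswith("@") and selector_matches(selector, facility, severity):
            hosts.add(action[1:])
    return hosts


def roundtrip(datagram, port=0):
    """Send one datagram to a loopback UDP socket and return what arrived.
    Port 0 lets the OS pick a free port; real syslogd binds 514 (needs root)."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", port))
    rx.settimeout(2)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        tx.sendto(datagram, rx.getsockname())
        data, _peer = rx.recvfrom(1024)
        return data
    finally:
        tx.close()
        rx.close()


if __name__ == "__main__":
    # Constructed sample: an auth.notice message as sshd might log it.
    wire = encode("auth", "notice", "Jan  1 00:00:00", "victim", "sshd[123]",
                  "Accepted password for root from 10.0.0.5")
    fields = decode(roundtrip(wire))
    print(fields)
    print("forwarded to:", forwarded_to(SAMPLE_CONF, fields["facility"], fields["severity"]))
```

Note that nothing in the datagram authenticates the sender: the HOST field is whatever the sender wrote, and the receiver records the source address only if configured to. That is why a syslogd started with -r should sit behind a packet filter that admits UDP 514 only from known hosts, and why the remote copy is an aid to investigation rather than tamper-proof evidence.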