I wasn't sure if this should go in the *Nix or Forensics forum, but since it's Linux-specific I'll put it in the *Nix forum.

While doing research on auditing and logging for an article I just posted, I came across a paper on the SANS site called Linux Security Auditing.

I think it provides a great overview of security auditing. It talks about planning issues such as the size of the logs, archiving policy, etc. It also has explanations for the use of various tools such as Nessus, Tripwire, Nmap and more.

At the end of the article there are links to a variety of resources such as the aforementioned tools (and more), other articles on the subject (of course, all of the links I tried were broken), and books on security.