Groby: Frankly, if you are not distributing your Intrusion Detection assets then you are asking for trouble....... I run a combination of NIDS/HIDS that report to two different systems on two different computers that are hardened. My public servers, AD servers and my firewalls also dump their logs to one of those systems. Those logs are moved daily to two other locations on yet two other computers. Then, weekly, those logs are moved to CD and archived.

Why? Well.... an IDS only tells you what _did_ happen and, as we all know, if it happened at 2am while we were snoozing then we may find corrupted logs by the time we get in to work. But if you have to search my system (650 machines) to find out where all the copies are and crack those 2 primary log machines too then there is a good chance that I will still have a good copy when I get in...... Additionally, it is unlikely that you will footprint me, attack me successfully and get rid of all the initial 2 logs in the same 24 hour period, thus the chances are high that I still retain some evidence of your activity from prior days.

I could be more paranoid..... but I don't see myself as a high profile target or the logs would be moved hourly...... and then moved again......
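The layout Groby describes (a primary log host plus off-box daily copies) only pays off if someone actually compares the copies. The following is an added example, not code from the post: it reconciles one day's log as held by three locations by majority vote and lists the lines that went missing from an outvoted copy. Hostnames and log lines are constructed sample data.

```python
"""Distributed log retention check (added example, not from the original post).

Given the same day's log as held by several locations, decide which copy to
trust and flag copies that were altered or truncated after the daily copy ran.
All hostnames, addresses and log lines below are constructed samples."""
import hashlib
from collections import Counter


def digest(lines):
    """SHA-256 over the newline-joined log, so whole copies compare cheaply."""
    return hashlib.sha256("\n".join(lines).encode()).hexdigest()


def reconcile(copies):
    """copies: {location: [log lines]} -> (status, trusted_lines, suspects).

    A copy is trusted only if a strict majority of locations agree with it, so a
    single scrubbed host is outvoted by two intact archives. Without a majority
    the day's log needs manual review and every location is listed as suspect."""
    digests = {loc: digest(lines) for loc, lines in copies.items()}
    best, count = Counter(digests.values()).most_common(1)[0]
    if count * 2 <= len(copies):
        return "no-majority", None, sorted(copies)
    trusted_loc = next(loc for loc, d in digests.items() if d == best)
    suspects = sorted(loc for loc, d in digests.items() if d != best)
    return ("tampered" if suspects else "consistent"), copies[trusted_loc], suspects


def missing_from(trusted, suspect):
    """Lines present in the trusted copy but absent from a suspect copy,
    i.e. the evidence that was removed from that location."""
    present = set(suspect)
    return [line for line in trusted if line not in present]


# Constructed sample: one day's log, addresses from the RFC 5737 documentation ranges.
INTACT = [
    "02:03:11 fw1 DENY tcp 203.0.113.7 -> 192.0.2.10:22",
    "02:03:40 nids1 ALERT ssh brute force from 203.0.113.7",
    "02:05:02 srv3 sshd Accepted password for admin from 203.0.113.7",
    "02:09:15 srv3 sudo admin : COMMAND=/bin/rm /var/log/auth.log",
]
COPIES = {
    "loghost1": INTACT[:2],   # primary host: last two lines scrubbed at 2am
    "archive-a": INTACT,      # daily off-box copy, untouched
    "archive-b": INTACT,      # second daily copy, untouched
}

if __name__ == "__main__":
    status, trusted, suspects = reconcile(COPIES)
    print(status, suspects)   # tampered ['loghost1']
    for suspect in suspects:
        print(suspect, "lost:", missing_from(trusted, COPIES[suspect]))
```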