As Bruce Schneier notes, NIST has produced a guide to log files (Special Publication 800-92, the Guide to Computer Security Log Management): the records of what has happened on computer systems, which are invaluable for tracking down all sorts of problems and (far more rarely, but more importantly) for detecting and proving illegal activity.
The standard in the Linux world, and on similar operating systems including Apple’s OS X, is a program called “syslogd”. It sits in the background waiting for programs to pass it messages about what they are doing, and dutifully writes these into a series of files stored in /var/log. Note that it is more akin to a police filing clerk than a policeman on the beat: it is not itself watching what the system is doing, but simply writing down a central record of whatever other programs have asked it to record.
A simple enough task, you may say, and on a single system it does a good enough job. But it is also used to collect records from many machines over a network, so that an institution can keep a central record of its computer activity in one place. All very useful, indeed vital. Except take a look at what NIST has to say (p. 3-6) about the usefulness of syslog in this role:
Syslog was developed at a time when the security of logs was not a major consideration. Accordingly, syslog does not specify the use of basic security controls that would preserve the confidentiality, integrity, and availability of logs. For example, syslog uses the connectionless, unreliable User Datagram Protocol (UDP) to transfer logs between hosts. UDP provides no assurance that log entries are received successfully or in the correct sequence. Also, it does not perform any access control, so any host can send messages to a log server.
Actually, the problems go even deeper than that, as vendors of rival systems and of improved versions enjoy pointing out: the classic message format travels in clear text, its timestamps carry neither a year nor a time zone, and the hostname in each message is simply whatever the sender chose to write.
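To make the NIST passage concrete, the following is an added example written for this page in Python; it is not code from NIST, from Schneier, or from any syslogd implementation. It builds a classic BSD-syslog (RFC 3164) message, delivers it over UDP to a throwaway collector on the loopback interface, parses it back, and applies the one cheap sanity check a collector can make. The hostnames, addresses and the small "known hosts" inventory are constructed for illustration. What it demonstrates is exactly the quoted point: the collector accepts whatever arrives, and the hostname inside the message is an unverified claim by the sender.

```python
"""Added example: build, send and parse a classic BSD-syslog (RFC 3164)
datagram over UDP, and show what a collector can and cannot know about it.
Not code from the page or from any syslog implementation; the hostnames,
addresses and the known_hosts inventory below are constructed."""
import re
import socket
from datetime import datetime

# RFC 3164 facility and severity codes; PRI = facility * 8 + severity.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "authpriv": 10, "local0": 16}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}

# Fixed timestamp so the output is reproducible (constructed, not a real event).
FIXED_TIME = datetime(2024, 1, 5, 9, 30, 0)


def build_message(facility, severity, hostname, tag, content, when=FIXED_TIME):
    """Format one RFC 3164 datagram. Nothing in it is authenticated: the
    hostname and tag are simply whatever the sender chooses to write."""
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    # RFC 3164 timestamp is "Mmm dd hh:mm:ss": space-padded day, no year,
    # no time zone.
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri}>{ts} {hostname} {tag}: {content}".encode("ascii")


_RFC3164 = re.compile(
    rb"^<(?P<pri>\d{1,3})>"
    rb"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    rb"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<msg>.*)$",
    re.DOTALL,
)


def parse_message(datagram):
    """Split a datagram into its fields, or return None if it is not RFC 3164
    shaped (a collector should count and keep such datagrams, not drop them)."""
    m = _RFC3164.match(datagram)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # facility 23, severity 7 is the largest legal PRI
        return None
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group("ts").decode(),
        "hostname": m.group("host").decode(),
        "tag": m.group("tag").decode(),
        "message": m.group("msg").decode(errors="replace"),
    }


def udp_round_trip(datagram, addr="127.0.0.1"):
    """Deliver one datagram to a throwaway collector on loopback and return
    (parsed record, source IP as seen by the collector). There is no
    handshake, acknowledgement or sender check: whatever arrives is accepted."""
    collector = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        collector.bind((addr, 0))  # port 0: let the OS pick a free port
        collector.settimeout(2.0)
        sender.sendto(datagram, collector.getsockname())
        data, (source_ip, _port) = collector.recvfrom(2048)
    finally:
        sender.close()
        collector.close()
    return parse_message(data), source_ip


def hostname_mismatch(record, source_ip, known_hosts):
    """Collector-side check: does the hostname written inside the message
    match the address the datagram actually came from? A mismatch is worth an
    alert, but agreement proves little, because UDP source addresses can be
    forged too; only an authenticated transport fixes that."""
    return known_hosts.get(record["hostname"]) != source_ip


if __name__ == "__main__":
    # Constructed inventory: the only host that should be logging as "fw1".
    known_hosts = {"fw1": "10.0.0.1"}
    # A message claiming to come from fw1, built on this machine, not on fw1.
    forged = build_message("auth", "info", "fw1", "sshd[812]",
                           "Accepted publickey for root from 203.0.113.9 port 51022")
    record, source_ip = udp_round_trip(forged)
    print(f"collector accepted a message claiming host {record['hostname']!r} "
          f"that actually arrived from {source_ip}")
    print("hostname/source mismatch:", hostname_mismatch(record, source_ip, known_hosts))
```

Run as a script, it reports that the collector accepted a message claiming to be from "fw1" which in fact arrived from 127.0.0.1. The hostname_mismatch check is the kind of cheap sanity test a central log server can add, but it is a detection aid rather than a control: the UDP source address is as forgeable as the hostname field, so the durable answer is to carry syslog over a connection-oriented, authenticated transport (later syslog implementations and RFC 5425, syslog over TLS, provide this), which is the direction the NIST guide points.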
Its core function, recording messages from applications on a single machine in a reasonably organised and reliable way, it has performed admirably. But like a classic car on a motorway, on the information super-highway it stands out as a tool built for other times.