• When I was a student in College, one of my tasks was to manage a shared Linux system that was used by students in a "how to get started with Linux" course. It was a learning opportunity, in which I found out the importance of maintaining log integrity.

    I happened to notice a user doing some "poking around" that I considered unusual. After a little digging, I found out he was attempting to use our system as a platform for accessing other systems on campus in an unauthorized manner.

    Within a few days of this discovery, I accomplished the following:

    * Set up a remote logging solution, so anything headed to the log files was intercepted and sent elsewhere

    * On the remote system, created a web interface for the faculty and admins with basic search functions for the logs (by user, by activity, etc.)

    * Recompiled all the shell binaries on the system (Ksh, Csh, Bash, etc) with code to log all commands executed

    * Set up an alert system so if a flagged user logged in, I was paged

    All students were reminded about not using the system for unauthorized activities, and it listed all those things, etc., etc. At least one continued to attempt malicious activities, up to elevating permissions and removing entries from the local log files. Based on the evidence in the remote log files, he was kicked out.

    This is why it is not just important to have a separate logging server, but it is also important to provide easy access to that data to the people that make the decisions.
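As an added example (not code from the original post or its author), the three defensive pieces described above reduced to pure functions over syslog-style text: a "page me when a flagged user logs in" rule, a search-by-user over shell command audit records, and a comparison of the forwarded (remote) copy of a log against the local file to surface entries that were deleted after forwarding. The log lines, the `cmdlog` program name used for shell command records, the host name `lab1` and the user names are all constructed for the example; the wiring to a real pager or web UI is left to the caller.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Set

# Syslog-style line: "<Mon DD HH:MM:SS> <host> <program>[<pid>]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
LOGIN_RE = re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")
CMD_RE = re.compile(r"^user=(?P<user>\S+) cmd=(?P<cmd>.*)$")

# Constructed sample data: what the remote log server received. 'cmdlog' is an
# assumed program name for shell command audit records (not a standard facility).
REMOTE_LOG = """\
Mar 3 08:01:12 lab1 sshd[2201]: Accepted password for alice from 10.0.5.17 port 50212 ssh2
Mar 3 08:03:40 lab1 cmdlog: user=alice cmd=ls -la
Mar 3 08:15:02 lab1 sshd[2310]: Accepted password for mallory from 10.0.5.88 port 50410 ssh2
Mar 3 08:16:11 lab1 cmdlog: user=mallory cmd=ssh 10.0.7.12
Mar 3 08:17:30 lab1 sudo: mallory : TTY=pts/1 ; PWD=/home/mallory ; USER=root ; COMMAND=/bin/sh
Mar 3 08:18:02 lab1 cmdlog: user=mallory cmd=vi /var/log/auth.log
"""

# Constructed: the local file after the intruder edited out everything about himself.
LOCAL_LOG = """\
Mar 3 08:01:12 lab1 sshd[2201]: Accepted password for alice from 10.0.5.17 port 50212 ssh2
Mar 3 08:03:40 lab1 cmdlog: user=alice cmd=ls -la
"""


@dataclass
class LogEvent:
    ts: str
    host: str
    prog: str
    pid: Optional[str]
    msg: str


def parse_line(line: str) -> Optional[LogEvent]:
    """Parse one syslog-style line; return None for lines that do not match."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return LogEvent(m["ts"], m["host"], m["prog"], m["pid"], m["msg"])


def parse_log(text: str) -> List[LogEvent]:
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev is not None]


def login_alerts(text: str, watched: Set[str]) -> List[str]:
    """One alert string per successful sshd login by a watched (flagged) user."""
    alerts = []
    for ev in parse_log(text):
        if ev.prog != "sshd":
            continue
        m = LOGIN_RE.match(ev.msg)
        if m and m["user"] in watched:
            alerts.append(f"{ev.ts} {ev.host}: watched user {m['user']} logged in from {m['src']}")
    return alerts


def commands_by_user(text: str, user: str) -> List[str]:
    """Search-by-user over the shell command audit records, in log order."""
    out = []
    for ev in parse_log(text):
        if ev.prog != "cmdlog":
            continue
        m = CMD_RE.match(ev.msg)
        if m and m["user"] == user:
            out.append(m["cmd"])
    return out


def missing_locally(remote_text: str, local_text: str) -> List[str]:
    """Lines present in the remote copy but absent from the local file, in remote order.

    A Counter handles legitimately repeated lines; every unmatched remote line is
    evidence that the local log was edited or truncated after it was forwarded.
    """
    local_counts = Counter(local_text.splitlines())
    missing = []
    for line in remote_text.splitlines():
        if local_counts[line] > 0:
            local_counts[line] -= 1
        else:
            missing.append(line)
    return missing


if __name__ == "__main__":
    for a in login_alerts(REMOTE_LOG, {"mallory"}):
        print("ALERT:", a)
    print("mallory ran:", commands_by_user(REMOTE_LOG, "mallory"))
    print("removed from local log:")
    for line in missing_locally(REMOTE_LOG, LOCAL_LOG):
        print("  ", line)
```

The comparison only works because forwarding happened before the tampering, which is the point of the post: once a line has left the host, a local edit cannot take it back, and the diff between the two copies is itself the evidence.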