On Wed, 15 Aug 2018 at 13:50, Evan Rempel <erempel@uvic.ca> wrote:
In my opinion that is exactly why you log to syslog. The syslog infrastructure can also forward in real time the log events to a remote log collector that the DBAs don't even have access to. This method provides for a secure and pristine log stream for archiving and audit review processes.
+1 wrt syslog and remote logging. Any environment where security and access monitoring is important should always have logs copied to a remote, secure server with access limited to individuals who are not also responsible for administering key systems, such as the database server.
When compromising a system, it is normal to attempt to cover up your activity by modifying or deleting log files. Having these copied to a separate system means the threat actor has to now compromise multiple servers.
Another useful setup is the 'ELK' stack, which uses Logstash and Elasticsearch to provide a powerful log storage and querying infrastructure (which can also unify logs from different sources). This can make auditing and monitoring much more powerful.
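The remote-collector setup discussed above, written out as an rsyslog configuration. This is an added example and not from anyone in the thread; the host name `logcollector.example.internal`, the certificate paths and the `local0` facility used for the database audit log are assumed placeholders. The client side forwards a copy of everything over mutually authenticated TLS and spools to disk if the collector is unreachable, so a DBA with root on the database host cannot silently drop events by stopping the link; the collector side accepts only peers whose certificate name it knows.

```conf
# ---- Database host (rsyslog client): /etc/rsyslog.d/10-forward.conf ----
# Assumed paths; the CA and per-host cert/key are issued by your own PKI.
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/dbhost-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/dbhost-key.pem"
)

module(load="omfwd")

# Forward every message (including the local0 facility the database's
# audit output is assumed to use). The disk-assisted queue keeps events
# if the collector is down, and resumeRetryCount=-1 retries forever
# instead of discarding them.
action(
  type="omfwd"
  target="logcollector.example.internal"   # assumed collector host name
  port="6514"
  protocol="tcp"
  StreamDriver="gtls"
  StreamDriverMode="1"                     # 1 = TLS only
  StreamDriverAuthMode="x509/name"         # verify the collector's cert CN
  StreamDriverPermittedPeers="logcollector.example.internal"
  queue.type="LinkedList"
  queue.filename="fwd_logcollector"
  queue.saveOnShutdown="on"
  action.resumeRetryCount="-1"
)

# ---- Collector (rsyslog server): /etc/rsyslog.d/10-collector.conf ----
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/collector-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/collector-key.pem"
)

# Accept TLS only, and only from hosts whose certificate name is listed.
module(
  load="imtcp"
  StreamDriver.Name="gtls"
  StreamDriver.Mode="1"
  StreamDriver.AuthMode="x509/name"
  PermittedPeer=["dbhost01.example.internal"]   # assumed database host name
)
input(type="imtcp" port="6514")

# One file per sending host, so the database audit stream stays separate.
template(name="PerHostFile" type="string"
         string="/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log")
*.* action(type="omfile" dynaFile="PerHostFile")
```

Accounts on the collector should belong to the audit or security team rather than the DBAs, and the `/var/log/remote` tree should be readable only by that group. Because the client spools locally while the link is down, the events written on the database host and the copy on the collector can be compared after an incident: a gap in the collector's copy that the client's queue does not explain is itself something worth investigating.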