Honeypots mailing list archives

Question about logging


From: TJ O'Grady <tjogrady () flyingwithouta net>
Date: Thu, 5 Dec 2002 19:59:12 -0500

Hello,

I am just getting my feet wet on some of the concepts in honeypots and intrusion detection. I was wondering if someone can point me in the direction of additional information on setting up logging. I am not understanding how a logging server can be available to copy logs to (via syslogd or some third party Windows tool) and yet not be vulnerable once the honeypot is compromised.

One solution I have come across involves disabling every service on a box except syslogd, except this still seems like it would be vulnerable, especially if the intruder was just trying to flood the log. And I'm not an SME on firewalls, so perhaps I am missing something.

Anyway, while I wouldn't expect an entire explanation in an email for such a broad subject, if anyone has thoughts on good sources I would appreciate it. I am not opposed to amazon.com links, I can get most texts at the local library with a wait.

Thanks,
TJ O'Grady

