Last Call Review of draft-ietf-intarea-server-logging-recommendations-
I reviewed this document (draft-ietf-intarea-server-logging-recommendations-03) as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.
The document looks pretty good from a security standpoint, but I would recommend adding a few other items to be considered out-of-scope, or additional security considerations would be necessary. Since the document already mentions that record retention is out-of-scope, I think it would be useful to add that server security and transport security are important for the protection of logs for Internet-facing systems. After stating that it is an important consideration, then state something to the effect that the service provider must consider the risks, including the data and services on the server, to determine the appropriate measures.
The protection of logs is critical in incident investigations. If logs are tampered with, evidence could be destroyed.
I did see a few grammar nits as well. The Gen-Art review should cover that. If you want me to take a look at it after these adjustments have been made, I would be happy to assist.
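The review above points out that tampered logs destroy evidence. The following is an added example, not part of this review or of the draft, showing one standard way to make a server log tamper-evident: each record carries an HMAC over the previous record's tag and its own content, so modifying or deleting a record breaks the chain. The key name, the record fields and the log lines are constructed for the demo; the caveat it illustrates is that a chain alone cannot detect truncation at the tail unless the latest tag is also anchored somewhere the attacker cannot reach (for example, shipped to a remote collector over a protected transport).

```python
import copy
import hashlib
import hmac
import json

# Constructed demo key; in practice this lives outside the server being logged.
KEY = b"constructed-demo-key-do-not-use"

# Constructed sample records, shaped like access-log entries from an
# Internet-facing server (timestamp, source address and port, request, status).
SAMPLE_RECORDS = [
    {"ts": "2011-03-01T10:00:00Z", "src": "192.0.2.10", "port": 51515,
     "method": "GET", "path": "/", "status": 200},
    {"ts": "2011-03-01T10:00:02Z", "src": "192.0.2.10", "port": 51516,
     "method": "POST", "path": "/login", "status": 401},
    {"ts": "2011-03-01T10:00:05Z", "src": "198.51.100.7", "port": 40001,
     "method": "GET", "path": "/admin", "status": 403},
]

GENESIS = b"\x00" * 32  # tag "before" the first record


def _canonical(record):
    # Deterministic serialisation so the same record always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def chain_records(records, key):
    """Return log entries where each tag = HMAC(key, prev_tag || record)."""
    prev = GENESIS
    entries = []
    for rec in records:
        tag = hmac.new(key, prev + _canonical(rec), hashlib.sha256).digest()
        entries.append({"record": rec, "tag": tag.hex()})
        prev = tag
    return entries


def verify_chain(entries, key, expected_last=None):
    """Recompute the chain.

    Returns (True, None) if every tag checks out, otherwise (False, i) where i
    is the index of the first entry that fails. If expected_last (hex tag of
    the record the verifier knows should be last) is given, a shorter log is
    reported as failing at index len(entries), which catches tail truncation.
    """
    prev = GENESIS
    for i, entry in enumerate(entries):
        expected = hmac.new(key, prev + _canonical(entry["record"]),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), entry["tag"]):
            return False, i
        prev = expected
    if expected_last is not None and not hmac.compare_digest(prev.hex(), expected_last):
        return False, len(entries)
    return True, None


def demo():
    """Run the chain against intact, modified, deleted and truncated logs."""
    entries = chain_records(SAMPLE_RECORDS, KEY)
    last_tag = entries[-1]["tag"]  # what a remote collector would have on file

    modified = copy.deepcopy(entries)
    modified[1]["record"]["status"] = 200      # attacker hides a failed login

    deleted = entries[:1] + entries[2:]         # attacker drops the middle record

    truncated = entries[:2]                     # attacker drops the newest record

    return {
        "intact": verify_chain(entries, KEY),
        "modified": verify_chain(modified, KEY),
        "deleted": verify_chain(deleted, KEY),
        # Not detected by the chain alone: the remaining prefix is self-consistent.
        "truncated_unanchored": verify_chain(truncated, KEY),
        # Detected once the verifier knows the last tag from elsewhere.
        "truncated_anchored": verify_chain(truncated, KEY, expected_last=last_tag),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} -> {result}")
```

The unanchored truncation case is the reason the transport and the remote copy matter as much as the chain itself: an attacker with write access to the server can always trim the tail, so the latest tag (or the records themselves) should leave the host promptly over a protected channel.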