Tripwire's also huge, which is why I use L5. Checkpointing would be fine as long as your checkpoint mechanism isn't compromised either! If someone has gotten root on the log host, there ain't a lot you can do if you aren't right on top of the guy.

_H*