Logs and blogs
For boring complicated reasons, my server doesn't do MySQL correctly. At least, for me. So I wrote all my own blog software from scratch using a flat file system. It is nowhere near as sexy as some of the pre-packaged stuff, but it is funtional and it has - as far as I know - no gaping vulnerabilities. It rejects all input that is unrecognised, and given I have access to the server, there are no back doors or admin holes (what's the point when I can just as easily fire up WinSCP and edit stuff directly?).
You'd be disappointed at how much crap gets logged. I've put in fairly broad spectrum blocking to NOT log known spiders and search engines, and also to return slightly different content (this may be against the Ts&Cs of some engines, however there is a very good reason that if you enter WITHOUT giving a date, the most recent entry will be displayed, I do not want this archived as it changes all the time! it provides a message to this effect, and all the dated links work as normal so it isn't really SEO nonsense [read the penultimate paragraph for why I don't care]). I routinely see attempts to access files that are not there, phpMyAdmin, and the like, as well as a number of attempts to poke .asp (that's IIS, right?) files.
My next challenge, I think, is to code up a small flat-file database and start denying access to any IP address that pulls more than ten articles in a minute. That's less than one every ten seconds, so most likely to be a badly behaved spider. Some, mentioning no names, attempt to pull ten in as many seconds. I'm inclined to start 404ing those...
...ahhhh, somedays I think life would be easier if I simply periodically considered my site management to be complete once I've just erased the logfiles. ;-)