In the case of an attack on a database server, which action best preserves logs while stopping the attack?

Pulling the server network cable is an effective action to take in the event of an attack on a database server because it immediately stops external communication with the server. This action prevents the attacker from continuing to execute malicious commands or accessing sensitive data during the incident.

By disconnecting the network cable, the server is isolated from further attacks and the potential for data exfiltration is greatly reduced. Additionally, this method allows local logging to continue, preserving crucial information about the attack that can be invaluable for forensic analysis later on. Preserving logs is critical for understanding the attack vector, the extent of the breach, and developing strategies to mitigate future risks.

Other actions, while they may seem beneficial, either do not protect logs effectively or may even compound the situation. For example, shutting down the server would prevent any further access but could also result in the loss of any live logs that had not been written to disk. Backing up system logs is helpful but does not stop an ongoing attack. Initiating a password reset could potentially disrupt access and control, but does not directly address the immediate threat to the system itself.