[TriLUG] To syslog or not syslog
Aaron S. Joyner
aaron at joyner.ws
Sat Jan 1 12:30:41 EST 2005
Steve Litt wrote:
>What else happened around that time?
>What events preceded the symptom?
>What events followed the symptom?
>What is the exact description of the symptom?
>What is common about each occurrence of the symptom?
>
>It would seem to me that this kind of exploration would be easiest with a
>central log. Of course, there would be a lot of extraneous (to the symptom)
>information in a central log, but that's what grep is for.
>
Just another tip about central logging - don't forget that you can log
to two different files. Local files as well as a remote log host. This
has more than one advantage - specifically when doing troubleshooting
it's really nice to have the logs on the local host, without extraneous
information from other hosts in the file, as Steve alludes to. Another
ancillary, hopefully unnecessary, advantage is that in the event of a
system compromise, if there's nothing current in /var/log it's going to
set off big red flags to even the lowliest of script kiddies. On the
other hand, if there's something in there that looks like the logs, and
looks relatively current, then it's likely they won't dig into
/etc/syslog.conf and notice that their every action is being sent
off-site, and deleting those local logs isn't going to really do them
any good in covering their tracks.
Aaron S. Joyner
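The two-destination setup Aaron describes, written out as an added illustration (it is not configuration from the original post); it uses classic `/etc/syslog.conf` syntax, and the host name `loghost.example.com` is a placeholder, as are the local file paths:

```conf
# /etc/syslog.conf fragment: keep local copies for on-host troubleshooting
# AND forward the same facilities to the central log host.
# Selector and action must be separated by a TAB on older syslogd builds.

# Local files, as usual (the "-" skips fsync after each write).
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog

# Same selectors a second time, with "@host" as the action: syslogd sends
# each matching message to the remote host over UDP port 514.
auth,authpriv.*                 @loghost.example.com
*.*;auth,authpriv.none          @loghost.example.com
```

The receiving syslogd has to be told to accept network messages (the Linux sysklogd of that era needs `-r`, and the port should be reachable only from your own hosts). The order of lines does not matter for duplication: every line whose selector matches a message gets it, so a message can land in a local file and on the remote host at the same time. Because the remote copy is the one a local attacker cannot edit, it is also the copy to diff against the local file when checking whether anything was removed.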