> I was wondering what kind of information people used to log on a remote
> syslog server.

Think of it like backups. If you never use your backups (lucky you =) then you could say you've been wasting your time. But if you need those backups.... you'll be glad to have them. Same goes for logging info. I've encountered MANY systems where I wish they had, say, run netstat or ps once a minute and logged the output to a file and kept it forever (would make troubleshooting problems a lot easier!), but almost no-one does that (heck, I don't even bother, although I myself get annoyed at myself every once in a while for not doing it).

> I mean, for every Linux machine I have, I usually log those facilities and
> priorities:
>
> authpriv.*    @remote_machine
> kern.info     @remote_machine
> syslog.info   @remote_machine
> *.emerg       @remote_machine

If it was a mail server I'd also log mail.*, for example. This might be considered "garbage" on most systems (but troubleshooting mail problems is easier with mail logs!). Ditto goes for cron.*: depending on what you do/how you do it, this may be garbage, or may turn out to be really useful.

> If there is too much information, I use a higher priority level than .info for
> the kern and syslog facilities.
>
> Is that a good practice or am I logging garbage?

With the cheap availability of bandwidth and disk space I'd say logging too much won't cost you much, and logging too little can often incur cost (extra time fixing problems/etc.). It's kind of like IDS, you need to tune it to weed out false positives/extraneous information (I do not want to see every ICMP admin prohibited message, but some other site may have that as a requirement).

> Another point is whether someone knows if I can log to a certain directory on a
> remote host. Seems that I can't. Is that possible?

This is a syslog thing, you would point the local syslog on the log-accepting host to dump to a separate dir. I don't think syslog really does this though. Syslog-ng and other syslog replacements can, however.

> Thanks in advance
>
> Ricardo Pires

Kurt Seifried, kurtat_private
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
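The selector lines quoted in the message above follow the classic syslog.conf rule that `facility.level` matches that level and everything more severe, while `facility.*` matches every level. The following Python is an added example, not code from either poster: it decodes the RFC 3164 `<PRI>` header (PRI = facility * 8 + severity), evaluates the four quoted selectors against a handful of constructed log lines, and shows concretely that `kern.info` drops kern.debug and that mail traffic below emerg is not forwarded at all unless a `mail.*` line is added, as the reply suggests. The destination name `@remote_machine` is taken from the quoted config; the sample messages are made up for the demonstration.

```python
"""Decode syslog <PRI> values and evaluate syslog.conf-style selectors.

Added example, not from the original mailing-list message. Implements the
RFC 3164 encoding PRI = facility * 8 + severity and the classic syslog.conf
selector semantics, then runs the quoted selectors over constructed lines.
"""
import re

FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
# Numeric severity: lower number = more severe (emerg=0 ... debug=7).
SEVERITIES = {
    0: "emerg", 1: "alert", 2: "crit", 3: "err",
    4: "warning", 5: "notice", 6: "info", 7: "debug",
}
SEVERITY_BY_NAME = {v: k for k, v in SEVERITIES.items()}

# Selectors copied from the syslog.conf lines quoted in the message.
SELECTORS = [
    ("authpriv.*", "@remote_machine"),
    ("kern.info", "@remote_machine"),
    ("syslog.info", "@remote_machine"),
    ("*.emerg", "@remote_machine"),
]

PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(pri):
    """Split a PRI integer (0..191) into (facility_name, severity_name)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    return FACILITIES.get(facility, f"facility{facility}"), SEVERITIES[severity]


def selector_matches(selector, facility, severity):
    """syslog.conf semantics: 'fac.level' matches that level and anything
    more severe; '*' on either side matches all; 'fac.none' matches nothing.
    A comma-separated facility list (e.g. 'auth,authpriv.*') is accepted."""
    sel_fac, sel_level = selector.split(".", 1)
    facilities = sel_fac.split(",")
    if "*" not in facilities and facility not in facilities:
        return False
    if sel_level == "*":
        return True
    if sel_level == "none":
        return False
    return SEVERITY_BY_NAME[severity] <= SEVERITY_BY_NAME[sel_level]


def route(message, selectors=SELECTORS):
    """Return the set of destinations a raw '<PRI>...' line is forwarded to."""
    m = PRI_RE.match(message)
    if not m:
        raise ValueError("message has no <PRI> header")
    facility, severity = decode_pri(int(m.group(1)))
    return {dest for sel, dest in selectors if selector_matches(sel, facility, severity)}


# Constructed sample lines (not real captures); PRI chosen per the comments.
SAMPLE_MESSAGES = [
    "<86>sshd[1234]: Accepted publickey for root from 10.0.0.5",  # authpriv.info
    "<6>kernel: eth0: link up",                                   # kern.info
    "<7>kernel: ACPI debug trace",                                # kern.debug
    "<46>syslogd: restart",                                       # syslog.info
    "<23>postfix/smtpd[42]: connect from unknown[192.0.2.9]",     # mail.debug
    "<16>postfix/master[1]: fatal: out of disk space",            # mail.emerg
]


def demo(messages=SAMPLE_MESSAGES):
    """Map each sample line to (facility.severity, sorted destinations)."""
    out = {}
    for msg in messages:
        fac, sev = decode_pri(int(PRI_RE.match(msg).group(1)))
        out[msg] = (f"{fac}.{sev}", sorted(route(msg)))
    return out


if __name__ == "__main__":
    for msg, (prio, dests) in demo().items():
        print(f"{prio:16} -> {dests or 'dropped'}   {msg}")
```

Running the block prints which of the constructed lines would reach `@remote_machine` under the quoted config: the authpriv, kern.info, syslog.info and mail.emerg lines go out, while kern.debug and the mail.debug connection notice are dropped. Adding `("mail.*", "@remote_machine")` to `SELECTORS` is the one-line change that corresponds to the reply's "if it was a mail server I'd also log mail.*".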
This archive was generated by hypermail 2b30 : Wed Oct 30 2002 - 03:12:35 PST