Here is my $0.02. I agree with the comments about "it's better to log too much than too little." With that being said, I usually wind up logging everything to a remote machine and dealing with the placement/management/auditing of logs in a central place (seems to make my life easier). If you want to log to a certain directory on the remote host, this is done via the remote machine's syslogd.conf file.

A quick note from experience on "logging a lot costs you little": the computer science dept at TAMU does a network security class each year. A sandbox is set up, and there are a number of black teams (bad guys) vs. a gold team (good guys providing network services on about 8 boxes). Last time I logged a semester's worth of port scanning (via iptables) as well as other information from syslog to a remote machine. I managed to get about 400MB of logs in 3 months.

*moral* logging is cheap...do it. You just have to be careful about attacks against the remote logging machine...but that's why you back it up :)

-mike

> I was wondering what kind of information people used to log on a remote
> syslog server.
>
> I mean, for every Linux machine I have, I use to log those facilities and
> priorities:
>
> authpriv.* @remote_machine
> kern.info @remote_machine
> syslog.info @remote_machine
> *.emerg @remote_machine
>
> If there is too much information, I use a higher priority level than .info for
> kern and syslog facilities.
>
> Is that a good practice or am I logging garbage?
>
> Another point is if someone knows if I can log in a certain directory in a
> remote host. Seems that I can't. Is that possible?
>
> Thanks in advance
>
> Ricardo Pires
>
>
> -----------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
> --
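The two things the thread turns on are how a syslog.conf selector decides which messages get forwarded (a plain priority such as kern.info means that level and every more severe one, so raising it to kern.warning is what trims volume) and Mike's point that placement into files is decided by the receiving machine's own syslogd.conf. The script below is an added example, not code from either poster: it models classic sysklogd selector semantics (plain priority = that level and above, `=level` = exactly that level, `none` = drop the facility, `*` = any) and runs Ricardo's four lines, a quieter variant, and a constructed receiver-side config over a handful of constructed messages. The file paths in the receiver config and the message list are assumptions for illustration; the iptables LOG target's default level of warning is the one real detail relied on.

```python
"""Model sysklogd-style syslog.conf selectors and show which messages each
rule set forwards.  Added example; constructed rules and messages only."""

PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]


def prio_index(name):
    """0 is most severe (emerg), 7 least (debug); unknown names raise ValueError."""
    return PRIORITIES.index(ALIASES.get(name, name))


def parse_rules(conf_text):
    """Return [(selectors, action)]; selectors is [(facility, mode, prio_idx)]."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments and blanks
        if not line:
            continue
        sel_part, action = line.split(None, 1)       # tabs or spaces before the action
        selectors = []
        for sel in sel_part.split(";"):              # several selectors per line
            facs, prio = sel.rsplit(".", 1)
            for fac in facs.split(","):              # "mail,news.none" style lists
                if prio == "none":
                    selectors.append((fac, "none", None))
                elif prio == "*":
                    selectors.append((fac, "atleast", prio_index("debug")))
                elif prio.startswith("="):
                    selectors.append((fac, "exact", prio_index(prio[1:])))
                else:
                    selectors.append((fac, "atleast", prio_index(prio)))
        rules.append((selectors, action))
    return rules


def compile_rule(selectors):
    """Per-facility set of accepted priority indexes, accumulated left to right
    the way sysklogd builds its priority mask: plain/exact selectors add bits,
    'none' clears the facility, '*' applies to every facility."""
    allowed = {f: set() for f in FACILITIES}
    for fac, mode, idx in selectors:
        for f in (FACILITIES if fac == "*" else [fac]):
            if mode == "none":
                allowed[f].clear()
            elif mode == "exact":
                allowed[f].add(idx)
            else:                                    # this level and everything more severe
                allowed[f].update(range(idx + 1))
    return allowed


def actions_for(rules, facility, priority):
    """Every action whose line accepts a message tagged facility.priority."""
    p = prio_index(priority)
    return [action for sel, action in rules if p in compile_rule(sel).get(facility, set())]


def route(conf_text, messages):
    rules = parse_rules(conf_text)
    return {f"{fac}.{pri}": actions_for(rules, fac, pri) for fac, pri in messages}


# Ricardo's sender-side lines, verbatim from the thread.
SENDER_CONF = """\
authpriv.*   @remote_machine
kern.info    @remote_machine
syslog.info  @remote_machine
*.emerg      @remote_machine
"""
# The "use a higher priority level than .info" variant he describes.
SENDER_CONF_QUIET = (SENDER_CONF.replace("kern.info", "kern.warning")
                                .replace("syslog.info", "syslog.warning"))
# Constructed receiver-side syslogd.conf doing the per-directory placement Mike
# refers to; paths are assumptions.
RECEIVER_CONF = """\
authpriv.*                      /var/log/secure
kern.*                          /var/log/kern.log
*.info;authpriv.none;kern.none  /var/log/messages
"""
# Constructed messages as (facility, priority).
MESSAGES = [
    ("authpriv", "info"),    # e.g. an sshd login record
    ("kern", "warning"),     # iptables LOG target at its default level
    ("kern", "info"),        # routine kernel chatter
    ("syslog", "err"),       # syslogd's own errors
    ("mail", "emerg"),       # caught only by *.emerg
    ("mail", "info"),        # matches nothing on the sender
]

if __name__ == "__main__":
    for name, conf in [("sender", SENDER_CONF), ("sender, quiet", SENDER_CONF_QUIET),
                       ("receiver", RECEIVER_CONF)]:
        print(f"--- {name}")
        for msg, acts in route(conf, MESSAGES).items():
            print(f"{msg:16} -> {acts or '(dropped)'}")
```

The quiet variant keeps the iptables lines (kern.warning) while dropping kern.info and kern.notice, which is exactly the trade Ricardo describes. Note that a message matching two lines with the same action, such as authpriv.emerg under both `authpriv.*` and `*.emerg`, is written twice by syslogd, so overlapping selectors cost bandwidth rather than save it.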
This archive was generated by hypermail 2b30 : Wed Oct 30 2002 - 08:07:00 PST