In some mail from Tom Perrine, sie said:
[...]
> OK, so we break it down into:
>
> * events to be logged (what is currently logged? What are we
>   missing?)
[...]

I think that's jumping the gun, unless the question of what you want to do
with log information has already been answered.

What do we need log information for?

- detect hack attempts ?
- detect hardware failures (maybe pre-empt hardware failure) ?
- capacity planning ?
- ... and so on.

If that list is already drawn up, sorry for this email, but I think having a
list like that lets us get a better list of what we want to see logged.

e.g. to list the log information for "detect hack attempts", we need to
enumerate what might be an indication of a hack attempt. e.g.

- detect hack attempts
  - record all authentication failures
  - record all inbound connections
  - record all successful logins
  - record all core dumps
  - ...

This might even be a good way to classify messages?

Darren
_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
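The message above suggests classifying log messages by what you want to detect, with "detect hack attempts" broken down into authentication failures, inbound connections, successful logins and core dumps. The following is an added example (not code from the thread or from any list member) of that classification run over a handful of constructed syslog lines; the regular expressions are assumptions about typical sshd, tcp-wrappers and kernel message formats, and the brute-force threshold of three failures from one source is an illustrative value, not one the message proposes.

```python
"""Classify syslog lines into the "detect hack attempts" categories from the
thread, then use one category (auth failures) to flag a likely brute force.
Added example; the log lines below are constructed, not real data."""
import re
from collections import Counter, defaultdict

# Category rules. Patterns are assumptions about common Unix daemon formats;
# order matters: the first matching rule wins.
RULES = [
    ("auth_failure", re.compile(
        r"Failed password|authentication failure|FAILED LOGIN|Invalid user", re.I)),
    ("login_success", re.compile(
        r"Accepted (?:password|publickey)|session opened for user", re.I)),
    ("inbound_connection", re.compile(
        r"connect from|Connection from|accepted connection", re.I)),
    ("core_dump", re.compile(
        r"core dumped|dumping core|segfault", re.I)),
]

# Classic BSD syslog layout: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<msg>.*)$")

# Source address as it appears in sshd and tcp-wrappers messages ("from A.B.C.D")
PEER_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample input (hypothetical host "gw", documentation-range IPs).
SAMPLE_LINES = [
    "Aug 28 10:01:02 gw sshd[1234]: Failed password for root from 192.0.2.10 port 4022 ssh2",
    "Aug 28 10:01:05 gw sshd[1234]: Failed password for root from 192.0.2.10 port 4023 ssh2",
    "Aug 28 10:01:09 gw sshd[1235]: Failed password for invalid user admin from 192.0.2.10 port 4024 ssh2",
    "Aug 28 10:02:00 gw sshd[1240]: Accepted publickey for darren from 198.51.100.7 port 51022 ssh2",
    "Aug 28 10:02:31 gw in.telnetd[1250]: connect from 203.0.113.5",
    "Aug 28 10:03:15 gw kernel: pid 1300 (httpd), uid 80: exited on signal 11 (core dumped)",
    "Aug 28 10:04:00 gw cron[1310]: (root) CMD (run-parts /etc/cron.hourly)",
]


def parse_syslog(line):
    """Split a BSD-style syslog line into its fields, or return None."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def classify(line):
    """Return the detection category a line belongs to, or 'unclassified'."""
    rec = parse_syslog(line)
    msg = rec["msg"] if rec else line  # fall back to the raw line if unparsable
    for category, rx in RULES:
        if rx.search(msg):
            return category
    return "unclassified"


def summarize(lines):
    """Count lines per category; 'unclassified' shows what the rules miss."""
    return dict(Counter(classify(line) for line in lines))


def brute_force_sources(lines, threshold=3):
    """Map source IP -> auth-failure count for sources at or over the threshold.
    The threshold is an illustrative value, not something the thread specifies."""
    failures = defaultdict(int)
    for line in lines:
        if classify(line) != "auth_failure":
            continue
        m = PEER_RE.search(line)
        if m:
            failures[m.group(1)] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{classify(line):20s} {line}")
    print(summarize(SAMPLE_LINES))
    print("possible brute force:", brute_force_sources(SAMPLE_LINES))
```

The "unclassified" bucket is the useful by-product: running the classifier over a real day's logs shows which message types the enumeration (or the logging configuration) does not yet cover, which is exactly the "what are we missing?" question from the quoted text.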
This archive was generated by hypermail 2b30 : Thu Aug 29 2002 - 09:13:39 PDT