[logs] Re: Log integrity handling on central logsystem

From: Taneli Otala (taneli@private)
Date: Tue Aug 22 2006 - 06:47:14 PDT


Log data integrity...

I've used/seen the following tricks:

- Block sign the logs at source, have an audit tool to verify the sigs 
-- combine with sequence number to detect missing blocks

- To verify that a source hasn't dropped off, generate "markers" (in 
each originating point) and alert if missing marker

- Log everything to two log hosts; log log-host access logs as well

TaO
http://pointyhair.com
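A minimal sketch of the first two tricks above (block signing with sequence numbers, and per-source markers the auditor expects to keep seeing), as an added example and not code from the original post or its author. The HMAC key, the source names, the log lines and the "MARKER" line convention are all constructed for the demo; a real deployment would keep the signing key off the central log host so a compromise there cannot re-sign altered blocks.

```python
import copy
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # shared by each source and the audit tool, not by the log host
SOURCES = {"web1", "db1"}      # constructed: the sources the auditor expects markers from
MARKER_INTERVAL = 1            # in blocks; a source silent for longer than this is flagged

def _body(seq, lines):
    return json.dumps({"seq": seq, "lines": lines}, sort_keys=True).encode()

def sign_block(key, seq, lines):
    """Source side: HMAC a block of log lines together with its sequence number."""
    sig = hmac.new(key, _body(seq, lines), hashlib.sha256).hexdigest()
    return {"seq": seq, "lines": lines, "sig": sig}

def audit(key, blocks):
    """Audit side: return a list of findings; an empty list means the stream verifies clean."""
    findings, expected, last_marker = [], None, {}
    for b in blocks:
        good = hmac.new(key, _body(b["seq"], b["lines"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(good, b["sig"]):
            findings.append(("bad_sig", b["seq"]))        # a line was edited, removed or forged
        if expected is not None and b["seq"] != expected:
            findings.append(("gap", expected, b["seq"]))  # blocks dropped or reordered
        for line in b["lines"]:
            host, _, msg = line.partition(" ")
            if msg == "MARKER":
                last_marker[host] = b["seq"]              # newest block carrying this source's marker
        expected = b["seq"] + 1
    for host in sorted(SOURCES):
        last = last_marker.get(host)
        if last is None or (expected - 1) - last > MARKER_INTERVAL:
            findings.append(("missing_marker", host))     # source went quiet or was silenced
    return findings

def demo():
    # Constructed stream of four blocks from two sources, then a tampered copy of it.
    src = [["web1 MARKER", "db1 MARKER", "web1 GET /login 200"],
           ["web1 MARKER", "web1 GET /admin 403", "db1 SELECT ok"],
           ["web1 MARKER", "db1 MARKER", "web1 POST /login 302"],
           ["web1 MARKER", "db1 MARKER", "web1 GET / 200"]]
    blocks = [sign_block(KEY, seq, lines) for seq, lines in enumerate(src)]
    tampered = copy.deepcopy(blocks)
    tampered[1]["lines"][1] = "web1 GET /admin 200"  # rewrite one line
    del tampered[2]                                    # drop a whole block
    tampered[-1]["lines"] = [l for l in tampered[-1]["lines"] if not l.startswith("db1")]  # scrub db1
    return audit(KEY, blocks), audit(KEY, tampered)
```

The clean stream audits to an empty list; the tampered copy yields a bad signature for each altered block, a sequence gap for the dropped one, and a missing marker for db1, which has not been seen since block 0.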


Patrick Debois wrote:
> I'm looking for feedback on how centralized log solutions handle data
> integrity. If you log directly to a central system, that log is
> the only source, so you would have nothing to compare against.
>
> -Would you rely on taking checksums of the logs and storing them on
> another system?
> -How do you protect yourself from the fact that the central logging is
> compromised with a still growing logfile?
> Would you consider signing each log line? Signing within a text file is
> fairly easy, but what about content stored in a database?
>
> My customer is currently looking at Splunk. It seems a great way to go
> through the logfiles, but I'm not sure that we can fulfill his
> data integrity requirements with it. But then again, it probably does not
> stand in the way of another solution doing it.
>
> Patrick
>
>
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis@private
> http://lists.shmoo.com/mailman/listinfo/loganalysis
>   
This archive was generated by hypermail 2.1.3 : Tue Aug 22 2006 - 11:39:46 PDT