On Thu, Dec 17, 2009 at 4:41 PM, Ryan Malayter <mala...@gmail.com> wrote:
> On Thursday, December 17, 2009, merlin corey <merl...@dc949.org> wrote:
>> Many log analyzers work fine with multiple files from multiple
>> sources, at least I know analog does. Failing that, you could write a
>> script to aggregate the logs...
> I think a more important use case for syslog is enabling
> tamper-resistant logs to another system. Syslog over IPSec to an
> unrelated system is a lot more confidence inspiring to security folks
> than a local text file that can be modified after a breach.
If you want to wear that security blanket, go ahead.
If you are worried about the integrity of your logfiles, you should
implement some kind of integrity checking on every important point.
This means that even if you do push things over your favorite secure
protocol to another system you'll want to do some kind of integrity
checking there because someone could break in and tamper with the data
on the "secure" system.
Security folks know that everything breaks, so they plan for and
What's the plan for when the syslog server goes down? No logs at all then?
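One way to do the "integrity checking at every point" argued for above, as an added example that is not code from anyone in this thread: a SHA-256 hash chain over the log lines, with the chain head kept on a system the log host cannot write to. Log lines, the genesis anchor and the helper names are constructed for the example.

```python
import hashlib

GENESIS = "0" * 64  # constructed trust anchor: the "previous hash" of the first line

def chain_hash(prev_hash, line):
    """Digest binding this line to every line before it."""
    return hashlib.sha256((prev_hash + "\n" + line).encode()).hexdigest()

def build_chain(lines, anchor=GENESIS):
    """Return ([(line, digest), ...], head) where head is the last digest.

    Store the head where the log host (and the collector) cannot rewrite it;
    it is what makes truncation at the tail detectable."""
    records, prev = [], anchor
    for line in lines:
        prev = chain_hash(prev, line)
        records.append((line, prev))
    return records, prev

def verify_chain(records, head, anchor=GENESIS):
    """Recompute every digest. Returns (ok, index of first bad record or len)."""
    prev = anchor
    for i, (line, digest) in enumerate(records):
        prev = chain_hash(prev, line)
        if prev != digest:
            return False, i  # this line or an earlier one was altered or removed
    if prev != head:
        return False, len(records)  # records were dropped from the end
    return True, len(records)

# Constructed nginx-style access-log lines; not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Dec/2009:16:41:00 +0000] "GET /index.html HTTP/1.1" 200 612',
    '10.0.0.7 - - [17/Dec/2009:16:41:02 +0000] "POST /admin/login HTTP/1.1" 302 0',
    '10.0.0.7 - - [17/Dec/2009:16:41:03 +0000] "GET /admin/ HTTP/1.1" 200 4096',
]

def demo():
    """Intact chain verifies; an edited, a deleted and a truncated copy do not."""
    records, head = build_chain(SAMPLE_LOG)
    edited = list(records)  # someone on the collector rewrites the login status
    edited[1] = (edited[1][0].replace(" 302 ", " 200 "), edited[1][1])
    deleted = records[:1] + records[2:]  # middle line removed, later digests stay
    truncated = records[:2]  # last line removed, only the stored head reveals it
    return (verify_chain(records, head), verify_chain(edited, head),
            verify_chain(deleted, head), verify_chain(truncated, head))
```

The same verification can run on the local file and on the collector independently, so a mismatch on either side points at where the tampering happened.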