On Sun, Aug 13, 2006 at 04:06:28PM -0700, [EMAIL PROTECTED] wrote:
> I've been procrastinating doing a remote syslog-ng log server
> for a while.
>
> Now I'm wondering if it is worth it.
>
> It seems the main idea is you can see logs of a break in
> AFTER you've been hacked. (Yay! Let's put them in jail!)
>
> That sounds cool but prosecution of hackers is unlikely
> and also doesn't undo the fact you've been hacked.
>
> So *how* exactly will a remote duplicate syslog-ng
> log server make you more safe and secure?

When a cracker breaks in, the first thing they do is erase log entries that show how they got in. That information is invaluable to you... how else are you going to ensure that your fresh replacement system doesn't have the same vulnerability? Also, the logs can show other stuff that they're trying.

All in all, it's better to have the logs and not need them than to need them and not have them ;-)

--
John Oliver http://www.john-oliver.net/
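
The point of the reply above, as an added example that is not part of the original thread: comparing the copy held on the remote log server with the host's own log file shows which entries were erased locally. The log lines are constructed sample data and the function name is hypothetical; it assumes both texts cover the same host and time window and that the server stores each line unchanged.

```python
from collections import Counter

# Constructed sample: what the remote log server received from host web1.
REMOTE_COPY = """\
Aug 13 15:58:01 web1 sshd[2211]: Failed password for root from 192.0.2.44 port 4021 ssh2
Aug 13 15:58:01 web1 sshd[2211]: Failed password for root from 192.0.2.44 port 4021 ssh2
Aug 13 15:58:09 web1 sshd[2214]: Accepted password for backup from 192.0.2.44 port 4025 ssh2
Aug 13 16:01:30 web1 su[2290]: (to root) backup on pts/1
Aug 13 16:05:00 web1 cron[2301]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Constructed sample: the same period as found in the host's own log file.
LOCAL_FILE = """\
Aug 13 15:58:01 web1 sshd[2211]: Failed password for root from 192.0.2.44 port 4021 ssh2
Aug 13 16:05:00 web1 cron[2301]: (root) CMD (run-parts /etc/cron.hourly)
"""


def missing_locally(remote_text, local_text):
    """Return lines the remote server holds that the local file lacks.

    Lines are matched as a multiset, so when the same message was logged
    twice and only one copy survives locally, the other is still reported.
    Results keep the order in which the remote server recorded them.
    """
    remaining = Counter(
        line for line in local_text.splitlines() if line.strip()
    )
    missing = []
    for line in remote_text.splitlines():
        if not line.strip():
            continue
        if remaining[line] > 0:
            remaining[line] -= 1   # accounted for by a local copy
        else:
            missing.append(line)   # present remotely, gone locally
    return missing


if __name__ == "__main__":
    for entry in missing_locally(REMOTE_COPY, LOCAL_FILE):
        print("missing from local log:", entry)
```

The entries it reports are the ones to read first when working out how the host was entered before rebuilding it.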
