You explained it well. If the logs on a host are deleted, or corrupted, you still have the log host to check. Some admins even like to write to local files other than /var/log/messages, since that is what root kits like to go after.
It is very easy to have all hosts log locally as well as to a central log host (or hosts). Here is the best site I have found for configuring syslog-ng: http://campin.net/

- scottm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Oliver
Sent: Monday, August 14, 2006 9:47 AM
To: Main Discussion List for KPLUG
Subject: Re: Why is a remote duplicate syslog-ng log server useful?

On Sun, Aug 13, 2006 at 04:06:28PM -0700, [EMAIL PROTECTED] wrote:
> I've been procrastinating doing a remote syslog-ng log server
> for a while.
>
> Now I'm wondering if it is worth it.
>
> It seems the main idea is you can see logs of a break in
> AFTER you've been hacked. (Yay! Let's put them in jail!)
>
> That sounds cool but prosecution of hackers is unlikely
> and also doesn't undo the fact you've been hacked.
>
> So *how* exactly will a remote duplicate syslog-ng
> log server make you more safe and secure?

When a cracker breaks in, the first thing they do is erase log entries that show how they got in. That information is invaluable to you... how else are you going to ensure that your fresh replacement system doesn't have the same vulnerability? Also, the logs can show other stuff that they're trying. All in all, it's better to have the logs and not need them than to need them and not have them ;-)

--
***********************************************************************
* John Oliver http://www.john-oliver.net/ *
* *
***********************************************************************

--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
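The point of the thread is that the loghost's copy keeps whatever an intruder erases from the local file. As an added example (not code from the original posts), this Python script compares a host's local syslog file with the loghost's copy of the same stream and lists the entries that survive only on the loghost; the hostnames and log lines are constructed, and both copies are assumed to be classic BSD syslog text carrying the sender's own timestamp (syslog-ng's default keep_timestamp(yes)).

```python
"""Report syslog entries that exist on the loghost but not in the local copy.

Added illustration for the thread above, not code from the original posts.
Both files are assumed to be classic BSD syslog text with the sender's own
timestamp (syslog-ng default keep_timestamp(yes)); sample lines are constructed.
"""
import re
from collections import Counter

# "Aug 13 16:02:11 www sshd[2211]: Accepted password for ..." -> (ts, host, msg)
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)


def parse(line):
    """Split one syslog line into (timestamp, host, message); None if malformed."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    return (m.group("ts"), m.group("host"), m.group("msg")) if m else None


def missing_locally(loghost_lines, local_lines, host):
    """Entries for `host` present on the loghost but absent from the local file.

    Counter subtraction preserves multiplicity: if an identical line was logged
    twice and only one copy remains locally, one copy is reported.  The loghost
    file may hold many hosts, so only `host`'s entries are compared.
    """
    remote = Counter(p for p in map(parse, loghost_lines) if p and p[1] == host)
    local = Counter(p for p in map(parse, local_lines) if p and p[1] == host)
    return sorted((remote - local).elements())


# Constructed sample: the loghost holds several hosts; www's local
# /var/log/messages has had two entries removed after the fact.
LOGHOST_COPY = """\
Aug 13 16:01:58 www sshd[2201]: Failed password for root from 10.0.0.5 port 4410 ssh2
Aug 13 16:02:03 db postgres[881]: checkpoint complete
Aug 13 16:02:11 www sshd[2211]: Accepted password for root from 10.0.0.5 port 4422 ssh2
Aug 13 16:02:40 www useradd[2230]: new user: name=backup2, UID=0, GID=0, home=/
Aug 13 16:03:02 www cron[2240]: (root) CMD (run-parts /etc/cron.hourly)
""".splitlines()

LOCAL_COPY = """\
Aug 13 16:01:58 www sshd[2201]: Failed password for root from 10.0.0.5 port 4410 ssh2
Aug 13 16:03:02 www cron[2240]: (root) CMD (run-parts /etc/cron.hourly)
""".splitlines()

if __name__ == "__main__":
    for ts, host, msg in missing_locally(LOGHOST_COPY, LOCAL_COPY, "www"):
        print(f"only on loghost: {ts} {host} {msg}")
```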
