On Wed, 21 Jan 2009, RB wrote:

> On Wed, Jan 21, 2009 at 12:55, <[email protected]> wrote:
>> this is the most paranoid/conservative view, and by this definition there
>> are basically no logs in existence that meet the forensics requirements
>
> Rather than set an unattainable standard, my intent was to communicate
> the conservative approach forensics would rather take. Edge cases and
> mitigating controls are acceptable as long as they are well-documented
> - that's basic security practice. I would rather see a solution that
> has 100 well-documented lossy edge cases than one that claims to be
> lossless with no proofs to back it.

the problem is that so many forensics people list the perfect situation and tell people that anything less won't stand up in court.

like everything else, it's a reliability/performance/cost trade-off

but we really aren't answering the initial question here (or rather we are demonstrating that there isn't a clear answer to the question)

>> franklk, if you really need write-only media, the best thing to do (volume
>> permitting) is to dump to a printer.
>
> You may want to recalculate; even 6-point font on large (14.875x11.5")
> tractor-feed paper only fits ~80MB per 3500-sheet box. Or, put
> another way, 2 512-byte events per second will burn through a $70 case
> per day. Or 6.5 reams of US Letter per day. Extremely limited
> volume.

that's why I said volume permitting (and for your most critical logs the volume is probably fairly low)

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com

