From: "Freddie Cash"
To: "Matt Ruzicka"
Cc: freebsd-isp@freebsd.org
Reply-To: fcash@ocis.net
Date: Mon, 22 Aug 2005 22:53:26 -0700 (PDT)
Subject: Re: Creating a Log Retention Policy

> Last year I attended a session at USENIX on system logging in which
> the instructor (Marcus Ranum) discussed the importance of having a
> clearly defined (and enforced) log retention policy. From what I
> remember of this portion of the lecture (the slides and my notes are
> lacking in details) he stressed that this policy would help
> significantly in the case of litigation, but it obviously would also
> give a solid policy for defining expectations and maintaining
> consistency between servers.
>
> A year later (*cough, cough*) I've started to compile ideas for this
> policy, but am having a bit of trouble finding good guidelines to
> follow.
>
> I was wondering if others currently had a clearly defined log
> retention policy for their organization and, if so, how they went
> about creating it?

We use newsyslog(8) to rotate the logs monthly, and store 13 backups, all neatly bzip'd. And we copy the backups to a pair of external USB drives where one is always off-site. Works great for our mail gateway, firewalls, and web servers.

There's nothing officially written up anywhere, though.

--
Freddie Cash, CCNT CCLP
Helpdesk / Network Support Tech.
School District 73
(250) 377-HELP [377-4357]
fcash@sd73.bc.ca
helpdesk@sd73.bc.ca
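
One way to check that a host's newsyslog.conf matches the practice described in this reply (monthly rotation, 13 archives, bzip2), as an added example that is not part of the original post. The function names, `MIN_COUNT` and the sample entries with their paths are constructed; the field layout assumed is the one documented in newsyslog.conf(5).

```shell
#!/bin/sh
# Added example: audit newsyslog.conf entries against the practice in the
# post: monthly rotation, 13 archives kept, bzip2 compression (J flag).
# MIN_COUNT, the function names and the sample entries are constructed.
MIN_COUNT=13

# Constructed sample input in newsyslog.conf(5) layout:
# logfile [owner:group] mode count size when flags [pidfile]
sample_conf() {
    cat <<'EOF'
/var/log/maillog                   640 13 *   $M1D0 J
/var/log/httpd-access.log www:www  644 13 *   $M1D0 J /var/run/httpd.pid
/var/log/ipfw.log                  600 7  100 *     Z
/var/log/security                  600 13 *   @T00  J
EOF
}

# audit_newsyslog [FILE...]  (reads stdin when no file is given)
# Prints "FAIL <logfile>: <reason>" per violation; non-zero exit if any.
audit_newsyslog() {
    awk -v min="$MIN_COUNT" '
        /^[ \t]*(#|$)/ { next }            # comments and blank lines
        $1 ~ /^</ { next }                 # <include>/<default> not handled
        {
            f = 2
            if ($f ~ /:/) f++              # skip optional owner:group
            # from $f on: mode count size when [flags]
            count = $(f + 1); when = $(f + 3); flags = $(f + 4)
            if (flags ~ /^\//) flags = ""  # that field is a pid file
            if (count !~ /^[0-9]+$/ || count + 0 < min + 0) {
                printf "FAIL %s: keeps %s archives, need %d\n", $1, count, min
                bad = 1
            }
            if (when !~ /^\$M/) {          # $M... is the monthly form
                printf "FAIL %s: when=%s is not monthly\n", $1, when
                bad = 1
            }
            if (flags !~ /J/) {            # J selects bzip2 compression
                printf "FAIL %s: archives are not bzip2-compressed\n", $1
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$@"
}
```

Running `audit_newsyslog /etc/newsyslog.conf` on each host gives a pass/fail signal that can be collected centrally, which turns an unwritten habit into something that can be enforced.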