Date: Mon, 22 Aug 2005 23:14:03 -0700
From: Doug Hardie <bc979@lafn.org>
To: freebsd-isp@freebsd.org
Subject: Re: Creating a Log Retention Policy
Message-ID: <BCD6A69D-6E24-4D70-93B1-8F2001E7BFB2@lafn.org>
In-Reply-To: <63196.24.71.128.63.1124776406.squirrel@imap.sd73.bc.ca>
References: <Pine.BSF.4.58.0508221636280.10962@elara.frii.com> <63196.24.71.128.63.1124776406.squirrel@imap.sd73.bc.ca>
On Aug 22, 2005, at 22:53, Freddie Cash wrote:

> Last year I attended a session at USENIX on system logging in which
> the instructor (Marcus Ranum) discussed the importance of having a
> clearly defined (and enforced) log retention policy. From what I
> remember of this portion of the lecture (the slides and my notes are
> lacking in details) he stressed that this policy would help
> significantly in the case of litigation, but it obviously would also
> give a solid policy for defining expectations and maintaining
> consistency between servers.
>
> A year later (*cough, cough*) I've started to compile ideas for this
> policy, but am having a bit of trouble finding good guidelines to
> follow.
>
> I was wondering if others currently had a clearly defined log
> retention policy for their organization and, if so, how they went
> about creating it?

I have one. The way I established it was to identify all the log files that might contain information of interest. Then for each I determined, based on previous usage, how long I needed to have them immediately available on-line. That determined the settings in newsyslog. We do backups to DVD (and off-site) weekly, so some of the logs are retained a bit longer than necessary to be sure they get on at least 2 different DVDs.

The determination of how long to retain the DVDs was more administrative than technical or usage based. We keep two full calendar years of old DVDs plus the current year. Anything older gets destroyed. Long term storage is on DVD. The current year is kept off-site. The 2 previous years are on-site. We keep 2 additional off-site copies of the current info (whatever is necessary to rebuild from a total site loss). That's generally quite a bit more than the log files, but they are part of it.

Once it was all defined, I just wrote it down. It's a small document that has only existed to be able to say we have it. No one ever reads it and there has never been a need to have it. But it could happen.
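An added illustration (not from Doug's post or from FreeBSD's stock configuration) of how the on-line retention decisions described above turn into newsyslog.conf settings, assuming the same weekly backup cycle: each archive is kept on disk for more than two weeks so it is guaranteed to land on at least two weekly backup sets before rotation removes it. Log names, retention periods and the rotation schedule are constructed for the example.

```conf
# /etc/newsyslog.conf fragment (constructed example, not a stock FreeBSD file)
# Fields: logfile  mode  count  size  when  flags
#   count = number of rotated archives kept on-line
#   when  = @T00 rotates daily at midnight, $W0D0 rotates weekly (Sunday 00:00)
#   flags = J compress with bzip2, C create the log if it is missing
#
# Retention decided per log from past usage; backups to DVD run weekly,
# so every archive must survive on disk for at least two backup runs
# (> 14 days) before newsyslog deletes it.

# Authentication log: needed on-line for investigations, keep 90 days.
# Daily rotation x 90 archives = 90 days on disk (>> 14 days: on >= 2 DVDs).
/var/log/auth.log        600  90   *    @T00   JC

# Mail log: 30 days is enough to answer delivery questions.
# Daily rotation x 30 archives = 30 days on disk.
/var/log/maillog         640  30   *    @T00   JC

# General messages: low value after a month; rotate weekly, keep 5 weeks.
# Weekly rotation x 5 archives = 35 days on disk.
/var/log/messages        644  5    *    $W0D0  JC

# Web access log: 4 weeks would be enough, but weekly rotation with
# count 2 would leave only 14 days on disk, which is the bare minimum
# for two weekly backups; count 3 adds the margin mentioned above.
/var/log/httpd-access.log 640 3    *    $W0D0  JC
```

Compressed archives (the J flag) are what the weekly DVD job copies; the count column, not the size column, is what enforces the policy here, which is why size is left as `*`.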