From owner-freebsd-isp@FreeBSD.ORG Tue Aug 23 06:14:05 2005
X-Original-To: freebsd-isp@freebsd.org
Delivered-To: freebsd-isp@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EAB9B16A41F for ; Tue, 23 Aug 2005 06:14:05 +0000 (GMT) (envelope-from bc979@lafn.org)
Received: from zoot.lafn.org (zoot.lafn.ORG [206.117.18.6]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7252243D45 for ; Tue, 23 Aug 2005 06:14:05 +0000 (GMT) (envelope-from bc979@lafn.org)
Received: from [10.0.1.90] (pool-71-109-145-221.lsanca.dsl-w.verizon.net [71.109.145.221]) (authenticated bits=0) by zoot.lafn.org (8.13.1/8.13.1) with ESMTP id j7N6E2RR032203 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NO) for ; Mon, 22 Aug 2005 23:14:04 -0700 (PDT) (envelope-from bc979@lafn.org)
Mime-Version: 1.0 (Apple Message framework v734)
In-Reply-To: <63196.24.71.128.63.1124776406.squirrel@imap.sd73.bc.ca>
References: <63196.24.71.128.63.1124776406.squirrel@imap.sd73.bc.ca>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
Content-Transfer-Encoding: 7bit
From: Doug Hardie
Date: Mon, 22 Aug 2005 23:14:03 -0700
To: freebsd-isp@freebsd.org
X-Mailer: Apple Mail (2.734)
X-Virus-Scanned: ClamAV 0.86.2/1035/Mon Aug 22 04:37:18 2005 on zoot.lafn.org
X-Virus-Status: Clean
Subject: Re: Creating a Log Retention Policy
X-BeenThere: freebsd-isp@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Internet Services Providers
X-List-Received-Date: Tue, 23 Aug 2005 06:14:06 -0000

On Aug 22, 2005, at 22:53, Freddie Cash wrote:

> Last year I attended a session at USENIX on system logging in which
> the instructor (Marcus Ranum) discussed the importance of having a
> clearly defined (and enforced) log retention policy. From what I
> remember of this portion of the lecture (the slides and my notes are
> lacking in details) he stressed that this policy would help
> significantly in the case of litigation, but it obviously would also
> give a solid policy for defining expectations and maintaining
> consistency between servers.
>
> A year later (*cough, cough*) I've started to compile ideas for this
> policy, but am having a bit of trouble finding good guidelines to
> follow.
>
> I was wondering if others currently had a clearly defined log
> retention policy for their organization and, if so, how they went
> about creating it?

I have one. The way I established it was to identify all the log files
that might contain information of interest. Then for each I determined,
based on previous usage, how long I needed to have them immediately
available on-line. That determined the settings in newsyslog. We do
backups to DVD (and off-site) weekly, so some of the logs are retained a
bit longer than necessary to be sure they get on at least 2 different
DVDs.

The determination of how long to retain the DVDs was more
administrative than technical or usage based. We keep two full calendar
years of old DVDs plus the current year. Anything older gets destroyed.
Long-term storage is on DVD. The current year is kept off-site. The 2
previous years are on-site. We keep 2 additional off-site copies of the
current info (whatever is necessary to rebuild from a total site loss).
That's generally quite a bit more than the log files, but they are part
of it.

Once it was all defined, I just wrote it down. It's a small document
that has only existed to be able to say we have it. No one ever reads it
and there has never been a need to have it. But it could happen.
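As an added example (not part of Doug's message and not FreeBSD's own tooling), the POSIX sh script below turns the "how long must it stay on-line" decision into a check against newsyslog.conf: it reads the count and when fields of each entry and compares count times the rotation interval with the days a retention table demands. The config excerpt, the policy table, the log paths and the function names are all constructed for illustration; the interval model (daily, weekly, monthly or plain hours) is an assumption that covers only the common newsyslog.conf schedule forms.

```shell
#!/bin/sh
# Added example, not code from the original mail or from FreeBSD.
# Checks that newsyslog.conf rotation settings keep each log on-line at
# least as long as a retention policy demands.  The config excerpt and
# the policy table below are constructed for this example.
#
# newsyslog.conf line: logfile [owner:group] mode count size when [flags]
#   count = archived copies kept, when = rotation schedule.
# Conservative model: days on-line >= count * rotation interval in days.

set -f   # no globbing: the size/when fields may contain a literal '*'

# Days between scheduled rotations for one newsyslog 'when' field.
interval_days() {
    case "$1" in
        '@T'*)    echo 1 ;;   # ISO 8601 time of day, e.g. @T00: daily
        '$D'*)    echo 1 ;;   # $D<hour>: daily
        '$W'*)    echo 7 ;;   # $W<weekday>D<hour>: weekly
        '$M'*)    echo 30 ;;  # $M<day>D<hour>: monthly, 30 as a lower bound
        ''|'*')   echo 0 ;;   # size-triggered only: no time-based guarantee
        *[!0-9]*) echo 0 ;;   # schedule forms not modelled here
        *)        echo $(( ($1 + 23) / 24 )) ;;  # plain number: hours
    esac
}

# Minimum days of history kept on-line: count * interval.
on_line_days() {
    echo $(( $1 * $(interval_days "$2") ))
}

# Constructed newsyslog.conf excerpt (not a real system's file).
SAMPLE_CONF='# logfile          [owner:group] mode count size when  flags
/var/log/auth.log                 600  90    *    @T00  JC
/var/log/maillog                  640  30    *    @T00  JC
/var/log/messages                 644  7     100  @T00  JC
/var/log/xferlog   root:wheel     640  4     *    $W0D0 JC'

# Constructed policy: log path and the minimum days it must stay on-line.
POLICY='/var/log/auth.log 90
/var/log/maillog 30
/var/log/messages 14
/var/log/xferlog 21
/var/log/httpd-access.log 30'

# audit_newsyslog CONF POLICY: prints one line per policy entry,
#   "OK <path> <days>", "SHORT <path> <have> <want>" or "MISSING <path>".
audit_newsyslog() {
    conf=$1
    printf '%s\n' "$2" | while read -r path want; do
        if [ -z "$path" ]; then continue; fi
        line=$(printf '%s\n' "$conf" | grep -v '^#' | awk -v p="$path" '$1 == p')
        if [ -z "$line" ]; then
            echo "MISSING $path"
            continue
        fi
        set -- $line
        shift                                   # drop logfile
        case "$1" in *:*) shift ;; esac         # drop optional owner:group
        have=$(on_line_days "$2" "$4")          # $2 = count, $4 = when
        if [ "$have" -ge "$want" ]; then
            echo "OK $path $have"
        else
            echo "SHORT $path $have $want"
        fi
    done
}

audit_newsyslog "$SAMPLE_CONF" "$POLICY"
```

The model assumes rotation happens only on the schedule. An entry that also carries a size limit (the 100 KB on messages above) rotates sooner whenever the file fills, so for such entries the count times interval figure is an estimate and the timestamps of the archived copies are the real check. A when field of `*` is scored as zero days, because size-only rotation gives no time-based guarantee at all.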