From owner-freebsd-security Fri Jul 31 07:26:23 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA01520 for freebsd-security-outgoing; Fri, 31 Jul 1998 07:26:23 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from trost.ravn.no (trost.ravn.no [193.215.220.235]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA01515 for ; Fri, 31 Jul 1998 07:26:21 -0700 (PDT) (envelope-from reidar@ravn.no)
Received: from gribb.ravn.no (gribb.ravn.no [193.215.220.237]) by trost.ravn.no (8.8.7/8.8.7) with SMTP id QAA05214 for ; Fri, 31 Jul 1998 16:26:17 +0200 (CEST) (envelope-from reidar@ravn.no)
Message-Id: <3.0.32.19980731162500.00869ce0@trost.ravn.no>
X-Sender: reidar@trost.ravn.no
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Fri, 31 Jul 1998 16:25:00 +0200
To: security@FreeBSD.ORG
From: Reidar Bratsberg
Subject: Re: Where are your logs? Methods of logging?
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Logging to a secure machine with syslog (or other) is as crucial as tripwire, IMHO. I haven't done it myself, but I've heard that some cut (!) the "send"-wires on the TP-cable to the secure machine -- making it impossible to reach it via the network. The syslog entries get through though.

Other options: Let syslog log to a serial port, and set up an old machine with MS-DOS (or whatever) to receive them.

At 13:14 31.07.98 +0100, Þórður Ívarsson wrote:
>Now I log everything from every system to that computer, backup the logs
>every day, and trace them.
(...)
>Is this something that might help us to trace the problems or is this
>just extra trouble?

I think it is absolutely worth the trouble. We don't take backup of the log-machine though. I guess we should...

We've considered setting up an old matrix printer as well, but I'm not sure it's worth the trouble (or paper!).

Best,
Reidar

--
Reidar Bratsberg
Ravn Informasjonssystemer Ans, Oslo, Norway
Phone: +47 22 37 97 00 Fax: +47 22 37 97 01
Business e-mail: ravn@ravn.no
Public PGP-key available from http://www.ravn.no/~reidar/pub-pgp.txt