Date: Sat, 15 Feb 2003 17:24:10 +1100
From: Peter Jeremy <peterjeremy@optushome.com.au>
To: Terry Lambert <tlambert2@mindspring.com>
Cc: arch@FreeBSD.ORG
Subject: Re: syslog.conf syntax change (multiple program/host specifications)
Message-ID: <20030215062410.GB60369@cirb503493.alcatel.com.au>
In-Reply-To: <3E4D7C2B.DDFC9DBE@mindspring.com>
References: <20030210114930.GB90800@melusine.cuivre.fr.eu.org> <20030213174531.GZ83215@roark.gnf.org> <20030213184309.GA53098@melusine.cuivre.fr.eu.org> <200302141100.23529.wes@softweyr.com> <p05200f15ba72fb31e177@[128.113.24.47]> <20030214220145.GM83215@roark.gnf.org> <3E4D7C2B.DDFC9DBE@mindspring.com>

On Fri, Feb 14, 2003 at 03:30:51PM -0800, Terry Lambert wrote:
>Only newsyslog is stupid.
>
>No matter what options you gave it, the first thing it would do is
>the moral equivalent of -F.
>
>So instead of a 60M Samba log file "/var/log/samba", you ended up
>with a "/var/log/samba.1" that was 60M, and a "/var/log/samba"
>that was empty.

I'm not sure this is "stupid" in all cases. Definitely, if you have
the situation where newsyslog fails to run for an extended period,
this is a problem. OTOH, if syslog is running normally and there is
a massive burst of log activity (eg an attack) then you could lose
older logs. This might make it easier for an attacker to destroy
evidence of what they did - you know something happened because you
have a pile of syslogs full of rubbish, but you don't know exactly
what because the earliest syslogs have rotated out of existence.

Peter