<HTML dir=ltr><HEAD><TITLE>Re: [GLLUG] Trickle logs to a DVD-R disk?</TITLE>
<META http-equiv=Content-Type content="text/html; charset=unicode">
<META content="MSHTML 6.00.6000.16525" name=GENERATOR></HEAD>
<BODY>
<DIV id=idOWAReplyText97036 dir=ltr>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2>Right, I do the same thing for Windows boxes and firewalls and such (Kiwi and Sawmill will go a long way) but I was hoping for something self-contained. Thanks!</FONT></DIV>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2></FONT> </DIV></DIV>
<DIV id=idSignature42735 dir=ltr>
<DIV><FONT face=Arial color=#000000 size=2><FONT face="Times New Roman">
<DIV><FONT size=2>Mark Lachniet<BR>Solutions Architect - Security<BR>3101 Technology Blvd. Suite A<BR>Lansing, MI 48910<BR>(517) 336-1004 (voice)<BR><A href="mailto:mlachniet@analysts.com">mailto:mlachniet@analysts.com</A><BR> </FONT> </DIV></FONT></FONT></DIV></DIV>
<DIV dir=ltr><BR>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> Ed Thomson [mailto:ethomson@edwardthomson.com]<BR><B>Sent:</B> Fri 8/24/2007 9:29 AM<BR><B>To:</B> Lachniet, Mark<BR><B>Cc:</B> linux-user@egr.msu.edu<BR><B>Subject:</B> Re: [GLLUG] Trickle logs to a DVD-R disk?<BR></FONT><BR></DIV>
<DIV>
<P><FONT size=2>Mark-<BR><BR>I've never streamed logs to removable media. Real-time streaming to CD/DVD or tape sounds like it might be difficult, as you'd probably have write buffer underruns (and probably coasters) or tape hitching, respectively.<BR><BR>You could have a cron job copy the syslogs every few minutes to a safe location and put them on media that you could append to. Presumably this is DVDs due to their large storage capacity; you can keep appending logs for quite a while. My concerns with this would be that one bad session could compromise your logs, and that a good attacker would notice this and may be able to disable it before logs of his activity got written. But those are pretty minor concerns; this doesn't sound like a bad solution.<BR><BR>To offer an alternative, we use a dedicated loghost for this sort of thing. We have a machine which is firewalled such that it only allows (authenticated, encrypted) inbound connections on the syslog port, and allows no outbound connections. (We log in on the console only.) We firewall it at the kernel level via iptables as well as on our core router. It dumps logs to tape nightly. We feel that this is appropriately secure for our needs: it's unlikely that anybody could get into the loghost, unless there's a major remote-exploitable vulnerability in syslog.<BR><BR>Cheers-<BR><BR>-Ed<BR><BR>On Aug 24, 2007, at 7:09 AM, Lachniet, Mark wrote:<BR><BR>> Anyone know of a good way to set up a Linux box so that you can copy your logs in real-time (or near to it) to a DVD-R that is inserted in the box? I'd like to have a more permanent form of logging so that if the HD dies or gets hacked, there is a backup that went to the DVD burner in a more permanent form.<BR>><BR>> Thanks,<BR>><BR>> Mark Lachniet<BR>> Solutions Architect - Security<BR>> 3101 Technology Blvd. Suite A<BR>> Lansing, MI 48910<BR>> (517) 336-1004 (voice)<BR>> <A href="mailto:mlachniet@analysts.com">mailto:mlachniet@analysts.com</A><BR>><BR>> _______________________________________________<BR>> linux-user mailing list<BR>> linux-user@egr.msu.edu<BR>> <A href="http://mailman.egr.msu.edu/mailman/listinfo/linux-user">http://mailman.egr.msu.edu/mailman/listinfo/linux-user</A><BR><BR></FONT></P></DIV></BODY></HTML>
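The cron-job approach Ed describes (copy whatever syslog has gained since the last run to a staging area, then append that area to the DVD as a new session) as an added example; this is not code from the thread or from either poster. It assumes the log file is appended to in place and rotated by rename (the usual logrotate behaviour), that the staging directory is appended to the disc with growisofs (-Z for the first session, -M thereafter), and that the burner is at /dev/dvd; the growisofs call is only issued when dry_run is False. Whole lines only are shipped, a rotated or truncated file restarts from offset zero, and each chunk's SHA-256 is recorded so a burned session can be checked against the on-disk copy later.

```python
"""Trickle new syslog bytes to a staging directory for periodic burning.

Added example for the cron-job approach discussed in the thread (not the
posters' code).  Assumptions: log appended in place, rotated by rename;
staging dir appended to the disc with growisofs; device /dev/dvd.
"""
import hashlib
import json
import os
import subprocess
import sys
import time

STATE_NAME = "trickle-state.json"   # per-staging-dir record of inode + offset


def _load_state(staging_dir):
    path = os.path.join(staging_dir, STATE_NAME)
    try:
        with open(path) as f:
            return json.load(f)
    except FileNotFoundError:
        return {}


def _save_state(staging_dir, state):
    path = os.path.join(staging_dir, STATE_NAME)
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        json.dump(state, f)
    os.replace(tmp, path)   # atomic rename: a crash mid-write cannot corrupt the state


def collect(log_path, staging_dir, now=None):
    """Copy bytes appended to log_path since the last run into a new chunk file.

    Returns the chunk file name, or None when there is no complete new line.
    Note: bytes written to the old file between the last run and a rename
    rotation are missed, which is one reason to run this job frequently.
    """
    os.makedirs(staging_dir, exist_ok=True)
    state = _load_state(staging_dir)
    st = os.stat(log_path)
    prev = state.get(log_path, {})
    offset = prev.get("offset", 0)
    # Rotation (new inode) or in-place truncation (file shrank): start over.
    if prev.get("inode") != st.st_ino or st.st_size < offset:
        offset = 0
    if st.st_size == offset:
        return None
    with open(log_path, "rb") as f:
        f.seek(offset)
        data = f.read(st.st_size - offset)
    # Ship complete lines only; a partial trailing line waits for the next run.
    cut = data.rfind(b"\n") + 1
    if cut == 0:
        return None
    data = data[:cut]
    stamp = time.strftime("%Y%m%dT%H%M%S", time.gmtime(now))
    name = f"{os.path.basename(log_path)}.{stamp}.{offset}.log"
    with open(os.path.join(staging_dir, name), "wb") as f:
        f.write(data)
    # sha256sum-compatible manifest so a burned session can be verified later.
    with open(os.path.join(staging_dir, "SHA256SUMS"), "a") as f:
        f.write(f"{hashlib.sha256(data).hexdigest()}  {name}\n")
    state[log_path] = {"inode": st.st_ino, "offset": offset + cut}
    _save_state(staging_dir, state)
    return name


def burn(staging_dir, device="/dev/dvd", first_session=False, dry_run=True):
    """Write the staging directory to the disc as a new session (assumed
    growisofs invocation: -Z opens the disc, -M appends a session)."""
    cmd = ["growisofs", "-Z" if first_session else "-M", device,
           "-R", "-J", staging_dir]
    if not dry_run:
        subprocess.run(cmd, check=True)
    return cmd


if __name__ == "__main__":
    # e.g. */5 * * * * python3 trickle.py /var/log/syslog /var/spool/logdvd
    log, stage = sys.argv[1], sys.argv[2]
    chunk = collect(log, stage)
    if chunk:
        print("staged", chunk, "->", " ".join(burn(stage)))
```

The state file and the manifest live in the staging directory, so they are burned along with the chunks and the disc is self-describing. As Ed points out, an attacker who is already root on the box can simply stop the cron job; the script only makes what it did manage to burn verifiable, not the gap before it was stopped.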