[GLLUG] Trickle logs to a DVD-R disk?

Thomas Hruska thruska at cubiclesoft.com
Fri Aug 24 09:59:50 EDT 2007


Lachniet, Mark wrote:
> Right, I do the same thing for Windows boxes and firewalls and such (Kiwi and Sawmill will go a long way) but I was hoping for something self-contained.  Thanks!
>  
> Mark Lachniet
> Solutions Architect - Security
> 3101 Technology Blvd. Suite A
> Lansing, MI 48910
> (517) 336-1004 (voice)
> mailto:mlachniet at analysts.com
>   
> 
> ________________________________
> 
> From: Ed Thomson [mailto:ethomson at edwardthomson.com]
> Sent: Fri 8/24/2007 9:29 AM
> To: Lachniet, Mark
> Cc: linux-user at egr.msu.edu
> Subject: Re: [GLLUG] Trickle logs to a DVD-R disk?
> 
> 
> 
> Mark-
> 
> I've never streamed logs to removable media.  Real-time streaming to 
> CD/DVD or tape sounds like it might be difficult, as you'd probably 
> have write buffer underruns (and probably coasters) or tape hitching, 
> respectively.
> 
> You could have a cron job copy the syslogs every few minutes to a 
> safe location and put them on a media that you could append to.  
> Presumably this is DVDs due to their large storage capacity; you can 
> keep appending logs for quite a while.  My concerns with this would 
> be that one bad session could compromise your logs, and that a good 
> attacker would notice this and may be able to disable it before logs 
> of his activity got written.  But those are pretty minor concerns, 
> this doesn't sound like a bad solution.
> 
> To offer an alternative, we use a dedicated loghost for this sort of 
> thing.  We have a machine which is firewalled such that it only 
> allows (authenticated, encrypted) inbound connections on the syslog 
> port, and allows no outbound connections.  (We log in on the console 
> only.)  We firewall it at the kernel level via iptables as well as on 
> our core router.  It dumps logs to tape nightly.  We feel that this 
> is appropriately secure for our needs:  it's unlikely that anybody 
> could get in to the loghost, unless there's a major remote-
> exploitable vulnerability in syslog.
> 
> Cheers-
> 
> -Ed
> 
> On Aug 24, 2007, at 7:09 AM, Lachniet, Mark wrote:
> 
>> Anyone know of a good way to set up a Linux box so that you can 
>> copy your logs in real-time (or near to it) to a DVD-R that is 
>> inserted in the box?  I'd like to have a more permanent form of 
>> logging so that if the HD dies or gets hacked, there is a backup 
>> that went to the DVD burner in a more permanent form.
>>
>> Thanks,
>>
>> Mark Lachniet

Mark,

You are essentially looking for "read and append-only" media.  Hard 
drives are much more reliable interim storage media (in terms of 
physical reliability).  So, essentially, you are after a hard drive that 
can't overwrite existing data (perhaps a DIP/jumper switch setting) and 
can act in a streaming fashion - a sort of "write-once/read-many" type 
of thing.

AFAIK, such a hard drive doesn't exist and I also am pretty sure there 
isn't an appropriate filesystem either (although there might be 
something in the "tape system" genre - treat the hard drive like a tape 
drive).  But it is something to think about.

-- 
Thomas Hruska
CubicleSoft President
Ph: 517-803-4197

*NEW* MyTaskFocus 1.1
Get on task.  Stay on task.

http://www.CubicleSoft.com/MyTaskFocus/
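A worked version of the cron-and-append approach Ed describes in the quoted reply (copy the syslogs every few minutes to a safe place, then add them to a DVD), added here as an example; it is not code from either poster. The paths and device (LOG_DIR, STAGE_DIR, DVD_DEV) are hypothetical, the burn step assumes dvd+rw-tools (growisofs, dvd+rw-mediainfo) and that dvd+rw-mediainfo reports "Disc status: blank" for an unused disc, and the digests assume GNU coreutils sha256sum. Each snapshot carries a manifest that records the digest of the previous snapshot's manifest, so the snapshots form a chain and a rewritten old snapshot no longer matches the PREV line of the next one.

```shell
#!/bin/sh
# Added example (not code from either poster): a cron-driven snapshot of the
# syslog files to a staging directory, a SHA-256 manifest chained to the
# previous snapshot, and an append of the snapshot as a new DVD session.
# Hypothetical settings: LOG_DIR, STAGE_DIR, DVD_DEV.  Requires GNU coreutils
# (sha256sum) and dvd+rw-tools (growisofs, dvd+rw-mediainfo) for the burn step.
set -eu

LOG_DIR="${LOG_DIR:-/var/log}"
STAGE_DIR="${STAGE_DIR:-/var/spool/logdvd}"
DVD_DEV="${DVD_DEV:-}"          # empty: stage and verify only, never burn

# stage_logs SRC DEST: copy the regular files in SRC into a new numbered,
# timestamped directory under DEST and write MANIFEST.sha256 there.  The first
# manifest line records the digest of the previous snapshot's manifest (or
# "none"), so snapshots form a chain and rewriting an old one breaks the PREV
# line of the next.  Prints the new snapshot directory.
stage_logs() {
    src=$1; dest=$2
    mkdir -p "$dest"
    last=$(ls -1 "$dest" | sort | tail -n 1)
    n=$(ls -1 "$dest" | wc -l)
    snap="$dest/$(printf '%06d' $((n + 1)))-$(date -u +%Y%m%dT%H%M%SZ)"
    mkdir "$snap"
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        cp -p "$f" "$snap/"
    done
    prevsum=none
    if [ -n "$last" ] && [ -f "$dest/$last/MANIFEST.sha256" ]; then
        prevsum=$(sha256sum "$dest/$last/MANIFEST.sha256" | cut -d' ' -f1)
    fi
    {
        echo "# PREV $prevsum"
        # the redirection creates MANIFEST.sha256 before * expands, so skip it
        ( cd "$snap" && for f in *; do
              [ "$f" = MANIFEST.sha256 ] || sha256sum "$f"
          done )
    } > "$snap/MANIFEST.sha256"
    echo "$snap"
}

# verify_snapshot SNAP [PREV]: recompute every digest in SNAP's manifest and,
# when PREV is given, check that SNAP's PREV line still matches PREV's manifest.
# Returns 0 only if both hold.
verify_snapshot() {
    snap=$1; prev=${2:-}
    ( cd "$snap" && grep -v '^#' MANIFEST.sha256 | sha256sum -c --status ) || return 1
    if [ -n "$prev" ]; then
        want=$(sha256sum "$prev/MANIFEST.sha256" | cut -d' ' -f1)
        have=$(sed -n '1s/^# PREV //p' "$snap/MANIFEST.sha256")
        [ "$want" = "$have" ] || return 1
    fi
    return 0
}

# append_to_dvd SNAP: write SNAP as a new session on the disc in DVD_DEV.
# growisofs -Z starts a blank disc, -M adds a session to one that already has
# sessions; both take mkisofs options.  The graft point puts each snapshot
# under its own directory on the disc so repeated file names do not collide.
# Assumption: dvd+rw-mediainfo prints "Disc status: blank" for an unused disc.
append_to_dvd() {
    snap=$1
    if [ -z "$DVD_DEV" ]; then
        echo "DVD_DEV not set; snapshot left in $snap" >&2
        return 0
    fi
    graft="/$(basename "$snap")=$snap"
    if dvd+rw-mediainfo "$DVD_DEV" 2>/dev/null | grep -q 'Disc status:.*blank'; then
        growisofs -Z "$DVD_DEV" -R -J -graft-points "$graft"
    else
        growisofs -M "$DVD_DEV" -R -J -graft-points "$graft"
    fi
}

main() {
    snap=$(stage_logs "$LOG_DIR" "$STAGE_DIR")
    verify_snapshot "$snap" || { echo "manifest check failed for $snap" >&2; exit 1; }
    append_to_dvd "$snap"
}

# Only act when invoked as "logdvd.sh run", e.g. from cron:
#   */10 * * * *  LOG_DIR=/var/log DVD_DEV=/dev/dvd /usr/local/sbin/logdvd.sh run
case "${1:-}" in run) main ;; esac
```

The script stages first and burns second, so the verify step runs against the staged copy before anything touches the burner, and with DVD_DEV unset it is safe to try on any box. The chain only proves that a snapshot has not been rewritten after its successor was staged; it does nothing about the point Ed raises above, that an attacker with root can stop the cron job before the next snapshot is taken.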
