
LOG repository

Status
Not open for further replies.

52xmax

MIS
Jun 11, 2003
21
IN
Dear Gurus,

I am in the process of preparing a Solaris Configuration Document, and I have a doubt about the OS log file repository. I have configured the OS log files in such a way that only root can access them (sulog, lastlog and messages). But people suggested going for a separate (remote) system, either Linux or Unix, for OS logs. I don't find that it will be more secure than file security. Let me know your views regarding this.

Thanks in advance.
 
I would say a central log repository would be more useful for keeping logs for many systems in one place so they can be monitored conveniently. I don't think it would improve the security significantly.

Annihilannic.
 
A remote repository has two advantages-
1. An attacker cannot attack two machines at the same time - so you will have at least some warning of someone attacking your systems from monitoring logs in the remote repository.
2. You have a backup of the logs in case the attacker decides to issue the command
# rm -r /var/*

I guess a third advantage is that you can store more logs on the remote, saving disk space on the local.

HTH,
jpb
===
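
The two advantages listed in the reply above (early warning and a surviving backup) can be checked mechanically by comparing a host's local log with the copy held on the remote repository. The following is an added example, not code from the thread; the host name `sunbox`, the sample log lines and the function name `audit_local_log` are constructed for illustration.

```python
"""Added example: audit a host's local log against the remote repository's copy."""
from collections import Counter

# Constructed sample: lines the remote log host received from host "sunbox".
REMOTE_COPY = [
    "Jun 11 10:01:02 sunbox sshd[411]: [ID 800047 auth.info] Accepted password for jdoe",
    "Jun 11 10:02:11 sunbox su: [ID 810491 auth.crit] 'su root' failed for jdoe on /dev/pts/3",
    "Jun 11 10:02:40 sunbox su: [ID 366847 auth.notice] 'su root' succeeded for jdoe on /dev/pts/3",
]


def audit_local_log(local_lines, remote_lines):
    """Return a verdict plus the lines that differ between the two copies.

    A multiset comparison is used so that legitimately repeated lines
    (same second, same message) are not reported as differences.
    """
    local = Counter(line.rstrip("\n") for line in local_lines)
    remote = Counter(line.rstrip("\n") for line in remote_lines)

    missing = remote - local   # forwarded earlier, no longer present on the host
    extra = local - remote     # present on the host, never reached the log host

    if not missing and not extra:
        verdict = "consistent"
    elif not local:
        verdict = "local-log-wiped"      # e.g. /var was removed on the host
    elif missing:
        verdict = "local-log-altered"    # entries were deleted or edited locally
    else:
        verdict = "forwarding-gap"       # host is logging but not forwarding everything

    return {
        "verdict": verdict,
        "missing_locally": list(missing.elements()),
        "local_only": list(extra.elements()),
    }


if __name__ == "__main__":
    # Constructed case: the failed 'su root' entry has been removed on the host.
    tampered = [REMOTE_COPY[0], REMOTE_COPY[2]]
    report = audit_local_log(tampered, REMOTE_COPY)
    print(report["verdict"])
    for line in report["missing_locally"]:
        print("only on log host:", line)
```

Restricting the local files to root does not help once root itself is compromised, which is the case this comparison is meant to surface.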


 