Re: Logging practices (and why does it suck in Debian?)
On Wednesday 11 April 2001 15:03, Christian Hammers wrote:
> For this reason (to stay on topic) logging should at least keep the current
> behaviour to have one log where everything is logged to, as it's now with
> /var/log/syslog. And maybe the /var/log/auth.log with stuff that most
> people may not see as it's security relevant.
Why? I think it is really wasted when everything is logged to syslog, and
also logged to other, more specific files. If you want to search for
something, use grep. And if you want to find something, look in the log-files
that are relevant. What relevancy can it ever have to log *.debug, or
mail.info messages to syslog, if you want to find stuff about intrusion
> Having the current mail.err, mail.warn, mail.debug where everything
> "with or below that severity" is logged so that the admin can choose what
> is worth to read daily is fine for me.
Again, I think this is wasted effort. Instead, as an admin, you could read
mail.err, then mail.warn, and if you still feel up to it, mail.debug - it
doesn't remove any details, but 1) it uses less disk space, 2) it removes the
clutter, and 3) each log file has a specific purpose.
But anyway, thanks for your comments! I am really trying to find "the perfect
solution", although I'll probably come to realize that there isn't one :(
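
The trade-off discussed in this message, as an added example that is not part of the original mail: a simplified model of sysklogd-style selector matching that counts how many copies of each message land on disk under a cumulative layout versus one where each file has a single purpose. The /var/log/mail.* paths, every selector line and the sample messages are constructed assumptions, and only a subset of the selector syntax is modelled (no "!").

```python
# Added example: simplified model of sysklogd selector matching (no "!" support).
PRIORITIES = ["debug", "info", "notice", "warn", "err", "crit", "alert", "emerg"]

def matches(selector_line, facility, priority):
    """True if the selector line selects a message of this facility/priority."""
    level = PRIORITIES.index(priority)
    selected = False
    for selector in selector_line.split(";"):
        facilities, spec = selector.rsplit(".", 1)
        if facilities != "*" and facility not in facilities.split(","):
            continue                  # selector does not apply to this facility
        if spec == "none":            # exclude this facility entirely
            selected = False
        elif spec == "*":             # every priority
            selected = True
        elif spec.startswith("="):    # exactly this priority
            selected = selected or level == PRIORITIES.index(spec[1:])
        else:                         # this priority and anything more severe
            selected = selected or level >= PRIORITIES.index(spec)
    return selected

# Constructed layouts; the mail file paths and all selector lines are assumptions.
INCLUSIVE = {   # everything in syslog, plus cumulative per-severity mail files
    "/var/log/syslog": "*.*;auth,authpriv.none",
    "/var/log/auth.log": "auth,authpriv.*",
    "/var/log/mail.debug": "mail.debug",
    "/var/log/mail.warn": "mail.warn",
    "/var/log/mail.err": "mail.err",
}
EXCLUSIVE = {   # one reading of the proposal: each message is written once
    "/var/log/syslog": "*.*;auth,authpriv.none;mail.none",
    "/var/log/auth.log": "auth,authpriv.*",
    "/var/log/mail.debug": "mail.=debug;mail.=info;mail.=notice",
    "/var/log/mail.warn": "mail.=warn",
    "/var/log/mail.err": "mail.err",
}
# Constructed sample traffic as (facility, priority) pairs.
MESSAGES = [("mail", "debug"), ("mail", "info"), ("mail", "warn"),
            ("mail", "err"), ("auth", "info"), ("daemon", "notice")]

def route(layout, facility, priority):
    """Files that receive a copy of the message under the given layout."""
    return [path for path, sel in layout.items() if matches(sel, facility, priority)]

def copies_written(layout, messages):
    """Total number of log lines written for the given messages."""
    return sum(len(route(layout, f, p)) for f, p in messages)

if __name__ == "__main__":
    for name, layout in (("inclusive", INCLUSIVE), ("exclusive", EXCLUSIVE)):
        print(name, copies_written(layout, MESSAGES), "copies for", len(MESSAGES), "messages")
```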