Re: Followup: Syslog

To: debian-security@lists.debian.org
Subject: Re: Followup: Syslog
From: jpk@cape.com (Jacob Kuntz)
Date: Sat, 14 Apr 2001 14:32:20 -0400
Message-id: <20010414143219.A4686@arrakis.lucidpark.net>
In-reply-to: <20010414132424.A20772@yuggoth.net>; from lists@yuggoth.net on Sat, Apr 14, 2001 at 01:28:52PM -0400
References: <01041400083606.00484@silence> <20010413154002.P14998@riseup.net> <715818.987184446@[0.0.0.0]> <20010414132424.A20772@yuggoth.net>

from the secret journal of Andy Bastien (lists@yuggoth.net):
> 
> Another technique is to use a separate logging server which has the
> transmit leads on it's ethernet connection snipped.  It's capable of
> receiving (via UDP only, since it can't ACK!) log entries, but it's
> virtually impossible to start an interactive session remotely to shut
> it down or otherwise interfere with it.  It's possible to attack the

It also can't arp. You'll need to prime the arp cache from a file for every
host that needs immutable logs. Have you tried this? I wonder if you'll even
get a link light.

A syslog that strips formfeeds and line feeds attached to a printer is a
little better, but I haven't found an efficient way to egrep with my eyes.

-- 
Jacob Kuntz
jpk@cape.com
jake@capecodvacation.com
jake@lucidpark.net
http://underworld.net/~jake

Reply to:

Follow-Ups:
- Re: Followup: Syslog
  - From: Andy Bastien <lists@yuggoth.net>

References:
- Followup: Syslog
  - From: Kenneth Vestergaard Schmidt <kenneth@bitnisse.dk>
- Re: Followup: Syslog
  - From: Micah Anderson <micah@riseup.net>
- Re: Followup: Syslog
  - From: Kevin van Haaren <kevin@vanhaaren.net>
- Re: Followup: Syslog
  - From: Andy Bastien <lists@yuggoth.net>

Prev by Date: Re: Followup: Syslog
Next by Date: Re: Logging practices (and why does it suck in Debian?)
Previous by thread: Re: Followup: Syslog
Next by thread: Re: Followup: Syslog
Index(es):
- Date
- Thread