Re: Followup: Syslog
from the secret journal of Andy Bastien (firstname.lastname@example.org):
> Another technique is to use a separate logging server which has the
> transmit leads on its ethernet connection snipped. It's capable of
> receiving (via UDP only, since it can't ACK!) log entries, but it's
> virtually impossible to start an interactive session remotely to shut
> it down or otherwise interfere with it. It's possible to attack the

It also can't arp. You'll need to prime the arp cache from a file for every
host that needs immutable logs. Have you tried this? I wonder if you'll even
get a link light.

A syslog that strips formfeeds and line feeds attached to a printer is a
little better, but I haven't found an efficient way to egrep with my eyes.
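
The ARP point raised in the reply, as an added example that is not part of the original thread: a receive-only loghost never answers ARP requests, so each sending host needs a permanent neighbour entry for it. This sketch reads a table of "IP MAC" pairs, validates each line, and prints (without running) the matching `ip neigh replace` commands. The interface name `eth0`, the function names, and the sample addresses are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: dry-run generator for permanent neighbour entries, so senders
# can reach a loghost that cannot reply to ARP. Prints commands, runs nothing.

# Constructed sample table (documentation addresses, made-up MACs).
sample_table() {
cat <<'EOF'
# ip            mac
192.0.2.10      02:00:00:aa:bb:01
192.0.2.11      02:00:00:AA:BB:02
192.0.2.12      02:00:00:aa:bb      # truncated MAC, must be rejected
not-an-ip       02:00:00:aa:bb:03
EOF
}

# Dotted quad with every octet <= 255.
valid_ip() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    return 0
}

# Six colon-separated hex octets.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# stdin: "IP MAC" lines; $1: interface (assumed name). Bad lines go to stderr.
neigh_commands() {
    iface=$1
    while read -r ip mac _rest; do
        case $ip in ''|'#'*) continue ;; esac
        if valid_ip "$ip" && valid_mac "$mac"; then
            mac=$(printf '%s' "$mac" | tr 'A-F' 'a-f')
            printf 'ip neigh replace %s lladdr %s dev %s nud permanent\n' \
                "$ip" "$mac" "$iface"
        else
            printf 'rejected: %s %s\n' "$ip" "$mac" >&2
        fi
    done
    return 0
}

sample_table | neigh_commands eth0
```

Rejecting malformed lines matters here because a wrong static entry fails silently: UDP syslog gets no acknowledgement, so the sender never learns its logs are going nowhere.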