"Rodolfo J. Paiz" wrote: > Thanks, Martin. As a related question: I log everything that's in > syslog.conf to another machine over the network. However, I have also > noticed that the log messages being written to disk is not allowing > the firewall's disk to spin down for long... every few minutes it has > to spin up again. One thing to consider here is to not write the --MARK-- entries, or write them only every hour or so (default: each 20 minutes). > Do you see a major downside or risk to _only_ logging over the > network to the remote syslog server? I'm thinking this could allow me > to promote more aggressive power conservation for the firewall and a > couple of other small servers. Downside: If the network is down, nothing is logged, ditto if the log server crashes. And if the firewall crashes, the log on disk (if done synchronously and without disk caching - a real performance hog) might contain a few (maybe important for finding the crash reason) more lines than the log on the log server. But an intruder might have difficulty to eliminate his traces from the log server, while that's easy on the local disk. But speaking of firewalls, my firewalls *never* have any disk in them! I boot them from CD-ROM - absolutely no chance to install a rootkit because it cannot be written anywhere. You could also boot from the internal network, but then an intruder could compromise the place you boot from. So I have to log over the network, and I have not encountered any problems yet. Best regards, Martin Stricker -- Homepage: http://www.martin-stricker.de/ Linux Migration Project: http://www.linux-migration.org/ Red Hat Linux 9 for low memory: http://www.rule-project.org/ Registered Linux user #210635: http://counter.li.org/ -- Shrike-list mailing list Shrike-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/shrike-list
