[syslog-ng] Logs out of control

Valdis.Kletnieks at vt.edu
Sat Oct 6 06:27:20 CEST 2007


On Fri, 05 Oct 2007 15:33:30 EDT, John Hala said:

> how would you cut up the partition...  by day?

This would of course depend on your local requirements - but units such as
"by day", "by week", "by month" certainly come to mind.  You will also want to
consider how easy it is to implement local policy/legal requirements such as
"logs of XYZ events *must* be kept 180 days", "logs of ABC *must* be discarded
after 90 days", and so on.  Also add in things like "how many records per
day", and "how many machines", and so on.

You may want to consider using slightly larger time units, such as "month"
or "last 30 days", to simplify your life when you're asked to produce log
entries for "ABC for the last week", or consider some other partition such
as "per machine per month" if that makes sense in your network.

If it helps any, I also manage a server that tracks IDS incidents, and the
useful quantities there are "last 2 hours", "last 24 hours", "this month",
and "forever".  
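As an added illustration of the partitioning and retention rules discussed in this thread (example code written for this page, not something the poster or the syslog-ng project shipped), the script below plans retention over day-partitioned log files. It assumes a hypothetical directory layout of the kind a syslog-ng file destination with a template like `/var/log/$YEAR/$MONTH/$DAY/$HOST/$PROGRAM.log` would produce; the policy table, the log class names (`auth`, `web`, `misc`), the sample paths and the "today" date are all constructed. It separates the two obligations mentioned above, "must be kept N days" (a hold that blocks deletion) and "must be discarded after N days" (a forced purge), and also answers the "ABC for the last week" request by selecting partitions in a date window.

```python
"""Retention planning over day-partitioned syslog-ng log files (added example).

Assumed layout (hypothetical): each day's logs sit in their own directory, as a
syslog-ng file destination with a template such as
/var/log/$YEAR/$MONTH/$DAY/$HOST/$PROGRAM.log would produce.
"""
from datetime import date, timedelta
import re

# Constructed policy, keyed by log class (the file's basename). Two distinct
# obligations are modelled: a minimum hold ("must be kept N days") and a
# maximum age ("must be discarded after N days"). None means no such rule.
POLICY = {
    "auth": {"keep_at_least": 180, "discard_after": None},
    "web":  {"keep_at_least": None, "discard_after": 90},
    "misc": {"keep_at_least": None, "discard_after": 30},
}

PARTITION_RE = re.compile(
    r"^/var/log/(?P<y>\d{4})/(?P<m>\d{2})/(?P<d>\d{2})/(?P<host>[^/]+)/(?P<cls>[^/.]+)\.log$"
)


def parse_partition(path):
    """Return (day, host, cls) for a path in the assumed layout, else None."""
    m = PARTITION_RE.match(path)
    if not m:
        return None
    try:
        day = date(int(m["y"]), int(m["m"]), int(m["d"]))
    except ValueError:  # e.g. a stray directory named 2007/02/30
        return None
    return day, m["host"], m["cls"]


def plan_retention(paths, today, policy=POLICY):
    """Classify partition files into delete / hold / keep / unknown.

    delete:  older than the class's discard_after limit (must go).
    hold:    within the class's keep_at_least window (must not go).
    keep:    neither rule applies today; operator's choice.
    unknown: unparsable path or a class without a policy; never touched.
    A partition is "N days old" when today - day == N, so discard_after=90
    purges it on day 91.
    """
    result = {"delete": [], "hold": [], "keep": [], "unknown": []}
    for path in paths:
        parsed = parse_partition(path)
        if parsed is None or parsed[2] not in policy:
            result["unknown"].append(path)
            continue
        day, _host, cls = parsed
        age = (today - day).days
        rule = policy[cls]
        if rule["discard_after"] is not None and age > rule["discard_after"]:
            result["delete"].append(path)
        elif rule["keep_at_least"] is not None and age <= rule["keep_at_least"]:
            result["hold"].append(path)
        else:
            result["keep"].append(path)
    return result


def select_window(paths, cls, start, end):
    """Partitions of one class with start <= day <= end (e.g. "web, last week")."""
    hits = []
    for path in paths:
        parsed = parse_partition(path)
        if parsed and parsed[2] == cls and start <= parsed[0] <= end:
            hits.append(path)
    return sorted(hits)


# Constructed sample inventory, as a directory walk over the tree might list it.
SAMPLE_PATHS = [
    "/var/log/2007/10/05/host1/auth.log",
    "/var/log/2007/04/01/host1/auth.log",
    "/var/log/2007/07/01/host1/web.log",
    "/var/log/2007/10/03/host1/web.log",
    "/var/log/2007/09/01/host2/web.log",
    "/var/log/2007/09/30/host2/misc.log",
    "/var/log/2007/08/15/host2/misc.log",
    "/var/log/2007/10/01/host3/debug.log",
    "/var/log/messages",
]
TODAY = date(2007, 10, 6)                       # constructed reference date
LAST_WEEK = (TODAY - timedelta(days=7), TODAY)  # window for "the last week"

if __name__ == "__main__":
    for bucket, files in plan_retention(SAMPLE_PATHS, TODAY).items():
        print(bucket, files)
    print("web, last week:", select_window(SAMPLE_PATHS, "web", *LAST_WEEK))
```

The point of the four buckets is that a legal hold and a forced purge are different obligations: a file can be old enough to be eligible for deletion without any rule forcing it out, and unparsable or unclassified files are reported rather than silently deleted. Coarser partitions (per month, per host per month) only change the regular expression and the date granularity; the hold/purge logic stays the same.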