R: [EROS-Arch] Error logging

Valerio Bellizzomi devbox@selnet.org
Wed, 26 Sep 2001 03:07:27 +0200


----- Original Message -----
From: Bill Frantz <frantz@pwpconsult.com>
To: Jonathan S. Shapiro <shap@eros-os.org>; Ben Laurie <ben@algroup.co.uk>
Cc: <eros-arch@mail.eros-os.org>
Sent: Tuesday, September 25, 2001 10:15 PM
Subject: Re: [EROS-Arch] Error logging
---snip ---
> >    2. How should the audit log be handled?
>
> I think there might be a place for rate limiting log entries in an audit
> log, on the assumption that, if a component is producing log entries too
> fast (for some definition of "too"), it is behaving abnormally, and should
> not be permitted to flood the log.  Also, as a practical matter, there
> probably needs to be a method of copying the audit log to cheaper/better
> protected/offline storage.


Consider also logging directly to near-offline storage via a dedicated
network line, as described in http://www.ticm.com/kb/faq/idsfaq.html#8.8


val
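The rate limiting suggested in the quoted reply, sketched as a per-component token bucket; this is an added example, not code from the thread or from EROS. The names `struct bucket` and `audit_log`, the burst and refill values, and the log line format are assumptions made for illustration. Dropped entries are counted and reported once the component is allowed to write again, so the flood itself leaves a record in the log.

```c
#include <stdint.h>
#include <stdio.h>

#define BURST 5u          /* assumed: entries a component may write back to back */
#define REFILL_PER_SEC 1u /* assumed: sustained entries per second */

/* One bucket per logging component, held by the logger, not the component. */
struct bucket {
    const char *name;
    uint64_t last_sec;   /* time of last refill */
    unsigned tokens;     /* entries the component may still write */
    unsigned suppressed; /* entries dropped since the last written one */
};

/* Returns 1 if the entry was written, 0 if it was suppressed. */
int audit_log(FILE *out, struct bucket *b, uint64_t now, const char *msg)
{
    if (now > b->last_sec) { /* refill, capped at BURST */
        uint64_t add = (now - b->last_sec) * REFILL_PER_SEC;
        b->tokens = add >= BURST - b->tokens ? BURST : b->tokens + (unsigned)add;
        b->last_sec = now;
    }
    if (b->tokens == 0) { /* flooding: drop the entry but count it */
        b->suppressed++;
        return 0;
    }
    b->tokens--;
    if (b->suppressed) /* record the flood itself in the log */
        fprintf(out, "%llu %s: %u entries suppressed\n",
                (unsigned long long)now, b->name, b->suppressed);
    b->suppressed = 0;
    fprintf(out, "%llu %s: %s\n", (unsigned long long)now, b->name, msg);
    return 1;
}

int main(void)
{
    /* Constructed run: one component floods, then logs again 2 s later. */
    struct bucket netdrv = { "netdrv", 100, BURST, 0 };
    int written = 0;
    for (int i = 0; i < 20; i++)
        written += audit_log(stdout, &netdrv, 100, "bad packet");
    written += audit_log(stdout, &netdrv, 102, "bad packet");
    return written == 6 ? 0 : 1;
}
```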