LinuxQuestions.org
Old 08-10-2009, 12:16 PM   #1
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Rep: Reputation: 30
what is good practice for log backups?


I'd say most people do daily backups of log files and other server related stuff.
If someone was to hack into your server, wouldn't they delete the logs?
Is it better practice to backup logs more often?
 
Old 08-10-2009, 02:24 PM   #2
nuwen52
Member
 
Registered: Feb 2009
Distribution: Debian, CentOS 5, Gentoo, FreeBSD, Fedora, Mint, Slackware64
Posts: 208

Rep: Reputation: 46
If you're worried about someone breaking in and deleting the logs, you could always have the syslog program log both to the drive, and to another computer set up to receive syslogs. That machine could also be set to allow no other outside connections. Otherwise, once a day is better than I've seen some do. But, that's just my opinion. Others might have a better idea.
 
Old 08-10-2009, 02:33 PM   #3
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,699

Rep: Reputation: 7972
Quote:
Originally Posted by qwertyjjj
I'd say most people do daily backups of log files and other server related stuff.
If someone was to hack into your server, wouldn't they delete the logs?
Is it better practice to backup logs more often?
I don't back up logs at ALL. What I do, for security's sake, is to mirror my logs....locally to a file, and to a centralized syslog server. That server is running syslog-ng, and each server's log file data is split into a different file, based on incoming IP address.

If someone compromises a server, even if they erase the local log, I've got the mirror untouched on another server, which they probably couldn't compromise, since it's behind some stout firewall hardware.
 
Old 08-10-2009, 02:50 PM   #4
SteveThePirate
Member
 
Registered: Aug 2009
Distribution: Ubuntu
Posts: 62

Rep: Reputation: 16
Is that not technically the same thing as backing up your logs? You have a copy of them somewhere else.
 
Old 08-10-2009, 03:16 PM   #5
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by TB0ne
I don't back up logs at ALL. What I do, for security's sake, is to mirror my logs....locally to a file, and to a centralized syslog server. That server is running syslog-ng, and each server's log file data is split into a different file, based on incoming IP address.

If someone compromises a server, even if they erase the local log, I've got the mirror untouched on another server, which they probably couldn't compromise, since it's behind some stout firewall hardware.
I don't have the ability to set up a syslog server anywhere else at present as I only have 1 server running. My other possible server is merely a hosting company, I do not have root access. What I can access on that server though is ftp, sftp, and the webserver.
Any bodge I could do to mirror files to that?
Not secure though as anyone getting into the server could potentially find the stored ftp password.
 
Old 08-10-2009, 03:37 PM   #6
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,699

Rep: Reputation: 7972
Quote:
Originally Posted by SteveThePirate
is that not technically the same thing as backing up your logs? You have a copy of them somewhere else.
In a way, yes, but not really. I always view backups as being able to grab old ones from archive/tape/whatever, whereas this is just a copy of what's there right now. If I lose log files, I don't care too much about it...the system keeps chugging away, and recreates them.
 
Old 08-10-2009, 03:39 PM   #7
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,699

Rep: Reputation: 7972
Quote:
Originally Posted by qwertyjjj
I don't have the ability to set up a syslog server anywhere else at present as I only have 1 server running. My other possible server is merely a hosting company, I do not have root access. What I can access on that server though is ftp, sftp, and the webserver.
Any bodge I could do to mirror files to that?
Not secure though as anyone getting into the server could potentially find the stored ftp password.
Sure...set up a simple CRON job to SCP the file(s) over to another box every now and then. A simple expect script, and something like "scp <logfilename> <userid>@<ip address of other box>:`date`-logfilename", would do it. Tweak the date string to put something friendly in the name, so it creates unique files, if you want, or leave that out...can always be FTP or another protocol, too....
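
A cron-driven form of the copy suggested in the post above, as an added example that is not part of the original thread or written by any poster: it builds a sortable, space-free timestamped name and pushes with scp using a key rather than an expect-fed password. The remote account, key path, destination directory and script path are placeholders.

```shell
#!/bin/sh
# Added example: ship timestamped copies of log files to another box from cron.
# REMOTE, KEY and DEST_DIR are placeholders, not values from the thread.
REMOTE="${REMOTE:-backupuser@backup.example.org}"
KEY="${KEY:-/root/.ssh/logship_key}"
DEST_DIR="${DEST_DIR:-logs}"
SCP="${SCP:-scp}"

# remote_name <logfile> <timestamp> <host> -> <timestamp>-<host>-<basename>
# Anything outside [A-Za-z0-9._-] becomes "_", so the name never needs quoting
# on the far side (plain `date` output has spaces and colons in it).
remote_name() {
    printf '%s-%s-%s\n' "$2" "$3" "$(basename "$1")" | tr -c 'A-Za-z0-9._\n-' '_'
}

# ship_log <logfile>: copy one file under a unique, sortable name.
ship_log() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    name=$(remote_name "$1" "$stamp" "$(uname -n)")
    # BatchMode: fail instead of prompting, so a cron run can never hang.
    # StrictHostKeyChecking: refuse to send logs to a host whose key is not
    # already in known_hosts or has changed.
    $SCP -q -p -i "$KEY" -o BatchMode=yes -o StrictHostKeyChecking=yes \
        "$1" "$REMOTE:$DEST_DIR/$name"
}

# ship_all <logfile>...: try every file, report failure if any copy failed.
ship_all() {
    rc=0
    for f in "$@"; do
        ship_log "$f" || rc=1
    done
    return "$rc"
}

# Hourly from root's crontab (script path is hypothetical):
#   0 * * * * /usr/local/sbin/logship.sh /var/log/secure /var/log/messages
[ "$#" -eq 0 ] || ship_all "$@"
```

The key is readable by anyone who gains root on the sending server, which is the weakness raised earlier in the thread for a stored FTP password, so the receiving account should hold nothing but these copies.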
 
Old 08-10-2009, 03:47 PM   #8
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by TB0ne
Sure...set up a simple CRON job to SCP the file(s) over to another box every now and then. A simple expect script, and something like "scp <logfilename> <userid>@<ip address of other box>:`date`-logfilename", would do it. Tweak the date string to put something friendly in the name, so it creates unique files, if you want, or leave that out...can always be FTP or another protocol, too....
Well, that's what I do but it's only once a day. I guess it will have to do. Once an hour is probably overkill but if anything happens, it'd be nice to have up to the second logs.
 
Old 08-10-2009, 04:00 PM   #9
nuwen52
Member
 
Registered: Feb 2009
Distribution: Debian, CentOS 5, Gentoo, FreeBSD, Fedora, Mint, Slackware64
Posts: 208

Rep: Reputation: 46
Well, one thing you can do is to simply log to two places on the disk. One standard, and one non-standard. That way, unless they check the config file for syslog, they'll only delete one copy and you will still have a backup somewhere hidden on the drive.
 
  

