I'd say most people do daily backups of log files and other server related stuff.
If someone was to hack into your server, wouldn't they delete the logs?
Is it better practice to backup logs more often?
If you're worried about someone breaking in and deleting the logs, you could always have the syslog program log both to the drive and to another computer set up to receive syslogs. That machine could also be set to allow no other outside connections. Otherwise, once a day is better than I've seen some do. But, that's just my opinion. Others might have a better idea.
I don't back up logs at ALL. What I do, for security's sake, is to mirror my logs... locally to a file, and to a centralized syslog server. That server is running syslog-ng, and each server's log file data is split into a different file, based on incoming IP address.
If someone compromises a server, even if they erase the local log, I've got the mirror untouched on another server, which they probably couldn't compromise, since it's behind some stout firewall hardware.
I don't have the ability to set up a syslog server anywhere else at present as I only have 1 server running. My other possible server is merely a hosting company, I do not have root access. What I can access on that server though is ftp, sftp, and the webserver.
Any bodge I could do to mirror files to that?
Not secure though, as anyone getting into the server could potentially find the stored ftp password.
Is that not technically the same thing as backing up your logs? You have a copy of them somewhere else.
In a way, yes, but not really. I always view backups as being able to grab old ones from archive/tape/whatever, whereas this is just a copy of what's there right now. If I lose log files, I don't care too much about it... the system keeps chugging away, and recreates them.
Sure...set up a simple CRON job to SCP the file(s) over to another box every now and then. A simple expect script, and something like "scp <logfilename> <userid>@<ip address of other box>:`date`-logfilename", would do it. Tweak the date string to put something friendly in the name, so it creates unique files, if you want, or leave that out...can always be FTP or another protocol, too....
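A worked version of the cron-plus-scp idea above, written as an added example rather than anything posted in the thread. It assumes key-based SSH login to the receiving box (so no password sits in an expect script for an intruder to find), and the host, user, directory and log list are placeholders to adjust.

```shell
#!/bin/sh
# shiplogs.sh (hypothetical name): copy log files to another box with a
# timestamped name so every run creates a unique remote file.
# Suggested crontab line for hourly copies:  0 * * * * /usr/local/bin/shiplogs.sh --run

LOG_HOST="${LOG_HOST:-logs.example.invalid}"   # placeholder receiving host
LOG_USER="${LOG_USER:-logcopy}"                 # placeholder remote user
LOG_DIR="${LOG_DIR:-incoming}"                  # placeholder remote directory
LOG_FILES="${LOG_FILES:-/var/log/auth.log /var/log/syslog}"

# remote_name FILE STAMP -> "STAMP-basename", e.g. 20240101-120000-auth.log
remote_name() {
    printf '%s-%s\n' "$2" "$(basename "$1")"
}

# ship_logs: copy each readable log with a unique name; returns non-zero
# if any copy failed, so cron mails you instead of silently losing a run.
ship_logs() {
    stamp=$(date +%Y%m%d-%H%M%S)
    rc=0
    for f in $LOG_FILES; do
        [ -r "$f" ] || { echo "skipping unreadable $f" >&2; continue; }
        target="$LOG_USER@$LOG_HOST:$LOG_DIR/$(remote_name "$f" "$stamp")"
        # -p keeps the file's mtime; BatchMode=yes makes scp fail rather than
        # hang waiting for a password when run unattended from cron.
        scp -q -p -o BatchMode=yes "$f" "$target" || rc=1
    done
    return $rc
}

# Only copy when invoked with --run, so the functions can be sourced safely.
if [ "${1:-}" = "--run" ]; then
    ship_logs
fi
```

Give the remote user a restricted key (e.g. only accepting uploads into the one directory) so a stolen key from the compromised box cannot be used to read or delete what was already copied.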
Well, that's what I do but it's only once a day. I guess it will have to do. Once an hour is probably overkill but if anything happens, it'd be nice to have up to the second logs.
Well, one thing you can do is to simply log to two places on the disk. One standard, and one non-standard. That way, unless they check the config file for syslog, they'll only delete one copy and you will still have a backup somewhere hidden on the drive.