You may not want to store logs for too long
Authored by: nickp on Oct 07, '04 02:18:32PM

This is a cool idea, and thanks to Derekhed for working it out and posting it!

I want to add one caveat, however (which may only be appropriate in a large multi-user environment). Back when I used to do sysadmin work, as a matter of policy we *deliberately* made sure we didn't keep logs for more than two weeks ... and that the logs weren't accidentally being backed up somewhere.

If a machine ever becomes the focus of a legal investigation (perhaps only because it was broken into and then used to cause problems elsewhere), you will be amazed at how broad and inclusive the power of a subpoena is.

The first time you waste four entire days spinning old backup tapes in order to comply with one, you will understand. If you have a record, it can be subpoenaed -- and they invariably ask for everything, and you must comply -- it's much better to be able to say, in all honesty, "we don't have that record." Subpoenas are frequently just fishing expeditions, and they don't really need or use all the data they request. That doesn't excuse the sysadmin from the legal requirement to fulfill the request, however.

Perhaps simply snapping the logfile CDs in half after a month or two is sufficient. Another thing to keep in mind is that OS X logfiles are extremely chatty, with all sorts of potentially personal information (like what videos you've been watching with VLC, for instance ...).


