tripwire and log rotations

Author: Liberty Young
Date:  
Subject: tripwire and log rotations
Scott,

For what it's worth, make sure you also email (or store off-machine)
your logs on a scheduled basis. If your logs ever do become messed
with, or if they are just deleted, you'll have a chance of your old logs
showing up interesting things (i.e. if an attacker did some
reconnaissance beforehand).

On Thu, 2003-01-02 at 16:34, Scott H wrote:
> Well, yes, I can. But I don't WANT to exclude
> these files. I want them monitored. I just don't
> want the weekly log rotations to trigger this.
>
> > From:
> > You can specify which files to include/exclude
> > in your tripwire config file.
> > George
> >
> > Quoting Scott H <>:
> > > So now that I'm an at-home Linux user that has begun to use
> > > Linux at my company for servers (formerly all was MS), I'm
> > > faced with *NIX admin issues that are all new to me. Today's
> > > example is: I have a RH7.3 server with tripwire installed and
> > > a cron job that emails a tripwire report to me daily. Works
> > > great. RH7.3 has a log rotation system set up by default, and
> > > this works well too, rotating the logs once per week. But of
> > > course, tripwire notices each week and reports that the log
> > > files have been changed (I'm guessing it's the inode # that
> > > changes on these?) and puts it in the report. Now, I want to
> > > know if a cracker messes with my log files, of course, so I DO
> > > want tripwire to monitor these files.
> > >
> > > But I DON'T want tripwire to report on the routine, weekly log
> > > file rotation, causing me to have to go in and do an update on
> > > the tripwire db. How do I fix this?
>
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
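
Added illustration, not part of the original thread: a small shell script showing which file attributes a routine rotation changes, for the two common rotation styles (rename-and-recreate, and copy-then-truncate, which logrotate calls `copytruncate`). The temporary directory, the `messages` file name and the sample log line are constructed for the example; an integrity checker that records inode number and size will see these differences after every rotation.

```shell
#!/bin/sh
# Added example: paths, file names and the log line are constructed.

inode_of() { ls -i "$1" | awk '{print $1}'; }
size_of()  { wc -c < "$1" | tr -d ' '; }

# Rename-and-recreate: the old file is moved aside and a fresh,
# empty file is created under the original name.
rotate_rename() {
    mv "$1" "$1.1" && : > "$1"
}

# Copy-then-truncate: contents are copied out and the original
# file is emptied in place, so it stays the same file on disk.
rotate_copytruncate() {
    cp "$1" "$1.1" && : > "$1"
}

# $1 = name of a rotation function. Builds a sample log, rotates it,
# and prints which recorded attributes differ afterwards.
rotation_effect() {
    dir=$(mktemp -d) || return 1
    log="$dir/messages"
    printf 'Jan  2 16:34:01 host sshd[123]: constructed sample line\n' > "$log"

    before_inode=$(inode_of "$log")
    before_size=$(size_of "$log")
    "$1" "$log"
    after_inode=$(inode_of "$log")
    after_size=$(size_of "$log")

    i=same
    if [ "$before_inode" != "$after_inode" ]; then i=changed; fi
    s=same
    if [ "$after_size" -lt "$before_size" ]; then s=shrunk; fi

    rm -rf "$dir"
    echo "inode=$i size=$s"
}

rotation_effect rotate_rename
rotation_effect rotate_copytruncate
```

A rule that tolerates rotation has to ignore exactly these attributes for the live log, while ownership and permissions can still be checked on every run.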