EXPERT RESPONSE
That decision should ultimately be driven by your company's written security policy, but in general, the first thing to consider is how far back you want to be able to go as far as audit trails and investigations? Compare that to how far back your log goes with its current size limit. Depending on how much activity gets logged every day, you may be able to keep several months of activity online and just allow the log to overwrite as necessary. However, without archiving the security log you lose some ability to respond to and recover from attacks. If an attacker succeeds in gaining sufficient authority to your system, one of the first things he will do is clear the logs to hide details of his intrusion. Therefore, for best security, you should ideally archive logs to a separate and secure server as frequently as possible.
You can do this yourself by scheduling a script that runs dumpel (a resource kit utility), or there are plenty of security log products that provide archival functionality and more, including Dorian's EventArchiver, GFI's LANGuard SELM, Sentry II from EngageNT and EventTracker from Prism Microsystems.
|
