Sunday, August 26, 2007

To log or not to log

Don't you love the corporate policy:
Internet facing systems should retain all log files for a minimum of 60 days.
Sounds great, doesn't it? In theory you could then see what has been going on.


Even better, move the log files off these devices to a much more 'secure' loghost.

Okay, now we're talking!

So now we've got 30+ devices (firewalls, SMTP routers, proxy servers, SOCKS proxies, etc.) all logging to one box.
Just how much space do you think you'd need?

Let's just check:

Filesystem Size Mounted on
/dev/sdb1  68G  /var/log

So apparently it's less than 70GB.

Q: How much do we log daily?
A: ~12GB a day per device (and yes, they have turned on full debugging!).

Hmm... don't do the maths: 30 x 12GB...
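The sums the post refuses to do, as an added example that is not part of the original post: a small retention-capacity check that reads df-style output for the loghost's /var/log, works out how much space the 60-day policy actually needs for the stated 30 devices at ~12GB/day each, and projects how long the remaining space lasts. The df text, device count and per-device volume are constructed from the figures quoted above; the function and field names are my own.

```python
"""Log-retention capacity check (added example, not from the original post).

Constructed inputs, taken from the figures in the post: 30 devices each
writing ~12 GB/day to one loghost whose /var/log is a 68 GB filesystem,
and a policy requiring 60 days of retention.
"""
import re

# Constructed sample shaped like `df -h /var/log` output (not a real capture).
SAMPLE_DF = """Filesystem      Size  Used Avail Use% Mounted on
/dev/sdb1        68G   12G   56G  18% /var/log
"""

# df -h suffix -> multiplier to gigabytes (binary units, as df uses)
_UNITS = {"K": 1 / (1024 ** 2), "M": 1 / 1024, "G": 1.0, "T": 1024.0}


def parse_size_gb(token):
    """Convert a df -h size token such as '68G' or '1.5T' into gigabytes."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMGT]?)", token)
    if not m:
        raise ValueError(f"unrecognised size token: {token!r}")
    value, unit = m.groups()
    return float(value) * _UNITS.get(unit, 1.0)


def parse_df(text, mountpoint):
    """Return (size_gb, avail_gb) for `mountpoint` from df -h style output.

    The header line is skipped; on data lines the mount point is the last
    field, size is field 1 and available space is field 3.
    """
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 6 and fields[-1] == mountpoint:
            return parse_size_gb(fields[1]), parse_size_gb(fields[3])
    raise KeyError(f"{mountpoint} not found in df output")


def required_retention_gb(devices, gb_per_device_per_day, retention_days):
    """Space needed to keep `retention_days` of logs from all devices."""
    return devices * gb_per_device_per_day * retention_days


def hours_until_full(avail_gb, devices, gb_per_device_per_day):
    """Hours of headroom left at the current aggregate write rate."""
    daily_gb = devices * gb_per_device_per_day
    return avail_gb / daily_gb * 24


def assess(df_text, mountpoint, devices, gb_per_device_per_day, retention_days):
    """Compare the retention policy against what the filesystem can hold."""
    size_gb, avail_gb = parse_df(df_text, mountpoint)
    need_gb = required_retention_gb(devices, gb_per_device_per_day, retention_days)
    daily_gb = devices * gb_per_device_per_day
    return {
        "size_gb": size_gb,
        "avail_gb": avail_gb,
        "required_gb": need_gb,
        "shortfall_gb": max(0.0, need_gb - size_gb),
        # Days of logs the whole filesystem could hold even if it were empty.
        "days_retainable": size_gb / daily_gb,
        "hours_until_full": hours_until_full(avail_gb, devices, gb_per_device_per_day),
        "policy_met": size_gb >= need_gb,
    }


if __name__ == "__main__":
    report = assess(SAMPLE_DF, "/var/log", devices=30,
                    gb_per_device_per_day=12, retention_days=60)
    for key, value in report.items():
        print(f"{key:>18}: {value:.2f}" if isinstance(value, float) else f"{key:>18}: {value}")
```

With the post's numbers the policy needs 21,600GB (about 21TB) against a 68GB volume, and the 56GB still free is gone in under four hours, which is the arithmetic behind the nightly pages.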

Managers now wonder why we get paged out multiple times a night to fix the mess.
Easy answer, you say: add more disk.

You would think. It was raised 6 months ago... and apparently the purchase order was 'being raised'.
We've been given explicit instructions that we are not allowed to delete anything, or even turn off the full debugging.

Even worse, the box wasn't set up with LVM/RAID or anything remotely useful.

Q: So where are we now?
A: The 'workaround' we've been instructed to use: copy the data onto other, non-loghost production machines... so the machine is now constantly splattering logs across a host of other machines. And no, we haven't been able to use any network-mounted file systems... so it's scp'ing the stuff over (which no-one actually ever bothers to read anyway).
