Re: Canaries!
> as they are aware of the when/how/where of sys logs it wouldn't be that difficult to fake said logs
An entirely correct point - so that's something else to watch out for when trying to figure out WTF the logs mean once they have been filled with all that chaff and sorting out the actual start point depending on how clever they have or have not been.
Also important is to ensure the logging machine only ever accepts logging messages and no other connections etc etc I realise I'm preaching to the choir now... perhaps syslog boxes should boot from a self-destructing USB stick and record everything to WORM drives or is that just standard practice now...?
Biting the hand that feeds IT
