From: Matt Ruzicka
To: freebsd-isp@freebsd.org
Date: Mon, 22 Aug 2005 16:38:43 -0600 (MDT)
Subject: Creating a Log Retention Policy

Last year I attended a session at USENIX on system logging in which the instructor (Marcus Ranum) discussed the importance of having a clearly defined (and enforced) log retention policy. From what I remember of this portion of the lecture (the slides and my notes are lacking in details) he stressed that this policy would help significantly in the case of litigation, but it obviously would also give a solid policy for defining expectations and maintaining consistency between servers.

A year later (*cough, cough*) I've started to compile ideas for this policy, but am having a bit of trouble finding good guidelines to follow.

I was wondering if others currently had a clearly defined log retention policy for their organization and, if so, how they went about creating it?

Thanks in advance for any feedback.

Matthew Ruzicka - Systems Administrator
Front Range Internet, Inc.
matt@frii.net - (970) 212-0728

Got SPAM? Take back your email with MailArmory.
http://www.MailArmory.com