21.8 Summary
Audit and log files are critical to the proper functioning of any
secure computer. Without these files, there is no way to tell what
has happened in the past—and, by extension, no way to prevent
mishaps that you have experienced from happening in the future.
Although some Unix systems maintain their own log files, the vast
majority of daemons and applications log using the Unix
syslog facility. syslog is
a powerful system that allows you to split or combine log events,
selectively transfer log messages to other computers, and even run
pagers or shell scripts.
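The splitting, combining and remote transfer described above, as an added example that is not from the book: a constructed /etc/syslog.conf fragment in classic BSD/sysklogd syntax. The host name loghost and the file paths are assumptions, and the selector field is separated from the action field by tabs.

```conf
# Constructed example syslog.conf; "loghost" and the file paths are assumed.
# Format: facility.priority<TAB>action (several selectors joined with ";").

# Combine: everything at notice or above, minus the noisy mail and
# auth facilities, lands in one general file.
*.notice;mail.none;auth.none;authpriv.none	/var/log/messages

# Split: authentication records get their own file, which should be
# readable only by root (set the file mode yourself; syslogd does not).
auth,authpriv.*	/var/log/auth.log

# Split: mail traffic is high volume, keep it out of everything else.
mail.*	/var/log/maillog

# Transfer: send security-relevant events to a separate log host as well.
# A copy an intruder cannot reach from the compromised machine is the
# one you will want after an incident.
auth,authpriv.*;kern.*	@loghost

# Notify: emergencies go to every logged-in terminal.
*.emerg	*
```

Piping a selector to a pager or shell script is supported by some syslogd implementations but the syntax differs between them, so it is left out here; check your system's syslog.conf manual page.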
Merely keeping log files is not sufficient: you must examine some or
all of your log files on a regular basis. And you must rotate and
either purge or archive your logs on a regular basis, or else they
will fill up your partition and cause your computer severe problems.
Understanding the records that your Unix system makes during its
normal operation is often critical both to understanding its normal
operation and recovering after a security incident. Good system
administrators read their logs.