In response to my post regarding core-sdi's secure syslogd - ssyslogd.

Sorry it has taken me so long to post this...been super busy...

I didn't get a lot of responses back from the list regarding ssyslogd. Just a couple of people who said they were using it, and it was working.

I grabbed the latest version (ssyslogd-1.22) from http://www.core-sdi.com/ssyslog/. I had a problem compiling it on Redhat 5.0, but a small modification and it went. Their site says it compiles on

- OpenBSD 2.1, 2.2 and 2.3
- Linux Slackware 2.0.x
- SunOs 4.1.4
- Solaris 2.5.1
- FreeBSD 2.2.5

I sent them an email, and they said they would be updating the dist to compile with the new glibc as well...

Quote from core-sdi:

"Designed to replace the syslog daemon, ssyslog implements a cryptographic protocol called PEO-1 that allows the remote auditing of system logs. Auditing remains possible even if an intruder gains superuser privileges in the system, the protocol guarantees that the information logged before and during the intrusion process cannot be modified without the auditor (on a remote, trusted host) noticing."

I grabbed the win32 auditing tool from their site, and it worked fine. You can only audit logs from a remote machine, no auditing on the local machine is allowed. They have a Unix auditor as well that comes with the source dist.

Replaced syslogd with the new ssyslogd, and it ran fine with the syslog.conf I had. Add [peo] to the syslog.conf entry, and it implements PEO-1.

    authpriv.* [peo] /var/log/secure

and so on...

It has been up for about a week without a hitch.

Mark
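
The post does not say how PEO-1 works internally. As an added example (not part of the original post, and not Core-SDI's code or the PEO-1 specification), the following shows the general idea of tamper-evident remote log auditing with an evolving key, assuming an HMAC-SHA256 chain. The names `evolve`, `LoggingHost` and `audit` and the sample log lines are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample entries (not from the original post).
SAMPLE = [
    "Jul  1 10:00:01 host login: session opened for user alice",
    "Jul  1 10:02:17 host su: authentication failure for root by alice",
    "Jul  1 10:02:30 host su: session opened for user root by alice",
]

def evolve(key: bytes, entry: str) -> bytes:
    """One-way step: next key = HMAC-SHA256(current key, entry)."""
    return hmac.new(key, entry.encode(), hashlib.sha256).digest()

class LoggingHost:
    """Stores the log and only the current key; older keys are overwritten."""
    def __init__(self, initial_key: bytes):
        self.key = initial_key
        self.lines = []

    def log(self, entry: str) -> None:
        self.lines.append(entry)
        self.key = evolve(self.key, entry)

def audit(initial_key: bytes, lines, reported_key: bytes) -> bool:
    """Remote auditor: replay the log from the initial key and compare."""
    key = initial_key
    for entry in lines:
        key = evolve(key, entry)
    return hmac.compare_digest(key, reported_key)

def demo():
    # Assumption: the initial key is shared once with the remote auditor.
    k0 = hashlib.sha256(b"constructed initial key").digest()
    host = LoggingHost(k0)
    for line in SAMPLE:
        host.log(line)
    before = audit(k0, host.lines, host.key)
    # An earlier entry is altered on the host after the fact.
    host.lines[1] = "Jul  1 10:02:17 host su: nothing to see"
    after = audit(k0, host.lines, host.key)
    return before, after

if __name__ == "__main__":
    print(demo())
```

The audit passes on the untouched log and fails once an earlier line is changed, because the host no longer holds any key from which the altered chain could be recomputed.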