People often mention the D-O-S attack possible even if you have a secure logging host, that being send it gigabytes of trash. If you don't have a secure logging host, there's also a possibility of someone breaking in and then trashing the logfile to hide their tracks. This brought to mind the idea of a "syslog monitor", or a process that would just hang out someplace and stat the various log files periodically, using some mechanism to warn of excessive size, mysterious shrinkage, and maybe some other warning signs. There are a lot of potential problems to be considered, especially if the monitor is running on the same machine that just got cracked, but would such a thing be useful? It could even be built into syslog itself, starting with, oh, the fwtk version or something. _H*