NTP Footprinting
Since there can be a lot of clock drift out there, there can be some question as to whether or not a system's time stamps on logs can be really trusted.
I use two strategies for recording sequence-of-events logs:
- Log everything to a central machine.
Most syslog daemons won't cache records locally if they have a remote system to send them to. The central syslog won't cache either when it is receiving data streams from multiple machines, and it applies its own timestamp to each record as it arrives. If you trust the clock on the central machine, you usually end up with a reasonably trustworthy time-stamped sequence of events that is accurate to within a couple of seconds.
- Run ntp and periodically log the time source.
In cron:
0 6,18 * * * /usr/sbin/ntpq -p | grep '*' | logger -t ntp
Or, if you have a newer distro with systemd (chrony rather than ntpd):
0 6,18 * * * /usr/bin/chronyc tracking | egrep 'time|off' | logger -t ntp
This logs, twice a day, the server the clock is currently locked to, proving that the clock on the relevant machine is reasonably trustworthy for time-stamping purposes.
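An added example, not code from the original post: a small POSIX shell wrapper for the ntpq variant of the cron job above. The bare pipeline logs nothing at all when no peer is selected (grep '*' matches no line), so an unsynced clock leaves a silent gap in the trail; this version logs an explicit record either way and flags offsets above an assumed threshold (MAX_OFFSET_MS, 500 ms by default, chosen here). The sample ntpq -p output is constructed.

```shell
#!/bin/sh
# Added example (not the original post's code). Wraps the twice-daily check so an
# unsynced clock produces an explicit log record instead of silence.
# Assumes the classic `ntpq -p` column layout (offset is the 9th column, in ms).
# MAX_OFFSET_MS is an assumed threshold for flagging drift.
MAX_OFFSET_MS=${MAX_OFFSET_MS:-500}

# Constructed sample output of `ntpq -p` with a selected peer ('*' in column 1).
SAMPLE_SYNCED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.example.net 10.0.0.5         2 u   42   64  377    1.234    0.512   0.089
+ntp2.example.net 10.0.0.6         2 u   10   64  377    2.001   -1.340   0.120'

# Constructed sample where the daemon has not yet selected any peer: no '*' line.
SAMPLE_UNSYNCED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ntp1.example.net .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# ntp_status TEXT: prints one summary line and returns 0 only if a peer is selected
# and |offset| <= MAX_OFFSET_MS; returns 1 for "unsynced" or "drift".
ntp_status() {
    printf '%s\n' "$1" | awk -v max="$MAX_OFFSET_MS" '
        /^\*/ { peer = substr($1, 2); off = $9; found = 1 }
        END {
            if (!found) { print "unsynced no peer selected"; exit 1 }
            a = (off < 0) ? -off : off
            state = (a > max) ? "drift" : "synced"
            printf "%s peer=%s offset_ms=%s\n", state, peer, off
            if (a > max) exit 1
            exit 0
        }'
}

# Cron entry point: replaces the bare pipeline and keeps the post's `logger -t ntp` tag.
# A missing or failing ntpq is treated as "no peer selected" rather than logged as nothing.
log_ntp_status() {
    out=$(ntpq -p 2>/dev/null) || out=""
    msg=$(ntp_status "$out")
    rc=$?
    logger -t ntp "$msg"
    return $rc
}
```

Point the cron line at log_ntp_status instead of the pipeline; the absence of a "synced" record then means the job did not run, not that the clock happened to be unlocked.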