Richard, Yes, i acknowledge the meaning of logs. Who would not !
I'm just reverting the order .... like DENY, ALLOW. It's desktop machines, not servers. I'm not going to trace attacks back over weeks, or seacrh for weird things which happened yesterday. I'm almost always interested in today, and the last 30 minutes, only. So i'll rather install and organize anything necessary only if needed, instead of keep it running with no need, for years. And no system crash on any of my various computers, for many years now ... but why would i bother about crashes ? If they happen repeatedly, i launch the logging and find out the reason. If it was a one time exception (do they exist?), i can wait if it really happens again. But that's not even the point. The point is, in nearly all serious cases, the most recent dmesg and X log is all i need. Which does not require a syslogd. And if i do experiments, like recently changing a videodriver or screw up with a framebuffer, then i usually know what i was doing and how to fix it. Usually at console mode. Worst case, need boot stick. Of course there can be minor issues. For me it's avtually only one. Some 'services' log directly even w/o syslog - since my var/log is tmpfs, i need to creatie their log folders by script at boot time, or they will launch-die. For me, that is only apache2 and tiger, on some machines. (Apache used for local things). It's no big deal, i need that boot script anyway, it's quite useful for various things. Well the topic was /var tmpfs and we are talking /var/log now. I reserved 50M for this /var/log tmpfs but never get more than a few Megs at best, even after days without reboot. And /var/cache itself is just empty most of the uptime - except for the apt directory, when i do updates. As i pointed out (did i?) it's safer to create one huge tmpfs and link all the memory suckers there, and i use /tmp for it. So, since i don't need to keep packages or pkgcache.bin, with fast bandwidth, i was able to link just the whole /var/cache into the main tmpfs. If i'm going to do a lot of up- and downgrading, and want to keep packages, i'll just switch that link off. But it really rarely happens. So far that works for me.
