[Dshield] DShield.py

Jens Knoell jens at ing.twinwave.net
Mon Nov 5 15:41:20 GMT 2001

From: "John Sage" <jsage at finchhaven.com>
> Eelco, et al:
> > You even can make it a cronjob if you know how to (be sure
> > to add something like 5 minutes between logrotation and the script)
> >
> This may be a clue to a problem I've been having: how much time before
> and after cron rotates logs can the logs be safely accessed for writing
> into another file?
> I'm having a situation where, when I run a perl script manually it will
> pick up a port probe summary (using tail -12 /path/to/log/here ) but
> when it's run from a cron job that portion of the output is always
> missing. It's getting fired off about a minute *before* cron starts to
> rotate a whole bunch of stuff..
> The perl script itself is my hack of Dan Swan's snort2html.pl..
> Just wondering if cron timing might have something to do with this
> thnx..
> - John

Something that works for me is:

- copy the logfile to a different file (sorta rotate it, but don't move it)
- restart the respective program or tell it to start a fresh log
- invoke the analyzer(s) desired on the copied logfiles

This way I've got plenty of time for log analysis. Drawback: I do have a
blind spot of a few secs to a few mins. With some programs (my IDS for
example) I can shorten that to a fraction of a second by restarting the
service and instructing it to log to a different file/directory instead of
copying the logfile. This still gives me a very tiny blackout of logging
though. Anyone found a way around that? Granted, it's minor, but still...
it's bad. :)
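The three steps above (copy the log, tell the writer to start fresh, analyze the copy) and the blind spot they leave, reproduced as an added shell example that is not part of the original post or of snort2html.pl. It goes one step beyond the post by also showing the rename-then-reopen variant, which is the usual way to close that gap for a daemon that reopens its log on request. The log path, the "probe" lines and the simulated daemon (a file descriptor held open on the log, as a long-running process would) are all constructed for the demo.

```shell
#!/bin/sh
# Added example: copy+truncate rotation versus rename+reopen, with a
# simulated daemon writing during the rotation window.
set -eu

# Create a constructed log with three lines and print its path.
make_log() {
    dir=$(mktemp -d)
    log="$dir/probe.log"
    printf 'probe 10.0.0.1 -> 22\nprobe 10.0.0.2 -> 80\nprobe 10.0.0.3 -> 443\n' > "$log"
    printf '%s\n' "$log"
}

# Copy-then-truncate, as in the post: snapshot the file, then empty it in
# place. A line the daemon appends between the cp and the truncate is in
# the original (already copied) and then thrown away by the truncate.
# Prints how many of the 4 lines survive in snapshot + fresh log.
rotate_copy_truncate() {
    log=$(make_log)
    exec 3>>"$log"                         # daemon's open descriptor
    cp -- "$log" "$log.1"                  # 1. copy (sorta rotate)
    printf 'probe 10.0.0.4 -> 23\n' >&3    #    daemon writes in the window
    : > "$log"                             # 2. start a fresh log in place
    exec 3>&-
    echo $(( $(wc -l < "$log.1") + $(wc -l < "$log") ))   # 3: one line lost
    rm -rf "$(dirname "$log")"
}

# Rename-then-reopen: the daemon's descriptor follows the inode, so a line
# written in the window lands in the renamed file. The daemon then reopens
# the path (what a SIGHUP normally asks it to do) and nothing is lost.
# Prints how many of the 4 lines survive.
rotate_rename() {
    log=$(make_log)
    exec 3>>"$log"
    mv -- "$log" "$log.1"                  # 1. rename: same inode, new name
    printf 'probe 10.0.0.4 -> 23\n' >&3    #    daemon writes in the window
    exec 3>>"$log"                         # 2. daemon reopens the path
    exec 3>&-
    echo $(( $(wc -l < "$log.1") + $(wc -l < "$log") ))   # 4: nothing lost
    rm -rf "$(dirname "$log")"
}

# Step 3 from the post: the analyzer runs on the rotated copy, never on the
# live file, so it can take as long as it likes. Here it just counts probes.
count_probes() {
    grep -c '^probe ' -- "$1"
}

printf 'copy+truncate kept %s of 4 lines\n' "$(rotate_copy_truncate)"
printf 'rename+reopen kept %s of 4 lines\n'  "$(rotate_rename)"
```

The copy+truncate run loses the line written in the window, which is the blackout described above; the rename variant keeps it because the writer's descriptor still points at the renamed file. Whether the second variant applies depends on the program being told to reopen its log rather than restarted, which is exactly the choice between "copy the logfile" and "instruct it to log to a different file".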
