[Dshield] DShield.py

Pieter-Bas IJdens pbijdens at emea.mi4.org.uk
Tue Nov 6 11:51:25 GMT 2001


> - copy the logfile to a different file (sorta rotate it, but don't move
> it)
> - restart the respective program or tell it to start a fresh log
> - invoke the analyzer(s) desired on the copied logfiles
>
> This way I've got plenty of time for log analysis. Drawback: I do have a
> blind spot of a few secs to a few mins. With some programs (my IDS for
> example) I can shorten that to a fraction of a second by restarting the
> service and instructing it to log to a different file/directory instead of
> copying the logfile. This still gives me a very tiny blackout of logging
> though. Anyone found a way around that? Granted, it's minor, but still...
> it's bad. :)

You could try hard linking the file, instead of copying it. That way both
files are identical. Then when the log file is rotated, the 'original' is
unlinked and the 'copy' [the hard link is suddenly transformed into a copy]
should be completely in sync.

  Pieter-Bas
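The hard-link rotation Pieter-Bas describes, as an added example that is not from the original thread: a descriptor held open stands in for the logging daemon, and the `unlink_before_restart` flag (an assumption of this example, not something the post mentions) shows why the live name has to be removed before a daemon that reopens its log with O_TRUNC is restarted, otherwise the truncation hits the shared inode and the "copy" loses everything.

```python
import os
import tempfile

LIVE_NAME = "ids.log"        # path the daemon writes to (constructed name)
SNAPSHOT_NAME = "ids.log.1"  # the hard link handed to the analyzers


def rotate_with_hardlink(logdir, unlink_before_restart=True):
    """Rotate a log with a hard link instead of a copy.

    A file descriptor held open stands in for the daemon. Returns the bytes
    the snapshot and the fresh log contain once the daemon has been restarted.
    """
    live = os.path.join(logdir, LIVE_NAME)
    snapshot = os.path.join(logdir, SNAPSHOT_NAME)

    daemon_fd = os.open(live, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    os.write(daemon_fd, b"alert 1\n")          # constructed sample line

    os.link(live, snapshot)                    # link, don't copy: same inode
    assert os.stat(live).st_ino == os.stat(snapshot).st_ino

    # Anything written between the link and the restart lands in the shared
    # inode, so the snapshot stays in sync; a copy taken earlier would miss it.
    os.write(daemon_fd, b"alert 2\n")

    if unlink_before_restart:
        os.unlink(live)   # drop the live name; the snapshot keeps the data

    # Restart: many daemons reopen their log path with O_TRUNC.
    os.close(daemon_fd)
    daemon_fd = os.open(live, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.write(daemon_fd, b"alert 3\n")
    os.close(daemon_fd)

    with open(snapshot, "rb") as f:
        snap = f.read()
    with open(live, "rb") as f:
        fresh = f.read()
    return snap, fresh


def demo():
    """Run the safe ordering and the unsafe one in scratch directories."""
    results = {}
    for unlink_first in (True, False):
        with tempfile.TemporaryDirectory() as d:
            results[unlink_first] = rotate_with_hardlink(d, unlink_first)
    return results


if __name__ == "__main__":
    for order, (snap, fresh) in demo().items():
        print("unlink before restart:", order, "snapshot:", snap, "fresh:", fresh)
```

With the unlink done first the snapshot holds both lines written before the restart and the fresh log only the line written after it; without it the snapshot is truncated along with the live file. Hard links only work within one filesystem, so the snapshot has to live on the same volume as the log.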
