SANS ISC: DShield Sensor SANS ISC InfoSec Forums

DShield Sensor
I've started submitting my logs recently and I think I've now timed it correctly so that dshield.py runs a few hours after my logs have rotated, and the rotated log (messages.1) is the one that is submitted.

However, I've logged in today and it only shows ~300 entries (which date from about midnight Aug 21, up to 3AM when the logs are rotated).
My logs are rotated as follows each morning:

3AM UK Time - Logs rotated
7AM UK Time - Rotated Logs submitted

Therefore the rotated logs for today contained entries for yesterday (Aug 20th from 3AM) all the way up to 3AM on Aug 21st. But I can only see August 21st logs when I log in to the website?

When setting up dshield.py, I reviewed the test emails it sent me and it definitely parses the logs spanning the two days, so is it likely that it failed to send ISC two days' worth of logs on this occasion, or does ISC reject logs that are not from the current date?

Thanks.
Thomas
