Logging
This article discusses the many different logs in Truxton and why.
Logging Design
There are several places and situations where things are logged. Truxton is designed to have a front-end GUI for humans to interact with as well as back-end systems that humans are not meant to see. This leads to different logging systems being employed for different purposes.
The Installer
The installer is made of two pieces, Truxton_Installer.exe and Truxton.msi.
The executable will gather information about the system and use it to feed parameters to the Microsoft Installer.
The executable writes a detailed trace of every step it takes to its own log file.
It also tells Microsoft Installer to write its log to the user's local app data Low (LocalLow) folder.
This folder is used because it stays writable by Microsoft Installer as it switches between the user's context and Administrator mode.
Once Microsoft Installer is finished, control is passed back to Truxton_Installer.exe, which completes the remaining installation steps.
The Desktop
The Analyst Desktop is a Windows application and writes events to its log while the program runs. Any errors or warnings that are not worth displaying to the user are written here.
The desktop also logs any significant user activity to the [InvestigatorAction] table in the database.
This table is the basis of the "Investigator Log" report.
The Truxton Service
The Truxton Service logs to the Windows Application event log. This allows Windows monitoring and control processes to keep track of what the service is doing, and it is Microsoft's best practice for services to log to the event log. In a cloud environment, these log messages are forwarded to a central monitoring service so that problems are detected.
Off-Machine Logging
Truxton also uses syslog for high-volume situations. Typically, the more log messages you have, the less value each one carries: they produce a large amount of noise with just a few nuggets of information. If you turn this log on, you will see a steady stream of messages from every part of Truxton. This lets you follow each file created during exploitation as it flows through every ETL. You can use a commercial syslog server, Truxton's server, or syslog running on a separate machine.
The Load Log
Load and all ETLs write to the Load Log as well as to syslog.
Since any number of processes running on any number of machines write to the Load Log, it does not physically exist as a single file until the load is finished.
This is accomplished by having the different processes write their messages to the [Log] table in the database, from which the Load Log is assembled afterwards.
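As an added example that is not Truxton's own code, here is a small sqlite3 model of the design described above: rows written by several processes on several machines land in a shared [Log] table, and the Load Log for one load is materialised from them only afterwards; the second function follows a single file through the ETLs, which is the same view the syslog section describes. The column names, process names and sample rows are assumptions made for illustration; the real [Log] schema is not documented on this page.

```python
import sqlite3

# Column names are assumptions for illustration; the real Truxton [Log]
# schema is not documented on the page this example accompanies.
SCHEMA = """
CREATE TABLE Log (
    LoadId   INTEGER NOT NULL,
    LoggedAt TEXT    NOT NULL,   -- ISO-8601 UTC so rows from different machines sort together
    Machine  TEXT    NOT NULL,
    Process  TEXT    NOT NULL,   -- 'Load' or the name of an ETL
    FileId   INTEGER,            -- NULL for messages not tied to a single file
    Message  TEXT    NOT NULL
)
"""

# Constructed sample rows: one load (LoadId 7) spread over two machines, plus one
# row from another load. They are inserted out of order on purpose, as rows from
# concurrent writers would arrive.
SAMPLE_ROWS = [
    (7, "2024-01-01T10:00:05Z", "etl-02",  "Hash ETL", 1,    "hashed"),
    (7, "2024-01-01T10:00:00Z", "load-01", "Load",     1,    "file created"),
    (7, "2024-01-01T10:00:09Z", "etl-01",  "Text ETL", 1,    "extracted text"),
    (7, "2024-01-01T10:00:02Z", "etl-01",  "Type ETL", 1,    "identified type"),
    (7, "2024-01-01T10:00:01Z", "load-01", "Load",     2,    "file created"),
    (7, "2024-01-01T10:00:03Z", "etl-02",  "Type ETL", 2,    "identified type"),
    (8, "2024-01-01T11:00:00Z", "load-01", "Load",     3,    "file created"),
    (7, "2024-01-01T10:00:12Z", "load-01", "Load",     None, "load finished"),
]

def open_sample_db():
    """Create an in-memory [Log] table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO Log VALUES (?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn

def build_load_log(conn, load_id):
    """Materialise the Load Log for one load from the shared table, oldest first."""
    rows = conn.execute(
        "SELECT LoggedAt, Machine, Process, FileId, Message FROM Log "
        "WHERE LoadId = ? ORDER BY LoggedAt, Machine, Process", (load_id,)).fetchall()
    return [f"{t} {m} [{p}] file={f if f is not None else '-'}: {msg}"
            for t, m, p, f, msg in rows]

def file_trail(conn, load_id, file_id):
    """Return, in order, every process that handled one file during a load."""
    rows = conn.execute(
        "SELECT Process FROM Log WHERE LoadId = ? AND FileId = ? "
        "ORDER BY LoggedAt, Machine", (load_id, file_id)).fetchall()
    return [p for (p,) in rows]
```

The ordering across machines is only meaningful when every writer stamps rows from a synchronised clock, which is why the sample uses UTC timestamps.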