RocketAgent new log formats

Beginning with Agent v1.5 Build 22429 and higher, the log structure for agent logs is changing.

Here's what to expect.


  1. All logs are now stored in the installation directory under the /logs folder: c:\programfiles\rocketagent\logs
  2. Each thread within the agent maintains its own log file, named after its internal app name.
  3. Log files are limited in size to 2 MB. When a log reaches the maximum size it is rotated by adding a numerical indicator to its name, and a new log is created.
  4. When a log is requested for an agent via the RocketCyber console, the agent responds by zipping all available log files in the /logs directory.
  5. The zip file containing the logs is named RocketAgent_(hostname)_logs.zip for easy identification when downloaded or shared.
  6. The zip file also contains a file called agent_status.json, which holds high-level status information about the agent and its operating environment.

Log names are typically shortened versions of their corresponding app or thread name. The table below lists the current mapping of log names to apps and threads.


App Name to Log Name Map


Log Name                    | App or Thread Name                            | Notes
----------------------------|-----------------------------------------------|------------------------------------------------------------------------------
AdSync.log                  | Active Directory Monitor and Sync             |
AdvBD.log                   | Advanced Breach Detection                     |
CryptD.log                  | Crypto Mining Detection                       |
CTM.log                     | Cyberterrorist Network Connections            |
discover.log                | Data Discovery                                | In Beta/Private mode
DefenderManager.log         | DefenderManager                               |
ExchangeComp.log            | Microsoft Exchange Hafnium Exploit Detection  |
host_vuln.log               | Host Based Vulnerability Scanner              | In Beta/Private mode
KernelService.log           | Kernel Service Thread                         | Internal agent thread that communicates with agent kernel drivers
log4j_detector.log          | Log4j Detector                                |
MaliciousFileDetection.log  | Malicious File Detection                      |
print_nightmare_check.log   | Print Nightmare Hunt                          |
rocketagent.log             | RocketAgent                                   | Core functions of the agent, like updating, responding to log requests, isolation etc.
SNS.log                     | Suspicious Network Services                   |
SusEvt.log                  | Endpoint Event Log Monitor                    |
SusTool.log                 | Suspicious Tools                              |
syslogsvr.log               | Firewall Log Analyzer                         |
SysPVfy.log                 | System Process Verifier                       |
ThreatCheck.log             | Threat Check Thread                           | Internal agent thread that scans PE files using a machine learning model
ThreatHuntApp.log           | Threat Hunt App                               | In Beta/Private mode
vsa_threat_check.log        | VSA Threat Check                              |
ws_manager.log              | Websocket Thread                              | Internal agent thread that manages the websocket connection
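Putting the bundle layout and the table above together, here is an added example (not RocketCyber's code) that inventories a downloaded RocketAgent_(hostname)_logs.zip: it groups rotated files under their base log name, looks up the owning app from the table, flags any file over the 2 MB limit, and reads agent_status.json. The rotated-file pattern (name.N.log), the 2 MB = 2 MiB reading, and the sample bundle contents are assumptions for the example.

```python
import io
import json
import re
import zipfile

# Subset of the article's table (log name -> app or thread name); extend as needed
LOG_NAME_TO_APP = {
    "rocketagent.log": "RocketAgent",
    "ws_manager.log": "Websocket Thread",
    "SusEvt.log": "Endpoint Event Log Monitor",
}
MAX_LOG_BYTES = 2 * 1024 * 1024  # the article's 2 MB rotation limit (assumed to mean 2 MiB)

# ASSUMPTION: rotated logs look like "rocketagent.1.log"; the article only says a
# numerical indicator is added to the name, so adjust this pattern to real output.
ROTATED = re.compile(r"^(?P<base>.+?)(?:\.(?P<idx>\d+))?\.log$", re.IGNORECASE)


def inventory_agent_logs(zip_bytes: bytes) -> dict:
    """Summarise a log bundle: files and bytes per base log, owning app from the
    table, files over the size limit, unknown log names, and agent_status.json."""
    report = {"logs": {}, "unknown_logs": [], "status": None}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.rsplit("/", 1)[-1]  # strip the /logs prefix
            if name == "agent_status.json":
                report["status"] = json.loads(zf.read(info))
                continue
            m = ROTATED.match(name)
            if not m:
                continue
            base = m.group("base") + ".log"
            entry = report["logs"].setdefault(
                base, {"app": LOG_NAME_TO_APP.get(base), "files": [], "bytes": 0, "oversized": []})
            entry["files"].append(name)
            entry["bytes"] += info.file_size
            if info.file_size > MAX_LOG_BYTES:  # rotation should keep files at or under the limit
                entry["oversized"].append(name)
            if base not in LOG_NAME_TO_APP and base not in report["unknown_logs"]:
                report["unknown_logs"].append(base)
    return report


def build_sample_zip() -> bytes:
    """Constructed sample bundle mirroring the described layout (not real agent output)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("logs/rocketagent.log", "update check ok\n")
        zf.writestr("logs/rocketagent.1.log", "x" * (MAX_LOG_BYTES + 1))  # rotated, over limit
        zf.writestr("logs/ws_manager.log", "websocket connected\n")
        zf.writestr("logs/mystery.log", "?\n")  # not in the table: worth a closer look
        zf.writestr("logs/agent_status.json", json.dumps({"version": "1.5.22429", "hostname": "WS01"}))
    return buf.getvalue()
```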