Minimum Viable Remote Logging

This project is an attempt to make a logging solution for simple use cases.

This script can do the following:

• Retrieve basic information
• Monitor processes
• Tail command output
• Copy files
• Tail logs

The primary reason for creating this is to monitor a machine for activity from naive malware or attackers, although it is better suited for cases without active interference.

All needed binaries are static so dependencies don't need to be installed on the remote system.

Server vs. client

The server is the central collection point where logs and files are sent. The client is run on the machine that's monitored. It connects to the server to transfer logs and files.

Building

Use the included build script to retrieve and build dependencies:

./build.sh

Then edit build/_output/client/client.pl and change $server_ip and $server_port to match the ip and port of the server.

Deploying

Server

To deploy on the server, you'll need to transfer the build/_output/server directory to the remote system, then cd to that directory and run:

sh start_server.sh

By default the server uses the ports 46515-46550. This can be changed in start_server.sh

Client

To deploy on the client, you'll need to transfer the build/_output/client directory to the remote system, then cd to that directory and run:

perl client.pl

Monitoring

Once the server is running and a client has connected, files will appear on the server in srv/clients/ with the following naming scheme:

• _auth-key - Key used to authenticate clients
• _files.log - Log of files as they are received on the server
• _info.txt - Contains basic information about the client
• _processes.log - Log of processes as they are run on the client
• F__filepath - Files that are transferred once
• L__logpath - Log files that are continuously transferred, new lines are transferred as they are written on the client
• C__commandname - Command output, continuously transferred

Logs can be monitored as they come in using lnav:

./lnav -r srv/clients