Closed jeanlk15 closed 7 years ago
When in the Graphic Interface X.X.X.2 of FG the logs are "saved", can we delete old logs?
Currently users cannot delete old logs/alerts using the web app GUI. If you know how, this can be done manually when connecting over SSH to your device.
If we edit config.ini, how long before our changes are reflected?
Currently the sources listed in config.ini are queried every 4 hours.
Can you tell us which file(s) to delete from the command line to clear all history? Or send a >/dev/null to clean it out? I tried some database file but I had no permission to delete it for some reason; maybe it was locked or in use.
I am currently working on a webGUI enhancement where in "Recent Alerts" you will be able to filter based on "Reviewed" and "Not Reviewed" alerts. We do not see any added value in deleting alerts at the moment.
jeanlk15, if I were in your spot I would definitely reinstall your tablet with a different ROM; based on your logs it seems your tablet has been compromised. Please check this link for more references (http://www.broadanalysis.com/2017/03/15/rig-exploit-kit-via-the-eitest-delivers-dreambot-from-217-107-34-86/)
If you would like to have a clean "Recent Alerts" list, just open "logs/alerts.sqlite" and delete all entries. :)
I will delete the logs, because there is no such IP (192.168.2.87) with Tor (now) active on my network; maybe the logs are in some way updating 'last time' by mistake, I just want to confirm this is not so.
I also wanted to clear active home devices (devices registered on the rPi); is there a file for this somewhere to delete as well?
Thx, cat dev/null failed but deleting all entries in alerts.sqlite worked just fine.
Hi @jeanlk15
I recommend the following:
$ sudo service falcongate stop
$ sudo rm /opt/FalconGate/homenet.pkl /opt/FalconGate/logs/alerts.sqlite
$ sudo service dnsmasq stop
$ sudo rm /var/log/dnsmasq.leases
$ sudo service dnsmasq start
$ sudo service falcongate start
Once you execute the steps above you should have a clean FalconGate instance (without old logs). Be aware that a few weeks ago we introduced an upgrade to the start script for the FalconGate service. If the command to stop the service doesn't work for you, I recommend deploying a fresh image to your SD card from our downloads page or installing it from scratch using our install script.
Like @easy4MEr, I also recommend that you check your tablet because it may have been infected with Tor-enabled malware. It's not normal for a device to communicate with multiple Tor nodes over a period of time unless the device is running a Tor client. If you haven't installed a Tor client on your tablet and you haven't used it to test FalconGate's detection capabilities, then there's a high probability that it's infected.
I hope this helps.
You could create a script that reads continuously from alerts.sqlite and prints to screen only the new alerts added to the database. This tutorial for Python can help you get started: http://zetcode.com/db/sqlitepythontutorial/
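The script suggested above, and the "delete all entries in alerts.sqlite" advice earlier in the thread, as an added example that is not part of the FalconGate project or of any comment here. The table name `alerts` and the columns `id`, `ts`, `src_ip`, `description` are assumptions for illustration; the thread does not show the real schema of `logs/alerts.sqlite`, so run `.schema` in `sqlite3` on the real file and adjust the queries. The poller keeps a watermark on the last `id` it has printed, so only rows added since the previous poll are shown, and it resets the watermark if the table has been cleared by a tool that restarts ids:

```python
import sqlite3
import sys
import time
from typing import List, Tuple

# Hypothetical table layout, assumed for this example only. FalconGate's real
# alerts.sqlite schema is not shown in the thread; adapt the column names to
# whatever `.schema` prints for the real file.
SCHEMA = """
CREATE TABLE IF NOT EXISTS alerts (
    id          INTEGER PRIMARY KEY AUTOINCREMENT,
    ts          TEXT NOT NULL,
    src_ip      TEXT NOT NULL,
    description TEXT NOT NULL
)
"""

Alert = Tuple[int, str, str, str]


def open_alerts_db(path: str) -> sqlite3.Connection:
    """Open an alerts database (":memory:" for a throwaway copy) and create the assumed table."""
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    conn.commit()
    return conn


def insert_alert(conn: sqlite3.Connection, ts: str, src_ip: str, description: str) -> int:
    """Seed a constructed sample alert; on a real box FalconGate writes these rows, not you."""
    cur = conn.execute(
        "INSERT INTO alerts (ts, src_ip, description) VALUES (?, ?, ?)",
        (ts, src_ip, description),
    )
    conn.commit()
    return cur.lastrowid


def clear_alerts(conn: sqlite3.Connection) -> int:
    """The 'delete all entries' advice from the thread; returns how many rows were removed."""
    count = conn.execute("SELECT COUNT(*) FROM alerts").fetchone()[0]
    conn.execute("DELETE FROM alerts")
    conn.commit()
    return count


class AlertFollower:
    """Polls the alerts table and returns only rows added since the previous poll."""

    def __init__(self, conn: sqlite3.Connection, start_after_id: int = 0) -> None:
        self.conn = conn
        self.last_id = start_after_id  # watermark: highest id already reported

    def poll(self) -> List[Alert]:
        # If the table was truncated by a tool that restarts ids (a table without
        # AUTOINCREMENT reuses rowids), MAX(id) falls below the watermark; reset it
        # so that freshly inserted rows are not silently skipped.
        cur_max = self.conn.execute("SELECT COALESCE(MAX(id), 0) FROM alerts").fetchone()[0]
        if cur_max < self.last_id:
            self.last_id = 0
        rows = self.conn.execute(
            "SELECT id, ts, src_ip, description FROM alerts WHERE id > ? ORDER BY id",
            (self.last_id,),
        ).fetchall()
        if rows:
            self.last_id = rows[-1][0]
        return rows

    def follow(self, interval: float = 2.0) -> None:
        """Print new alerts forever, tail -f style (Ctrl-C to stop)."""
        while True:
            for _id, ts, src_ip, description in self.poll():
                print(f"{ts} {src_ip} {description}")
            time.sleep(interval)


if __name__ == "__main__":
    # Open the live file read-only so this watcher can never modify or truncate
    # the database the FalconGate service is writing to (path is an assumption).
    db_path = sys.argv[1] if len(sys.argv) > 1 else "/opt/FalconGate/logs/alerts.sqlite"
    live = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    AlertFollower(live).follow()
```

Run it as `python3 follow_alerts.py /opt/FalconGate/logs/alerts.sqlite` while the service is running; the read-only URI open means the watcher cannot take a write lock and interfere with the service, which is also the reason to stop `falcongate` before deleting the file as the cleanup steps above do.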
Thx for the help