It's important to ensure [log][file][path] is grokked before cs_makebeaconlogpath.rb, otherwise there will be a misalignment between the Implant URL, [implant][log_file] and [log][file][path] for beacons that are running for multiple days, as [log][file][path] will take the value from where the beacon was first established, as shown below.
I also had issues accessing the beacon logs via Kibana due to permission problems; prior to this, I solved it by adding a cron job that does a chown every minute, which is messy. Making the /var/www/html/cslog folder owned by redelk:www-data would make more sense, since only redelk is making changes to the folders, and with SGID set the www-data group ownership propagates to files created subsequently without having to chmod/chown down the road.
Lastly, I had an issue with the RedELK cron job not activating in redelk-base due to permissive file permissions, and I changed it to 600 to make sure only the file owner can make changes to it.
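The ownership and permission changes described above, as an added example that is not part of this PR or of the RedELK project: a small POSIX shell script that shows a setgid directory handing its group down to files and per-day subdirectories created later (so a single chgrp/chmod replaces the recurring chown cron job), and a strict mode-600 check for a cron file. So that it runs unprivileged anywhere, it uses a temporary directory and the caller's primary group in place of /var/www/html/cslog and redelk:www-data, and assumes GNU stat; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not RedELK project code. Demonstrates:
#   1. a setgid (g+s) directory makes new files and subdirectories inherit its
#      group, so a one-off chgrp/chmod replaces a recurring chown cron job;
#   2. a cron file can be checked for the strict 600 mode applied above.
# To run unprivileged it uses a temp directory and the caller's primary group
# in place of /var/www/html/cslog and redelk:www-data. Requires GNU stat.

# setup_shared_dir DIR GROUP: create DIR, give it GROUP and mode 2775
# (rwxrwsr-x), i.e. group-writable with the setgid bit set.
setup_shared_dir() {
    mkdir -p "$1"
    chgrp "$2" "$1"
    chmod 2775 "$1"
}

# file_group PATH: print the group name that owns PATH.
file_group() {
    stat -c %G "$1"
}

# dir_has_setgid DIR: succeed if the setgid bit is set on DIR.
dir_has_setgid() {
    [ -g "$1" ]
}

# cron_mode_ok FILE: succeed only if FILE is exactly mode 600
# (owner read/write, no group or other access).
cron_mode_ok() {
    [ "$(stat -c %a "$1")" = "600" ]
}

# demo: walk through both checks in a scratch directory and report.
demo() {
    base=$(mktemp -d)
    grp=$(id -gn)     # stands in for www-data

    setup_shared_dir "$base/cslog" "$grp"
    # Simulate the per-day log layout: a subdirectory and a beacon log created
    # after the parent was set up, with no further chown on either.
    mkdir "$base/cslog/2024-01-01"
    : > "$base/cslog/2024-01-01/beacon_1234.log"

    printf 'cslog setgid: %s\n' "$(dir_has_setgid "$base/cslog" && echo yes || echo no)"
    printf 'day dir setgid: %s\n' "$(dir_has_setgid "$base/cslog/2024-01-01" && echo yes || echo no)"
    printf 'beacon log group: %s (cslog group: %s)\n' \
        "$(file_group "$base/cslog/2024-01-01/beacon_1234.log")" "$(file_group "$base/cslog")"

    # Cron file: a permissive mode fails the check, 600 passes.
    cronfile=$base/redelk-cron
    : > "$cronfile"
    chmod 644 "$cronfile"
    printf 'cron file at 644 ok: %s\n' "$(cron_mode_ok "$cronfile" && echo yes || echo no)"
    chmod 600 "$cronfile"
    printf 'cron file at 600 ok: %s\n' "$(cron_mode_ok "$cronfile" && echo yes || echo no)"

    rm -rf "$base"
}

demo
```

On the real host the equivalent is `chown redelk:www-data /var/www/html/cslog` followed by `chmod 2775 /var/www/html/cslog`, after which new per-day directories and beacon logs come out group-owned by www-data. For the cron file, Vixie/Debian cron refuses entries in /etc/cron.d that are writable by group or others and typically logs an "INSECURE MODE" error, which matches the "not activating" symptom; `cron_mode_ok` is a quick way to confirm the fix stuck.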