Understanding new RocketAgent log formats
Beginning with Agent v1.5 Build 22429, the structure of the agent logs is changing.
Here's what to expect:
- All logs are now stored in the /logs folder under the installation directory, i.e. c:\programfiles\rocketagent\logs.
- Each thread within the agent will maintain its own log file named by its internal app name.
- Log files are limited in size to 2 MB. When a log reaches the maximum size, it is rotated: the existing file is renamed with a numerical indicator and a new log is created.
- When a log is requested via the RocketCyber console for an agent, the agent will respond by zipping all available log files in the /logs directory.
- The zip file containing the logs will be named RocketAgent_(hostname)_logs.zip for easy identification when downloading or sharing it.
- The zip file will also contain a file called agent_status.json, which holds high-level status information about the agent and its operating environment.
Log Names are typically shortened versions of their corresponding app or thread name. The table below lists the current mapping of log names to apps and threads.
App Name to Log Name Map
Log Name | App or Thread Name | Notes |
---|---|---|
AdSync.log | Active Directory Monitor and Sync | |
AdvBD.log | Advanced Breach Detection | |
CryptD.log | Crypto Mining Detection | |
CTM.log | Cyberterrorist Network Connections | |
discover.log | Data Discovery | In Beta/Private mode |
DefenderManager.log | DefenderManager | |
ExchangeComp.log | Microsoft Exchange Hafnium Exploit Detection | |
host_vuln.log | Host Based Vulnerability Scanner | In Beta/Private mode |
KernelService.log | Kernel Service Thread | Internal agent thread that communicates with agent kernel drivers |
log4j_detector.log | Log4j Detector | |
MaliciousFileDetection.log | Malicious File Detection | |
print_nightmare_check.log | Print Nightmare Hunt | |
rocketagent.log | RocketAgent | Core functions of the agent, such as updating, responding to log requests, isolation, etc. |
SNS.log | Suspicious Network Services | |
SusEvt.log | Endpoint Event Log Monitor | |
SusTool.log | Suspicious Tools | |
syslogsvr.log | Firewall Log Analyzer | |
SysPVfy.log | System Process Verifier | |
ThreatCheck.log | Threat Check Thread | Internal agent thread that scans PE files using a machine learning model |
ThreatHuntApp.log | Threat Hunt App | In Beta/Private mode |
vsa_threat_check.log | VSA Threat Check | |
ws_manager.log | Websocket Thread | Internal agent thread that manages the websocket connection |
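The following script is an added example (not RocketCyber's own tooling) that triages a downloaded log bundle as described above: it recovers the hostname from the RocketAgent_(hostname)_logs.zip name, reads agent_status.json, groups each log with its rotated generations, maps the log name to its app or thread name using a subset of the table, and flags any file larger than the 2 MB cap. The rotated-file naming pattern (name.N.log or name.log.N) and the sample bundle contents are assumptions, since the page does not spell out the exact rotated name.

```python
import io, json, re, zipfile

# Subset of the log-name map from the table on this page.
LOG_NAME_MAP = {"rocketagent.log": "RocketAgent", "SusEvt.log": "Endpoint Event Log Monitor",
                "ws_manager.log": "Websocket Thread", "ThreatCheck.log": "Threat Check Thread"}
# ASSUMPTION: a rotated file is name.N.log or name.log.N; the page only says
# the name is "updated with a numerical indicator".
ROTATED = re.compile(r"^([^.]+)(?:\.(\d+)\.log|\.log\.(\d+))$", re.IGNORECASE)
ZIP_NAME = re.compile(r"^RocketAgent_(.+)_logs\.zip$")

def hostname_from_zip_name(zip_name):
    """Recover the hostname from RocketAgent_(hostname)_logs.zip, or None."""
    m = ZIP_NAME.match(zip_name)
    return m.group(1) if m else None

def inventory_agent_logs(zip_bytes, max_log_bytes=2 * 1024 * 1024):
    """Group files by base log, map to app names, flag logs over the 2 MB cap."""
    inv = {"status": None, "logs": {}, "unknown": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.rsplit("/", 1)[-1]  # tolerate a logs/ prefix
            if name == "agent_status.json":
                inv["status"] = json.loads(zf.read(info))
                continue
            m = ROTATED.match(name)
            if m:                                    # rotated generation N
                base, gen = m.group(1) + ".log", int(m.group(2) or m.group(3))
            elif name.lower().endswith(".log"):      # current (active) log
                base, gen = name, 0
            else:
                inv["unknown"].append(name)
                continue
            entry = inv["logs"].setdefault(
                base, {"app": LOG_NAME_MAP.get(base, "unmapped"), "files": []})
            entry["files"].append((gen, name, info.file_size))
            entry["files"].sort()
            if info.file_size > max_log_bytes:       # rotation should have fired
                entry["oversized"] = True
    return inv

def build_sample_bundle():
    """Constructed stand-in for a bundle downloaded from the console."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("agent_status.json", json.dumps({"hostname": "WS-01"}))
        zf.writestr("rocketagent.log", b"2024-01-01 INFO agent started\n")
        zf.writestr("rocketagent.1.log", b"older rotated entries\n")
        zf.writestr("SusEvt.log", b"event log monitor output\n")
        zf.writestr("notes.txt", b"not an agent log\n")
    return buf.getvalue()
```

A log that shows up as "unmapped" is either a new thread not yet in the table or a stray file, and an "oversized" entry means rotation did not happen as documented; both are worth checking before sharing the bundle with support.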