cmdReporter Wiki

2.2 - May 2019

New Features:

  • Remote endpoint logging over network
    • cmdReporter can now log directly to log aggregation servers
  • Kafka remote endpoint logging (Public Beta)
  • Logstash and REST API remote endpoint logging (Public Beta)
  • Spool remote endpoint logs to a dedicated log file when the network is unavailable, and retry delivery on an interval
  • Process parent/child mapping fields in exec events, for example:
    {
      "exec_chain_child":
      {
        "parent_pid": 1105,
        "parent_uuid": "82044823-FD77-4553-919A-58B368E106A5"
      },
      "exec_chain_parent":
      {
        "uuid": "BABA5C42-2963-4F28-83A4-8C0DD7DFD96F"
      }
    }
  • Return and arguments text is now fully parsed into field mappings
  • Logic changed for <key>AuditEventExcludedProcesses</key>: entries now match only the full path of the process, with no regex interpretation
  • Verbose event logging preference added to enable or disable cmdReporter's smart logging filters
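The new exec_chain_child / exec_chain_parent fields let a consumer of the log stream rebuild process ancestry without relying on pids, which get reused. The following is an added example, not code from cmdReporter or the release notes: it reads constructed newline-delimited exec events, links each event's parent_uuid to the event whose exec_chain_parent.uuid matches, and prints the resulting chain. The reading that exec_chain_parent.uuid is the process's own uuid (the value its children carry as parent_uuid) and the "pid" and "path" field names are assumptions; the real event schema may differ.

```python
import json
from typing import Dict, List

# Constructed, newline-delimited sample of cmdReporter-style exec events (not
# captured data). Only exec_chain_child / exec_chain_parent and their
# parent_pid, parent_uuid and uuid fields come from the release notes; "pid" and
# "path" are assumed stand-ins for the event's own process id and executable.
ROOT_UUID = "00000000-0000-4000-8000-000000000001"   # never claimed by any event
SAMPLE_NDJSON = "\n".join(json.dumps(e) for e in [
    {"pid": 1105, "path": "/bin/bash",
     "exec_chain_child": {"parent_pid": 1, "parent_uuid": ROOT_UUID},
     "exec_chain_parent": {"uuid": "11111111-1111-4111-8111-111111111111"}},
    {"pid": 1210, "path": "/usr/bin/curl",
     "exec_chain_child": {"parent_pid": 1105,
                          "parent_uuid": "11111111-1111-4111-8111-111111111111"},
     "exec_chain_parent": {"uuid": "22222222-2222-4222-8222-222222222222"}},
    {"pid": 1211, "path": "/bin/sh",
     "exec_chain_child": {"parent_pid": 1210,
                          "parent_uuid": "22222222-2222-4222-8222-222222222222"},
     "exec_chain_parent": {"uuid": "33333333-3333-4333-8333-333333333333"}},
])


def parse_events(ndjson: str) -> List[dict]:
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def index_by_uuid(events: List[dict]) -> Dict[str, dict]:
    """Map each process's own uuid (exec_chain_parent.uuid) to its exec event."""
    index: Dict[str, dict] = {}
    for ev in events:
        uuid = ev.get("exec_chain_parent", {}).get("uuid")
        if uuid:
            index[uuid] = ev
    return index


def exec_chain(ev: dict, index: Dict[str, dict], max_depth: int = 64) -> List[str]:
    """Executable paths from the outermost known ancestor down to ev.

    Walks exec_chain_child.parent_uuid upwards. Stops when the parent uuid is
    not in the batch (the parent started before logging began, or its event
    was lost), when a uuid repeats (corrupt data), or at max_depth.
    """
    chain = [ev["path"]]
    seen = {ev.get("exec_chain_parent", {}).get("uuid")}
    current = ev
    while len(chain) < max_depth:
        parent_uuid = current.get("exec_chain_child", {}).get("parent_uuid")
        parent = index.get(parent_uuid)
        if parent is None or parent_uuid in seen:
            break
        seen.add(parent_uuid)
        chain.append(parent["path"])
        current = parent
    chain.reverse()
    return chain


def unresolved_parents(events: List[dict], index: Dict[str, dict]) -> List[str]:
    """parent_uuid values that no event in the batch claims as its own uuid."""
    missing = set()
    for ev in events:
        parent_uuid = ev.get("exec_chain_child", {}).get("parent_uuid")
        if parent_uuid and parent_uuid not in index:
            missing.add(parent_uuid)
    return sorted(missing)


def chains_by_pid(ndjson: str) -> Dict[int, str]:
    """pid -> 'ancestor -> ... -> self' for every event in the batch."""
    events = parse_events(ndjson)
    index = index_by_uuid(events)
    return {ev["pid"]: " -> ".join(exec_chain(ev, index)) for ev in events}


if __name__ == "__main__":
    events = parse_events(SAMPLE_NDJSON)
    for pid, chain in chains_by_pid(SAMPLE_NDJSON).items():
        print(pid, chain)
    print("unresolved parents:", unresolved_parents(events, index_by_uuid(events)))
```

Chains that stop at an unresolved parent are normal for processes that were already running when cmdReporter started; listing those uuids separately makes it obvious when a chain is short because of missing data rather than because the process really was a session root.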

Bug Fixes:

  • Resolved a preferences caching issue: in rare cases preferences were cached for too long
  • Optimized events and event fields
  • Added version information to cmdReporter -T output
  • Tokenwatcher checks backed off to every 30 seconds to resolve duplicate check errors

New Preference Keys:

<key>AuditEventLogVerboseMessages</key>

<!-- # General Endpoint Logging -->
<key>LogRemoteEndpointEnabled</key>
<key>LogRemoteEndpointURL</key>
<key>LogRemoteEndpointType</key>

<!-- # REST-specific -->
<key>LogRemoteEndpointREST</key>
<dict>
  <key>PublicKeyHash</key>
</dict>

<!-- # Kafka-specific -->
<key>LogRemoteEndpointKafka</key>
<dict>
  <key>TLSServerCertificate</key>
  <key>TLSClientPrivateKey</key>
  <key>TLSClientCertificate</key>
  <key>TopicName</key>
</dict>
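Because the remote endpoint keys are split into a general block plus a type-specific dict, a preference file can be well-formed yet incomplete for the endpoint type it selects (a REST endpoint with no PublicKeyHash, a Kafka endpoint with a misspelled TLS key). The following is an added example, not cmdReporter's own code or configuration: it builds two constructed plists from the keys listed above and checks them with plistlib before deployment. All values are placeholders, and the assumption that LogRemoteEndpointType takes the strings "REST", "Kafka" or "Logstash" is ours; the release notes do not list its accepted values.

```python
import plistlib
from typing import List

# Constructed example preference plists built only from the keys in the 2.2
# release notes. Every value is a placeholder, and the type strings "REST",
# "Kafka" and "Logstash" are an assumption, not documented values.
GOOD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>AuditEventLogVerboseMessages</key><false/>
  <key>LogRemoteEndpointEnabled</key><true/>
  <key>LogRemoteEndpointURL</key><string>kafka.example.invalid:9093</string>
  <key>LogRemoteEndpointType</key><string>Kafka</string>
  <key>LogRemoteEndpointKafka</key>
  <dict>
    <key>TLSServerCertificate</key><string>/placeholder/server-ca.pem</string>
    <key>TLSClientPrivateKey</key><string>/placeholder/client.key</string>
    <key>TLSClientCertificate</key><string>/placeholder/client.pem</string>
    <key>TopicName</key><string>cmdreporter</string>
  </dict>
</dict>
</plist>
"""

# Same shape with three mistakes: a misspelled URL key, hence no URL, and an
# empty PublicKeyHash, which would leave the REST endpoint with no pinned key.
BAD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>LogRemoteEndpointEnabled</key><true/>
  <key>LogRemoteEndpointUrl</key><string>https://logs.example.invalid/ingest</string>
  <key>LogRemoteEndpointType</key><string>REST</string>
  <key>LogRemoteEndpointREST</key>
  <dict>
    <key>PublicKeyHash</key><string></string>
  </dict>
</dict>
</plist>
"""

KNOWN_KEYS = {
    "LogRemoteEndpointEnabled", "LogRemoteEndpointURL", "LogRemoteEndpointType",
    "LogRemoteEndpointREST", "LogRemoteEndpointKafka",
}
# endpoint type -> (type-specific dict key, keys that must be present and non-empty)
REQUIRED_BY_TYPE = {
    "REST": ("LogRemoteEndpointREST", ("PublicKeyHash",)),
    "Kafka": ("LogRemoteEndpointKafka", ("TLSServerCertificate", "TLSClientPrivateKey",
                                         "TLSClientCertificate", "TopicName")),
    "Logstash": (None, ()),   # no type-specific dict is listed for Logstash
}


def validate_remote_logging(plist_bytes: bytes) -> List[str]:
    """Return a list of problems; an empty list means the remote logging keys are consistent."""
    prefs = plistlib.loads(plist_bytes)
    problems: List[str] = []
    # Misspelled LogRemoteEndpoint* keys are silently ignored by a plist reader,
    # so catch them explicitly.
    for key in prefs:
        if key.startswith("LogRemoteEndpoint") and key not in KNOWN_KEYS:
            problems.append(f"unknown key {key}")
    if not prefs.get("LogRemoteEndpointEnabled"):
        return problems   # nothing else applies while remote logging is off
    if not prefs.get("LogRemoteEndpointURL"):
        problems.append("LogRemoteEndpointURL missing or empty")
    etype = prefs.get("LogRemoteEndpointType")
    if etype not in REQUIRED_BY_TYPE:
        problems.append(f"unsupported LogRemoteEndpointType {etype!r}")
        return problems
    section_key, required = REQUIRED_BY_TYPE[etype]
    if section_key is None:
        return problems
    section = prefs.get(section_key)
    if not isinstance(section, dict):
        problems.append(f"{section_key} dict missing for type {etype}")
        return problems
    for name in required:
        if not section.get(name):
            problems.append(f"{section_key}.{name} missing or empty")
    return problems


if __name__ == "__main__":
    print("good:", validate_remote_logging(GOOD_PLIST))
    print("bad: ", validate_remote_logging(BAD_PLIST))
```

Treating an empty PublicKeyHash or missing TLS client material as an error rather than a warning is deliberate: those are the settings that authenticate the log server to the agent (and the agent to the server), so a deployment that silently falls back to no pinning is the failure mode worth catching before the profile ships.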
