Interacting with the Operation Log Table
Using the live activity log
Once you are on the log entries page, you will be presented with an empty table. The following sections outline how to interact with the table and log entries.
There will be times when you will need the log's unique ID. The ID number is always displayed at the top of the page, below the log's name.
To manually create an entry, click on the "Create a new entry" button in the top right corner:
Operation Log View Controls and Filtering
You will notice a new row is populated with the current UTC timestamps and your username in the Operator field.
New Log Entry with Pre-Populated Fields
You can modify fields by double-clicking the table row you want to edit. A modal form will open:
Modal Form for Editing a Log Entry
Once you submit a change, the edits will sync via WebSockets and be visible to anyone with the log open.
Copy and Delete Buttons for Log Entries
The Options column is home to two buttons: copy and delete. The copy button will create a clone of the selected entry. The delete button will remove the log entry.
Log entries contain fields useful for tracking but can be too much for a table view, especially if you're viewing the log in a smaller browser window or a VM. You can customize the columns displayed by clicking the Show/Hide Columns button and toggling columns on and off.
Table Column Selection and Customization
The log table provides a search bar to filter entries containing only the provided text. This filter helps you view log entries related to a specific user, host, or command. To use the filter bar, type in the keyword. The filter is applied as you type, so you can keep typing to narrow down the results further.
Filtering Log Entries Based on Keywords
Note that text search will include columns you may have hidden. The filter is also limited to the currently loaded log entries. If you don't find what you want, scroll down to load additional entries and try filtering again.
In the top right corner, there is a connection status indicator:
WebSockets Status Indicator
Since all entries are created/modified/deleted using WebSockets, a persistent connection is maintained. If the connection is ever lost, the connection status will turn red and indicate that the WebSocket connection is disconnected. When disconnected, you will not be able to create/modify/or delete any rows.
Like many objects in Ghostwriter, you can add tags to a log entry to help with filtering and tracking. The log table will change how certain tags appear in the table:
Example of Tags Displayed for a Log Entry
Tags that include:
ttpwill appear as red tags (e.g.,
credentialswill appear as yellow tags
vulnwill appear as green tags (e.g.,
detectwill appear as blue tags (e.g.,
objectivewill appear as purple tags (e.g.,
Additional styles may be added in the future for different tags. The development is open to suggestions.
By default, all new operation logs have notifications enabled. The optional Operation Log Monitor task handles notifications. If desired, a user with the
managerrole can mute notifications from the hamburger menu in the upper-right corner of the logging page.
Notification status is also displayed in the operation logs table:
Log Notification Status in the Logs Table