Site Server Log Accessibility
From version 7.6 of FTK onward, Site Server logs can be configured to be stored automatically in a specific location. Each resulting log file contains only the information related to a specific job rather than all existing jobs. This is configured through keys added to the ADGWeblabSelfHost.exe.config file, together with the PowerShell script attached to this article.
Configuration Key
- SiteServerSourceLogFolder - This key sets the folder from which the application copies logs.
- SiteServerDestinationLogFolder - This key sets the folder that the application references within the Collections page.
- SiteServerLogSyncIntervalInMinutes - This key sets the interval (in minutes) at which the application syncs the source and destination folders.
How to configure these keys?
These keys are supported in FTKC 7.6 and above. Add them to the ADGWeblabSelfHost.exe.config file located in C:\Program Files\AccessData\Forensic Tools\7.6\bin.
Although the PowerShell script takes similar parameters, the configuration keys are still required so that the application can parse those log files; the script itself only automates the transfer of log files to a central location. When the application parses these logs, it categorizes the hosts being targeted (creating a folder named after each host) and then splits the logs into smaller chunks on a per-job basis.
| Key | Value | Syntax | Notes |
|---|---|---|---|
| SiteServerSourceLogFolder | Path to the folder where Site Server logs are currently being stored. | `<add key="SiteServerSourceLogFolder" value="\\<client private IP address>\<drive>\<sourcefolder>" />` | Path must be accessible by the service account. |
| SiteServerDestinationLogFolder | Path to a folder which must be accessible by the service account. | `<add key="SiteServerDestinationLogFolder" value="\\<client private IP address>\<drive>\<destinationfolder>" />` | |
| SiteServerLogSyncIntervalInMinutes | A numerical value. | `<add key="SiteServerLogSyncIntervalInMinutes" value="<time interval in minutes>" />` | |
How to configure the PowerShell script?
Ensure you have downloaded the PowerShell script attached to this article. It can be found at the bottom of this page.
This script must be run on the Application server. This server must have access to the relevant component servers in order to reach their log files; if required, firewall exceptions should be created.
Within the provided PowerShell script, the following variables need to be changed to match your environment.
| Value | Explanation |
|---|---|
| $folders | The location(s) from which the logs are copied (i.e. the Site Server log location). The location should contain only the machine IP address, not the hostname. If required, multiple hosts can be added as comma-separated values. |
| $DestinationFolder | The location where the copied logs are stored. Note: this location must also be given as the Source key value in the config file. |
| AddDays | The $files variable selects from which day the logs are copied via the value passed to AddDays(value); the value starts from -1. Example: -1 represents the present day, and -2 represents the present day and yesterday. |
Note: The value of the $DestinationFolder variable in the PowerShell script must be the same as the path given in the Source key within the config file.
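As an added example (not the script attached to this article), the following PowerShell shows how the three variables above fit together in a collection run; the UNC paths, share names, `*.log` filter and per-host subfolder layout are assumptions.

```powershell
# Added example, not the script attached to the article. It copies Site Server
# log files written within the last N days from one or more hosts into the
# central folder that the config file's SiteServerSourceLogFolder key points to.
# All UNC paths, share names and the *.log filter are assumed placeholders.

# Site Server log locations: IP addresses only (no hostnames), comma-separated.
$folders = '\\10.0.0.11\C$\AccessData\SiteServer\Logs',
           '\\10.0.0.12\C$\AccessData\SiteServer\Logs'

# Must be the same path as the SiteServerSourceLogFolder value in
# ADGWeblabSelfHost.exe.config.
$DestinationFolder = '\\10.0.0.5\D$\SiteServerLogs'

# Value passed to AddDays(): -1 copies the present day, -2 the present day and
# yesterday, and so on.
$daysBack = -1
$cutoff   = (Get-Date).AddDays($daysBack)

if (-not (Test-Path -LiteralPath $DestinationFolder)) {
    New-Item -ItemType Directory -Path $DestinationFolder | Out-Null
}

$copied = 0
foreach ($folder in $folders) {
    # The task runs as the domain service account, so a failure here usually
    # means missing share permissions or a missing firewall exception.
    if (-not (Test-Path -LiteralPath $folder)) {
        Write-Warning "Cannot reach $folder; check share permissions and firewall rules."
        continue
    }

    # Keep each host's logs apart (assumed layout) so identically named files
    # from different Site Servers do not overwrite each other.
    $hostIp = ($folder -split '\\')[2]
    $target = Join-Path $DestinationFolder $hostIp
    if (-not (Test-Path -LiteralPath $target)) {
        New-Item -ItemType Directory -Path $target | Out-Null
    }

    $files = Get-ChildItem -LiteralPath $folder -File -Filter '*.log' |
             Where-Object { $_.LastWriteTime -ge $cutoff }
    foreach ($file in $files) {
        Copy-Item -LiteralPath $file.FullName -Destination $target -Force
        $copied++
    }
}

# One line per run so the scheduled task leaves an audit trail in its output.
Write-Output ('{0:s} copied {1} log file(s) to {2}' -f (Get-Date), $copied, $DestinationFolder)
```

Run it from the scheduled task described in the next section under the domain service account, which needs read access to each Site Server share and write access to the destination folder.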
Create a Windows Task Scheduler
- Open Task Scheduler.
- Select the Task Scheduler Library.
- Right-click on it.
- Click Create Task.
- Enter the Name and Description of the Task.
- Enable the Run with Highest Priority.
- Enable the option “Run whether the user is logged in or not”.
- Click on Triggers.
- Click New.
- Set the Schedule Time on which the task has to be triggered.
- Click on Actions and select New.
- In Program/script, enter "PowerShell", and in the Argument field enter "-File <location of the PowerShell script>".
- Click OK.
- Save the Task Scheduler by clicking OK.
- Right-click on the Created Task and Click Run.
Please provide the username and password if asked during the task creation process, ensuring it is a domain-level service account.
What if this configuration doesn't work?
- Ensure the Exterro service has been restarted.
- Ensure the config file has been saved.
- Ensure a SQLite file is created within the destination folder.
- Ensure the syntax is correct.
- Ensure the version you are testing this on is 7.6 and above.