Log files
uac.log
The uac.log
file contains timestamped messages that include a log level and a corresponding message. This is the primary log used to track the actions performed by UAC during its execution. The level of detail in this log is affected by the --debug
option. When data collection is complete, this log is also included in the final output archive.
Level | Description |
---|---|
DBG | Debug messages |
INF | Informational messages |
ERR | Error messages |
CMD | Executed commands and their stderr output |
At the beginning of the file, UAC logs important information such as the command-line options used, operating system, system architecture, mount point, loaded configuration (from uac.conf
), available tools, and other environment details. These entries are logged at the INF
level.
Example:
2024-05-23 18:07:12 -0300 INF Unix-like Artifacts Collector
2024-05-23 18:07:12 -0300 INF UAC directory: /tmp/uac
2024-05-23 18:07:12 -0300 INF Command line: ./uac -p ir_triage -u -v /tmp
2024-05-23 18:07:12 -0300 INF Operating system: linux
2024-05-23 18:07:12 -0300 INF System architecture: x86_64
2024-05-23 18:07:12 -0300 INF Hostname: uac-suse-tumbleweed
2024-05-23 18:07:12 -0300 INF Mount point: /
2024-05-23 18:07:12 -0300 INF Running as: uac
2024-05-23 18:07:12 -0300 INF Temp Directory: /tmp/uac/uac-data.tmp
2024-05-23 18:07:12 -0300 INF Output format: tar
2024-05-23 18:07:12 -0300 INF Current PID: 6377
2024-05-23 18:07:12 -0300 INF PATH: /tmp/uac/tools/date_to_epoch_pl:/tmp/uac/tools/find_pl:/tmp/uac/tools/stat_pl:/tmp/uac/tools/statx/linux/x86_64:/tmp/uac/tools/zip/esxi_linux/x86_64:/tmp/uac/bin/linux/x86_64:/tmp/uac/bin/linux:/tmp/uac/bin:/usr/xpg4/bin:/usr/xpg6/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/ucb:/usr/ccs/bin:/opt/bin:/opt/sbin:/opt/local/bin:/snap/bin:/netscaler:/opt/homebrew/bin:/usr/xpg4/bin:/usr/xpg6/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/ucb:/usr/ccs/bin:/opt/bin:/opt/sbin:/opt/local/bin:/snap/bin:/netscaler
2024-05-23 18:07:12 -0300 INF Loading uac.conf settings
2024-05-23 18:07:12 -0300 INF Exclude path pattern:
2024-05-23 18:07:12 -0300 INF Exclude name pattern:
2024-05-23 18:07:12 -0300 INF Exclude file system: 9p|afs|autofs|cifs|davfs|fuse|kernfs|nfs|nfs4|rpc_pipefs|smbfs|sysfs
2024-05-23 18:07:12 -0300 INF Hash algorithm: md5|sha1
2024-05-23 18:07:12 -0300 INF Max depth: 0
2024-05-23 18:07:12 -0300 INF Enable find mtime: true
2024-05-23 18:07:12 -0300 INF Enable find atime: false
2024-05-23 18:07:12 -0300 INF Enable find ctime: true
2024-05-23 18:07:12 -0300 INF Setting up tools and parameters
2024-05-23 18:07:12 -0300 INF find operators support: true
2024-05-23 18:07:12 -0300 INF find -path support: true
2024-05-23 18:07:12 -0300 INF find -size support: true
2024-05-23 18:07:12 -0300 INF find -maxdepth support: true
2024-05-23 18:07:12 -0300 INF find -perm support: true
2024-05-23 18:07:12 -0300 INF find -type support: true
2024-05-23 18:07:12 -0300 INF find -mtime support: true
2024-05-23 18:07:12 -0300 INF find -atime support: true
2024-05-23 18:07:12 -0300 INF find -ctime support: true
2024-05-23 18:07:12 -0300 INF find -print0 support: true
Once the collection begins, UAC logs each executed command on the target system using the CMD
level.
2024-05-23 18:07:12 -0300 INF Artifacts collection started
2024-05-23 18:07:12 -0300 INF Parsing live_response/process/ps.yaml
2024-05-23 18:07:12 -0300 CMD ps
2024-05-23 18:07:12 -0300 CMD ps auxwww
2024-05-23 18:07:12 -0300 CMD ps auxwwwf
2024-05-23 18:07:12 -0300 CMD ps -deaf
2024-05-23 18:07:12 -0300 CMD ps -ef
2024-05-23 18:07:12 -0300 CMD ps -efl
2024-05-23 18:07:12 -0300 CMD ps -eo pid,user,etime,args
2024-05-23 18:07:12 -0300 CMD ps -eo pid,user,lstart,args
2024-05-23 18:07:12 -0300 CMD ps -eo pid,user,cgroup
If a command produces an error (stderr), it will be logged on the same line, following the 2>
identifier.
2024-05-23 18:07:44 -0300 CMD uptime -s 2> uptime: invalid option -- 's'/nTry 'uptime --help' for more information.
2024-05-23 18:08:04 -0300 CMD fdisk -l 2> fdisk: cannot open /dev/vda: Permission denied
Acquisition log
After UAC completes execution, it generates a log file with detailed information about the acquisition process. This includes the case metadata and calculated cryptographic hashes (e.g., MD5 and SHA-1) for the output archive to verify data integrity.
Example:
Created by UAC (Unix-like Artifacts Collector)
[Case Information]
Case Number: 42
Evidence Number: 1
Description: Web server quick triage
Examiner: Duncan
Notes:
[System Information]
Operating System: linux
System Architecture: x86_64
Hostname: webserver01
[Acquisition Information]
Mount Point: /
Acquisition Started: Mon May 26 20:29:36 2024 -0300
Acquisition Finished: Mon May 26 20:35:56 2024 -0300
[Output Information]
File: uac-webserver01-linux-20240526202936.tar.gz
Format: tar
[Computed Hashes]
md5 checksum: 5c5305c81a13efdbb394b588da84951d
sha1 checksum: ab46c30b259bcbaa7ee9cdb64cae660d27ab98d2