Collecting Responder Log Files
XDR Forensics Responder Log Files
XDR Forensics Responder categorizes its log records into the nine log files listed below; every log record is written to the file for its component.
- TACTICAL.Log.txt
- TACTICAL.Process.Log.txt
- TACTICAL.Error.txt
- AIR.Log.txt
- AIR.Process.Log.txt
- DRONE.log
- DRONE.Process.log
- WATCHDOG.Process.Log.txt
- WATCHDOG.Log.txt
The log files that are generated by XDR Forensics responders are stored under the directory that is given below.
| Operating system | Log directory |
|---|---|
| Windows | C:\Program Files\Cisco\Forensics\AIR |
| Linux | /opt/cisco/forensics/air |
| macOS | /opt/cisco/forensics/air |
By using the command line interface
- Log in directly to the asset on which the XDR Forensics responder is installed, or connect to it remotely with the appropriate remote device management tool
- Browse to the directory listed above for the asset's operating system
- Download the files, or view their contents with the relevant tools.
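Collecting the files by hand leaves no record of what was copied or whether the copy survived transfer intact. The script below is an added example, not Cisco's own tooling: it copies whichever of the nine log files exist in the responder directory from the table (passed as SRC_DIR), preserves their timestamps, and writes a SHA-256 manifest that can be re-checked after the archive has been moved off the asset. The function names and manifest layout are this example's assumptions.

```shell
#!/bin/sh
# Added example, not Cisco's tooling: copy the nine Responder log files
# with timestamps preserved and write a SHA-256 manifest so the copy
# can be verified after transfer. File names come from the page;
# function names and manifest layout are assumptions.

RESPONDER_LOG_FILES="TACTICAL.Log.txt TACTICAL.Process.Log.txt TACTICAL.Error.txt
AIR.Log.txt AIR.Process.Log.txt DRONE.log DRONE.Process.log
WATCHDOG.Process.Log.txt WATCHDOG.Log.txt"

# SHA-256 of one file (sha256sum on Linux, shasum on macOS).
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# collect_responder_logs SRC_DIR OUT_DIR: copy each log file that exists,
# append "<sha256>  <name>" to OUT_DIR/SHA256SUMS, print the count copied.
# Returns 1 when nothing was found (e.g. wrong directory for this OS).
collect_responder_logs() {
  src="$1"; out="$2"; count=0
  mkdir -p "$out" || return 1
  : > "$out/SHA256SUMS"
  for f in $RESPONDER_LOG_FILES; do
    if [ -f "$src/$f" ]; then
      cp -p "$src/$f" "$out/$f" || return 1      # -p keeps mtime for the timeline
      echo "$(hash_file "$out/$f")  $f" >> "$out/SHA256SUMS"
      count=$((count + 1))
    else
      echo "not present: $f" >&2                 # reported, not fatal
    fi
  done
  echo "$count"; [ "$count" -gt 0 ]
}

# verify_responder_logs OUT_DIR: recompute every manifest hash; returns 1
# (naming the file) if any copied log no longer matches the manifest.
verify_responder_logs() {
  out="$1"; bad=0
  [ -f "$out/SHA256SUMS" ] || return 1
  while read -r expected name; do
    [ "$(hash_file "$out/$name")" = "$expected" ] ||
      { echo "hash mismatch: $name" >&2; bad=1; }
  done < "$out/SHA256SUMS"
  return "$bad"
}
```

Run `collect_responder_logs /opt/cisco/forensics/air ./responder-logs` on the asset, move the output directory off the host, and run `verify_responder_logs ./responder-logs` at the destination before analysing the files.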
By using the user interface
- Select the Assets button on the left of the main console menu
- Select the asset from which XDR Forensics responder logs are required
- Select ‘Logs’ from the bottom of the secondary menu
- Click on the ‘Collect Logs’ icon in the main Assets Logs page
This action creates a Task for collecting the logs. When the log retrieval task finishes, its status changes to Completed and the result can be downloaded by clicking the icon on the right side of the green Completed bar. All available log files are compressed into a single zip file for download.
The Log Retrieval tasks can also be accessed in the Tasks section.